Criminalizing hacking, not dating: reconstructing the CFAA intent requirement.

Author: Thaw, David
Position: Computer Fraud and Abuse Act of 1986 - Symposium on Cybercrime

TABLE OF CONTENTS

INTRODUCTION
I. HACKING: A (BRIEF) CONTEXTUAL HISTORY OF THE CFAA
   A. Legislative History
   B. What Is Hacking and Who Are Hackers?
      1. Security Vulnerabilities and the "Cybercrime Ecosystem"
   C. Criminal and Civil Prosecutorial History
      1. United States v. Drew (C.D. Cal. 2009)
      2. United States v. Nosal (9th Cir. 2012) (en banc)
      3. United States v. John (5th Cir. 2010)
II. CRIMINALIZATION BY CONTRACT
   A. The Concept of "Authorized Access"
   B. The "Harms" of Computer Crime--Against What Should We Protect?
      1. Circumvention of Code-Based Restrictions
      2. Existing Criminal Activities Made Easier or Having Increased Impact on Victims
      3. Existing Offensive (but Not Criminal) Activities Rising to the Criminal Level in the Electronic or Virtual Context
      4. Computer-Specific Activities that Are Otherwise Not Criminalized
   C. Effective Prevention: Criminalization vs. Private Options
      1. Private Law (Tort and Contract) Deterrence of Cybercrime
      2. Criminal Law Deterrence
III. CRIMINALIZING (ONLY) HACKING: MENS REA AS A SOLUTION
   A. Kerr's Code-Based Restriction Test
   B. Representative Zoe Lofgren's Proposed Reform
   C. Mens Rea Reform: A Responsive Return to Congressional Intent
IV. CONCLUSION

INTRODUCTION

This Article addresses a growing problem with existing United States federal law addressing cybercrime. The Computer Fraud and Abuse Act of 1986 (CFAA), which in part revised earlier (limited) legislation on the subject, is the primary federal antihacking statute providing both criminal penalties and (limited) rights of private action for certain unauthorized activities using computers and similar information systems. Congress originally intended to address only a narrow range of crimes (1) but, as others have observed, (2) the statute's scope expanded dramatically over the past two decades.

The result of this expansion threatens to criminalize a wide variety of activities, common to the ordinary computer and Internet user, that are apparently innocuous in the context of "hacking" but technically constitute unauthorized activities or activities exceeding a user's authorized access. It is now common, if not near-universal, practice for popular Internet websites to have terms-of-service agreements (3) and for employers and other operators of computer systems to have acceptable-use policies. (4) Such policies frequently contain provisions governing what activities are and are not acceptable on the website or computer system. Over the course of the past several years, prosecutors and private parties increasingly have asserted these terms to define the boundaries of authorized access on computer systems; on that theory, violations of those terms constitute unauthorized access in violation of the CFAA.

While existing scholarship on the subject is still limited, the balance seems to favor an approach under which private agreements cannot define the boundaries of criminal activity. (5) The federal courts of appeals have split on the issue, with the Fifth (6) and Seventh (7) Circuits permitting such agreements to define authorized access for criminal purposes and the Fourth (8) and Ninth (9) Circuits rejecting such an approach. To date, the U.S. Supreme Court has not addressed the issue or granted certiorari in any case decided by the courts of appeals.

This Article responds to the debate in existing scholarship and the problems presented by the circuit split in an interconnected world. (10) It specifically takes up Professor Orin Kerr's invitation (11) seeking debate on the subject of access- or authorization-based tests in electronic crimes and challenges the solution proposed by Professor Kerr and the courts. The Article also responds to recent events (12) and the resultant attention in Congress to possible reform of the CFAA. It identifies the shortcomings and risks in the current proposals, and suggests an alternate method of addressing the overbreadth and vagueness problems in the existing statute through legislative reform of the statute's mens rea element.

I propose legislative reconstruction of the existing mens rea element for at least § 1030(a)(2) of the CFAA (13) and perhaps all portions of 18 U.S.C. § 1030, where private agreements (e.g., terms of service) may define the boundaries of authorized access to computing and information systems. Specifically, I suggest a two-part intent requirement: (1) that the actor intentionally engage in an action not only constituting unauthorized access, (14) but also that the intent be that the action result in unauthorized access, an express element requiring proof that the actor reasonably should have known that the action in question was unauthorized under a terms-of-service or similar agreement; (15) and (2) that this action be in furtherance either of one of a list of specifically prohibited computer-specific crimes (16) or alternatively in furtherance of an act otherwise unlawful under existing state or federal law.

The goal of this proposed reform is to better align the effect and reach of the statute with congressional intent regarding acts deserving of criminal punishment, while at the same time maintaining its ability to serve as an effective deterrent to (and mechanism of punishment for) acts uniquely involving computers and modern information technologies that I argue should be criminalized. In Part II.B of this Article, I present a typology describing the types of acts with which the federal criminal law should be concerned. Based on that typology, I evaluate the degree to which legal alternatives may serve as substitutes in deterring and/or punishing perpetrators of such actions. I conclude that the most obvious alternative, private tort law, is vastly insufficient either as a deterrent or a mechanism of punishment, suggesting the importance of engaging the criminal law.

Reform of the mens rea element also suggests a larger question in the context of electronic crimes--how to conceive of "intent" in virtual worlds where the physical-world actions taken to bring about virtual-world results may have different (and sometimes disjunctive) intent associated with them. The Article opens this discussion, in part, by analogizing my proposed CFAA mens rea reform to distinctions in the intent requirements of physical-world crimes. It is a first step in this regard, and one I hope opens an ongoing discussion regarding the question of intent with respect to actions that have both physical-world and virtual-world consequences.

This Article proceeds in three Parts. Part I provides a contextual history of the CFAA relevant to the question of prosecution for agreement-based authorization violations of the CFAA and the role of the mens rea element in protecting against overbroad prosecutions. It provides background on congressional intent, examines the types of bad actors and the types of harms against which Congress sought to protect, and proposes a stratification of the cybercrime ecosystem as a way to categorize the types of criminal activity at issue. It then proceeds to provide a background on select cases highlighting the challenges inherent in the CFAA's existing authorized-access approach and intent requirement. Part II explores the concept of defining the boundaries of criminal action as a function of private agreements, including examining physical-world analogues such as criminal trespass. Building on the discussion of what harms may arise in a computer-centric world, it proposes a typology of computer-based or computer-enhanced crimes against which computer-crime legislation should protect. It then proceeds to examine why such protection is necessary for adequate deterrence, providing a foundation for the argument that existing CFAA reform proposals are inadequate. Part III examines other existing proposals, presents examples of how they cannot address the concerns raised by various types of harms that arise in the computer-crime context, and alternatively proposes legislative reform of the mens rea requirement of the CFAA as a solution that both protects against overbroad prosecution and maintains the ability of private (electronic) property owners to post virtual "no trespassing" signs and have those signs enjoy the necessary protection of the criminal law.

I. HACKING: A (BRIEF) CONTEXTUAL HISTORY OF THE CFAA

In the (admittedly limited) scholarly discussion of the CFAA to date, much attention is given to the expansion (both by congressional act and judicial interpretation), potentially overbroad use, and ill-defined aspects of the criminal acts defined by the statute and its civil analogues. Scholarship and judicial opinions have also spent substantial time discussing the logical, implied, and literal meanings of the statute, but comparatively less discussing the legislature's original intent as expressed in the congressional debates surrounding the CFAA's adoption.

While there remains healthy debate as to the extent to which congressional intent should be balanced against literal interpretation--and this Article does not seek to address that debate--legislative intent, when evidence of it exists, is at least worthy of consideration. This is particularly true where rapidly changing technological conditions make it difficult to construct statutes that address undesired, but not yet technically identifiable, behavior. This Part examines the congressional record surrounding the adoption of the 1986 amendments to 18 U.S.C. § 1030, which introduced the name "Computer Fraud and Abuse Act," with an eye toward how the bill's authors attempted to use the mens rea element of the statute to protect against overbroad use of the statute. It then examines the types of criminals and criminal activity the statute's authors did seek to criminalize, and the reasons behind that choice. It also discusses how subsequent criminal and civil prosecution under the CFAA has diverged from that intent in a manner inconsistent with legislative purpose.

