Cybercrime is, undoubtedly, a growing problem. Scarcely a week goes by without reports of massive online misconduct. The primary federal legislative response so far has been to impose computer abuse liability on network attackers. Every state has enacted a similar statute.
But do these cybercrime statutes actually punish and deter hackers? Members of Congress and Department of Justice prosecutors think so--and have repeatedly sought to expand the scope and consequences of liability. Meanwhile, scholars, advocates, and some judges have argued that computer abuse legislation is overbroad and ineffective. Law and policy debate has proceeded from these dueling narratives, not from data.
This Article presents the first comprehensive empirical analysis of litigation under the federal cybercrime statute, the Computer Fraud and Abuse Act. Drawing on a new dataset compiled from hundreds of civil and criminal pleadings, the Article addresses fundamental and unanswered questions about the on-the-ground function of cybercrime law.
The data reflect that there has been a nationwide cybercrime litigation explosion, and most cases look nothing like the hacker archetype. The overwhelming majority of civil claims arise from mundane business and employment disputes, not sophisticated computer intrusions. And while federal prosecutors do sometimes charge serious offenders, the plurality fact pattern in criminal litigation involves a low-level government employee mishandling data. What's more, cybercrime law appears to be redundant in civil cases, and there is little reason to believe that it deters the most concerning hackers.
The Article closes with normative recommendations. In the near term, I suggest that (1) Congress and state legislatures should repeal civil cybercrime liability, (2) prosecutors should establish enforcement policies that prioritize significant misconduct, and (3) courts should narrowly construe cybercrime statutes to better effectuate legislative intent. As a structural matter, I challenge the net benefit of cybercrime law. An expansive computer abuse construct is a poor fit for modern technology, which is increasingly pervasive and increasingly shared. Policy should emphasize alternative means of protecting computer security and privacy.
INTRODUCTION I. COMPETING PERSPECTIVES ON CYBERCRIME LAW A. The Expansionist Perspective B. The Critical Perspective 1. Consumers 2. Employees 3. Entrepreneurs 4. Journalists 5. Security Researchers C. Why Empirical Analyses Are Necessary II. AN EMPIRICAL EVALUATION OF CYBERCRIME LITIGATION A. Data Sources and Methodology B. What Is the Volume of Cybercrime Litigation? 1. Civil Litigation 2. Criminal Litigation C. How Punitive Are Cybercrime Prosecutions?.. D. What Fact Patterns Are Litigated Under Cybercrime Law? 1. Civil Litigation a. Party Relationships b. Underlying Conduct 2. Criminal Litigation.. a. Victim-Defendant Relationships b. Underlying Conduct E. Is Cybercrime Law Redundant? 1. Civil Litigation a. Internal Redundancy b. External Redundancy 2. Criminal Prosecutions a. Internal Redundancy b. External Redundancy F. Does Cybercrime Law Deter Computer Abuse? G. Assessing the Two Perspectives on Cybercrime Law III. RECOMMENDATIONS A. Civil Liability B. Enforcement Priorities C. Narrow Construction of CFAA CONCLUSION: A LIMITED ROLE FOR CYBERCRIME LIABILITY "[T]he majority of [cybercrime] cases still involve 'classic' hacking activities." --Pacific Aerospace (A Electronics, Inc. v. Taylor (1)
Phillip Fadriquela was the archetypal hacker. (2) By day, the twenty-six-yearold labored as a data processing drone; by night, he broke into federal computer systems. "I was just playing," he would later insist to the media. (3) In 1985, Fadriquela earned the first-ever criminal indictment under the primary federal cybercrime statute, the Computer Fraud and Abuse Act (CFAA). (4)
Dyanne Deuel managed medical technicians for a chintzy chain of surgical clinics. (5) Her "1-800-GET-THIN" employer had already aroused suspicion for unusually frequent complications and misleading advertisements. (6) In 2012, Deuel dropped a bombshell whistleblower lawsuit, alleging that physicians had covered up flagrant malpractice that contributed to a patient's death. (7) In response, Deuel's employers filed their own suit alleging a civil CFAA violation. (8) To blow the whistle, they argued, Deuel had checked the patient's electronic chart. (9) She shouldn't have.
Fadriquela and Deuel bookend a radical transformation in cybercrime law. What began as a tentative legislative response to the archetypal young, rogue hacker has evolved into sweeping doctrine with severe remedies. Read broadly, contemporary cybercrime law does not just address sophisticated hacking. It also imposes worldwide civil and criminal liability that displaces trade secret, property, contract, fraud, and copyright law in the information economy. (10) Proponents of expansive cybercrime law in both the legislative and executive branches have emphasized the government's need to combat online threats that are growing in frequency, impact, and sophistication. (11) Scholars, advocates, and some judges, meanwhile, have argued that computer abuse legislation is overbroad and ineffective. (12) The debate over the appropriate scope and sanctions for cybercrime law has played out for years, based almost exclusively on these dueling narratives and their accompanying anecdotes. Hard data are long overdue.
This Article presents the first comprehensive empirical analysis of cybercrime litigation in the federal courts. Drawing on a new dataset compiled from hundreds of civil and criminal CFAA pleadings, the Article answers foundational questions about the practical function of cybercrime law.
Part I sets the stage, attempting to articulate the two competing viewpoints on cybercrime liability. It also highlights untested factual assumptions that underpin both perspectives. Part II dives into data. It begins by explaining the sources and methodology for this study, then provides quantitative responses to specific unanswered questions at the heart of the cybercrime debate. The data reflect that, in recent years, there has been a nationwide cybercrime litigation explosion--and most of these cases look nothing like hacking. The overwhelming majority of civil claims arise from mundane employment and commercial disputes, not sophisticated computer intrusions. And the most common fact pattern in criminal prosecutions arises from low-level government employees merely misappropriating data. Moreover, cybercrime law appears to be both internally and externally redundant in civil cases, and there is little reason to believe that the law meaningfully deters sophisticated hackers.
Part III offers three workable recommendations for correcting cybercrime law. Congress should repeal civil liability because it is misdirected, unnecessary, and introduces expansionist pressures. The Department of Justice should articulate a cybercrime enforcement policy that focuses resources on serious...