Cybercrime litigation.

• Author: Mayer, Jonathan
• Position: II. An Empirical Evaluation of Cybercrime Litigation D. What Fact Patterns Are Litigated Under Cybercrime Law? through Conclusion: A Limited Role for Cybercrime Liability, with footnotes, p. 1480-1507

4. What Fact Patterns Are Litigated Under Cybercrime Law?

   The longitudinal data are probative of how civil plaintiffs and criminal prosecutors have invoked cybercrime law, but they are certainly not conclusive. In this Section, I turn to a detailed latitudinal analysis, using a new, comprehensive dataset of 2012 federal cybercrime pleadings.

   With this novel dataset, it is possible to definitively answer additonal foundational questions about the function of federal cybercrime law: Who invokes CFAA and under what circumstances? The following subsections examine these questions, first for civil litigation, then for criminal prosecutions.

   1. Civil Litigation

      1. Party Relationships

         Civil defendants appear nothing like the outsider rogues that initially captivated Congress and state legislatures, as demonstrated by Table 1.

         The overwhelming majority of private cybercrime claims arise in business disputes (238,73%), (108) and of those, most follow from previous employment (168, 52%). (109) Just a small minority of claims (38,12%) are filed against strangers. (110)

         An analysis of party relationship coincidence confirms that cybercrime law most often intermediates routine commercial quarrels. There is scant overlap between categories associated with business and those associated with hacker stereotypes; these are not cases in which former employees or competitors have aligned with unrelated, serial computer abusers. Rather, civil CFAA litigation involves one-off commercial disputes that happen to involve information technology.

         The data on party relationships, seen in Table 2, reveal a notable trend in litigation: a cybercrime claim against a competitor is often accompanied by a cybercrime claim against a former employee (76, 78%). (111) These cases reflect departed staff who have either established their own firms or joined preexisting competitors. Cybercrime law is merely a novel federal twist in these cases, which have historically been adjudicated under contract, trade secret, or agency law.

      2. Underlying Conduct

         The overwhelming majority of civil cybercrime claims also look nothing like "hacking," even construed broadly, as shown in Table 3.

         Most private claims relate to information misappropriation (170, 52%), (112) or modification or deletion (71, 22%). (113) The categories substantially overlap, and together represent a majority of claims (182, 56%). (114) These findings indicate that civil cybercrime works as a quasi-intellectual property regime, far less concerned with the function and integrity of computer systems than with their information contents.

         Only a minority of claims could be reasonably characterized as involving the circumvention of a technical protection measure (99,30%). (115) Furthermore, even within these cases that involve technical circumvention, the most common avenues for unauthorized access are password theft (53, 54%), ns mobile phone unlocking (16, 16%), (117) and password sharing (n, n%). (118) Civil cybercrime cases, in short, do not arise from technically sophisticated "breaking and entering." (119)

         There is remarkably little commonality in the long tail of fact patterns. Claims present a hodgepodge of theories favoring liability, ranging from online harassment (11, 3%) (120) to hosting an unrelated website (9, 3%) (121) to scraping online material (5, 2%). (122) Cybercrime use in copyright trolling (8, 2%) (123) and bulk mobile phone unlocking cases (16, 5%) (124) suggests the law has been opportunistically seized upon for non-adversarial litigation. (125)

   2. Criminal Litigation

      1. Victim-Defendant Relationships

         Most criminal charges, like most civil claims, arise from a preexisting relationship, as shown in Table 4.

         And, like with civil claims, the majority of criminal charges relate to an employment or commercial dispute (76, 57%). (127)

         These findings squarely deflate the myth that most cybercrime defendants align with hacker archetypes (i.e., repeat offenders motivated by sport, profit, or national pride). Instead, most criminal cases arise from one-time misconduct, in which an underlying dispute migrates from the real world to the Internet.

         The criminal prosecution data reveal, however, one notable departure from civil practice: although still a minority, cases in which there is no relationship between the defendant and victim, or where the defendant is unidentified, occur about three times as often in criminal prosecutions as in civil suits (44, 33%). (128)

      2. Underlying Conduct

         Criminal cases, much like civil cases, tend not to arise from sophisticated hacking, as seen in Table 5.

         About half of prosecutions do not involve technical circumvention of an access control (65, 49%).wo And, among those cases that do involve a circumvention of a technological protection, many of the fact patterns do not reflect technical sophistication but rather password theft (32, 47%). (131)

         These results belie the narrative that federal prosecutors generally reserve cybercrime charges for the worst offenders, namely serial and sophisticated computer hackers. (132) In fact, prosecutors routinely file cybercrime charges for minor misconduct, especially when a current or former employee misappropriates information (51,39%). (133)

         One substantial point of divergence between civil and criminal litigation is the extent to which government computer systems are involved. Nearly all the civil cases in the dataset related to computer systems owned by private individuals or businesses. (134) In the criminal cases, by contrast, roughly a quarter of charges related to a government computer system (38, 29%). (135) Most of the defendants in these cases were current or former government employees who had technically valid credentials for a system, but misused the system (21, 55%). (136) Remarkably, among those cases where a government employee repurposed their access to a workplace computer system, the most common class of defendant consisted of law enforcement personnel (12, 57%). (137)

5. Is Cybercrime Law Redundant?

   Cybercrime law is not monolithic. Federal and state legislatures have enacted a diverse array of offenses and have drafted those offenses with a wide range of textual variations. (138) The current CFAA, for instance, contains (depending on how one counts) up to fourteen different statutory offenses. (139)

   The structure of cybercrime law generates the potential for two different types of redundancy. First, a cybercrime offense might be internally redundant, overlapping with other cybercrime offenses within the same statutory scheme. Second, a cybercrime offense might be externally redundant, overlapping with noncybercrime civil claims or criminal charges.

   This Section examines the extent to which cybercrime is both internally and externally redundant. It begins with civil claims before turning to criminal charges.

   1. Civil Litigation

      1. Internal Redundancy

         Many pleadings invoke cybercrime law only generally and fail to identify particular statutory claims (123, 38%). (140) These plaintiffs treat CFAA as a single type of liability, blurring the various offenses. One plausible interpretation is that attorneys simply fail to understand the federal statute's structure. Alternatively, practitioners may view cybercrime law as so internally duplicative that particularized claiming is unnecessary. A more cynical view is that many courts tolerate this vague pleading practice, thus providing little incentive for plaintiffs to furnish detail.

         CFAA's structure provides a limited natural experiment for evaluating whether attorneys are confused by the statutory scheme or are pleading strategically. In civil practice, statutory claims for unintentional damage to a computer are markedly easier to prove than claims for reckless damage to a computer, and both claims provide identical remedies. (141) Nevertheless, a nontrivial share of filings (55, 27%) include a reckless damage claim. (142) Most of these pleadings also include an unintentional damage claim (42, 76%), such that the reckless damage claim is merely duplicative. (143) But a meaningful share of reckless damage pleadings do not include an unintentional damage claim (13, 24%), (144) a result that can only be explained by attorney confusion. So, this much is certain: a fair number of practitioners are befuddled by cybercrime law.

         Within the subset of filings that are more precise about statutory claims (202, 62%), (145) a substantial majority reference multiple provisions (142, 70%), as shown in Figure 10.

         These findings strongly suggest that CFAA's various provisions greatly overlap. Most plaintiffs who plead with specificity believe their fact pattern could be styled as a violation of more than one statutory offense.

         Pleadings most commonly cite CFAA's taking information and fraud offenses, as would be expected given their broad judicial constructions. (146) The unintentional damage and loss provision is also widely invoked, suggesting plaintiffs recognize the broad and overlapping interpretations of "damage" and "loss" that some courts have adopted.

         Claiming coincidence under CFAA lends further credence to the view that the statute is internally redundant, as seen in Table 7. There are extraordinarily high rates of coclaiming across CFAA's broadest provisions.

         Several areas of claiming coincidence warrant note. First, the taking information and fraud offenses frequently coincide, (147) likely because courts have watered down key elements of CFAA's fraud offense.

         Second, the various "damage" claims commonly are coupled with a taking information or a fraud claim. (148) These filings reflect jurisprudence that broadly interprets "damage" to encompass mundane copying or modifying data. (149)

         Third, the overwhelming majority of password trafficking claims are paired with fraud claims (20, 87%). (150) Much, but not all, of the overlap arises from copy-and-paste complaints in mobile phone unlocking disputes (13, 65%). (131) The theory of these...