August 07, 2016

Computer fraud statutes need 21st century update, urges ABA panel

Most of the laws and federal criminal statutes governing computer crimes were written and passed decades ago, in the years before the prevalence of computers, the Internet, Wi-Fi and mobile devices. Because of the advances in technologies and the explosion of computer uses in everyday commerce and personal life, it is difficult to figure out what conduct Congress intended to criminalize when it wrote the laws.

In an Aug. 4 panel titled “Today’s Interpretation of Computer Laws Developed for a Bygone Age: A Study of Computer Crime, Prosecution & Defense,” at the 2016 ABA Annual Meeting in San Francisco, lawyers, prosecutors and scientists discussed the issues surrounding the ambiguities in the law that have arisen in light of technological advances.

Dennis Riordan, an attorney with Riordan & Hogan in San Francisco who specializes in appellate litigation, concentrated on the Nosal case to help explain the problem. The United States Court of Appeals for the Ninth Circuit handed down two decisions in the Nosal case, one in 2012 and another in 2016, dealing with the extent of criminal prosecutions allowed against former employees under the Computer Fraud and Abuse Act, which was enacted 30 years ago in 1986.

As Riordan pointed out, opinions from intermediate appellate courts rarely garner the attention that U.S. Supreme Court decisions do, but the Nosal decisions were exceptions. He said that when the CFAA was drafted, very few people had the expertise or hardware to access a computer. The universe that the statute addressed was very small. Today, millions of Americans access their bank accounts, shopping sites and a myriad of other outlets through computers. Most businesses have their own systems and supply access to employees.

At the crux of the problem, Riordan explained, were the “intricacies of interpreting language.” In the CFAA, the terms “accessing a computer in excess of authorized use” and “without authorization” are at issue. The law is simpler to apply when it is narrowed by cases that involve clear fraud or causing damage. But Riordan and fellow panelist Peter G. Neumann, a computer science researcher at the Computer Science Lab at SRI International in Menlo Park, Calif., believe the language in the CFAA exposes a large number of people to criminal liability.

The actual language of the CFAA from 30 years ago does not spell out clearly who has authority to approve computer use. In Nosal I, the Ninth Circuit ruled that violating employer terms of use does not constitute “exceeding authorized access.” In Nosal II, it ruled that the same actions violated the CFAA’s ban on “access without authorization.”

“The question of exceeding authority when there is no clear authority is a slippery slope,” Neumann said. It brings into question the whole issue of consensual password sharing and even the very legality of cloud-based password storage apps.

“It’s a little preposterous that language from 40 years ago can put people on notice as to what is a crime,” Riordan said.

Presenter Vicki Chou, a prosecutor in the Computer Crime Unit of the U.S. Attorney’s Office in Los Angeles, was not as worried about the intricacies of language, stressing that enforcement of the law is “about criminal intent.” She added that “the CFAA is a little clunky, but has done a pretty good job of giving the government the tools to fight computer fraud.”

But Riordan is not a fan of the “we know it when we see it” approach to prosecutions and claimed that “Nosal II leaves a lot of unanswered questions that the court said, ‘We’ll answer them later.’”

Riordan also explained that the CFAA contained both criminal and civil statutes and worried that corporations could use it as a tool to threaten employees with computer fraud for unauthorized use, merely for accessing personal emails or even basketball scores on a company computer. Although Chou said those would never be prosecuted, the fact that the language is in the statute might tempt a company to use it as a threat against an employee who might have a separate pending action against it.

Moving forward, more questions will need to be answered in the courts. Ray Aghaian of Kilpatrick Townsend & Stockton LLP, who concentrates on white collar criminal defense, cybersecurity and internal investigations for companies, said that “the line between exceeding authority and unauthorized access is blurred.”

Aghaian also noted that the Internet of Things will lead to even more confusion and different interpretations if the laws are not clarified. With self-driving cars and smart toasters soon to be the norm, Aghaian said that in the Internet of Things, “products are not made with security in mind.”

The lack of security was something all could agree on. “Everything is already broken,” Neumann declared.

“Today’s Interpretation of Computer Laws Developed for a Bygone Age: A Study of Computer Crime, Prosecution and Defense” was sponsored by the ABA Criminal Justice Section.