Senator Feinstein recently claimed that the CIA may have violated the federal computer hacking statute, the Computer Fraud and Abuse Act, by searching computers used by the Intelligence Committee to conduct CIA oversight. Based on the facts we know so far, I'm skeptical of the claim that the CIA violated the statute. This post explains why.
Let me start with some background on the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. 1030. The CFAA is a computer trespass statute. It prohibits intentional unauthorized access to computers much like physical trespass laws prohibit unauthorized physical entry. The structure of the CFAA presumes that there is a computer owner or operator who controls access rights to each computer, much like an owner/operator controls access rights to physical property. The statute then punishes a person who obtains unauthorized access to the computer in violation of the access rights set by the owner/operator of the computer.
The scope of the CFAA is really murky in part because there is great uncertainty as to what kinds of access rights set by the owner/operator have the force of law. Everyone agrees that if the owner/operator sets up a code-based barrier to access, such as a password gate, then bypassing the code-based barrier is a violation. But there’s a circuit split on whether violating a written restriction or other contractual agreement is enough to trigger the statute. For example, if an employer says that an employee can only use the company’s network for official business, does an employee commit an unauthorized access if he uses the computer for personal reasons in violation of the policy? Some courts say “yes,” and other courts say “no.”
With this background in place, let’s turn to the CIA monitoring. According to Senator Feinstein, the CIA provided computers to the Intelligence Committee for its members to use, with the promise that only CIA IT people would access the computers. The CIA allegedly then broke that promise and looked through the computers anyway outside the IT context. The question is, did this access violate the CFAA?
I think there are four reasons to be skeptical that the CIA’s conduct violated the statute.
First, it’s not at all clear who controls access rights to the accessed computers. Who is the owner/operator of the computers? The CIA owns the machines, but the Committee was their primary operator. Who has the superior claim to control access? I don't think there's an obvious answer. There is no caselaw on how to resolve conflicting claims of control between owners and operators. Courts haven't even been clear that it's the owner/operator who controls access generally; the statute assumes this and the cases reflect it, but courts haven't been clear on the point because it hasn't come up. So it's a pretty murky area. My instinct is that the CIA probably has a better claim to controlling access than the Committee, as it is both the owner of the machine and maintains some residual rights to have IT people access the computers. But that's just my instinct.
Second, assuming that the Committee has access rights, there's the subsequent question of whether the CIA's access violated an access restriction that the CFAA protects. Was the only barrier to CIA access the agreement between the CIA and the Intelligence Committee? If so, that implicates the circuit split over whether violation of contractual terms can trigger CFAA liability.
Third, assuming the Committee controls access rights and the CIA breached an access restriction, was the access intentional with respect to the element of lacking authorization? If the CIA thought that it had rights to access the computer, then perhaps the access was not intentionally unauthorized and therefore not a CFAA crime.
Fourth, there's an exception to the statute that may apply. 18 U.S.C. 1030(f) states: "This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity . . . of an intelligence agency of the United States." We don't know exactly what this means, and especially what makes an activity "lawfully authorized," because no court has interpreted that section. But it's possible that it applies and negates CFAA liability.
Taking these four legal issues together, I think it's an uphill climb to argue that the CIA violated the CFAA. Establishing CFAA liability requires concluding that the Committee properly controlled access; that the CIA violated an access restriction that the CFAA protects; that the violation was intentional; and that the exception doesn't apply. Each of these issues are significant, and reaching the opposite conclusion on any of these issues would negate any CFAA liability.