On October 25, 2016 the Department of Justice released its “intake and charging policy for computer crime matters (blog post and formal memorandum). This policy has been operative since September 2014, but is just being released now.
The policy memorandum—mostly process-oriented—describes some of the factors that must be considered before it can be determined that a case serves a substantial federal interest. These factors are described at the end of this posting. The policy also states that federal prosecutors must “consult with” the DOJ Computer Crime and Intellectual Property Section (CCIPS) before bringing charges under the Computer Fraud and Abuse Act. The formal memorandum also includes commentary on these factors and provides some examples of hypothetical cases that may or may not warrant prosecution.
In my view, the guidelines do help address some concerns about overreach, but as they stand today, they do not help the U.S. government rebuild productive relationships with the technology, researcher, and public interest communities.
First, the positive. Mandatory consultation with the DOJ CCIPS may help to establish some degree of uniform standard across the nation, though consultation does not necessarily guarantee consistency. Item 5 below also provides a nod in the direction of reducing abuse of the “exceeding authorized access” parts of the CFAA by making it more difficult to bring a case when the defendant misused information or services after he had obtained that information or services while he was authorized to do so. For example, assume I am authorized to access a database for purpose A. In January, I access this database for authorized purpose A. In February, I use the information gained in January for unauthorized purpose B. Under this guideline, my access in January should not be used as a basis for prosecution under CFAA. My colleague Jennifer Granick notes that existing case law supports this interpretation (she points to https://casetext.com/case/oce-north-america-inc-v-mcs-services as one example), and argues therefore that Item 5 advise prosecutors what the law is and how not to bring a case that will lose for an existing reason already enforced by the courts. Even if this is all that it does, Item 5 still helps by reducing abuse of CFAA.
But the guidelines are problematic in other ways. Perhaps the most important part is that they do not provide guidance that instructs prosecutors to refrain from doing things that were never intended to be addressed in the CFAA—two of the most prominent of these things are talking to journalists about newsworthy things, and doing security research for vulnerabilities in software. And the guidelines leave too much discretion in the hands of local US attorneys, because in the end, consultation need not result in behavioral change.
Here’s a different formulation of the guidelines that I hope a revised set of guidelines might follow (the numbering scheme follows the original):
Bringing charges is generally not appropriate and should not be pursued if any of the following conditions are met:
- The sensitivity of the affected computer system or the information transmitted by or stored on it and the likelihood and extent of harm associated with damage or unauthorized access to the computer system or related disclosure and use of information is insignificant or minimally significant;
- The degree to which damage or access to the computer system or the information transmitted by or stored on it raises concerns pertaining to national security, critical infrastructure, public health and safety, market integrity, international relations or other considerations does not have a demonstrably broad or significant impact on national or economic interests;
- The extent to which the activity was not in furtherance of a larger criminal endeavor or did not pose a significant risk of bodily harm or a significant threat to national security;
If none of the preceding conditions are met, prosecutors should take into consideration before bringing a case factors such as Items 4-8 from the original list of guidelines below. A ninth item is added:
The public interest value resulting from the alleged act, including but not necessarily limited to uncovering information that is newsworthy or useful or helpful in remediating security vulnerabilities in information technology systems;
A revised policy should also state that federal prosecutors must obtain the concurrence of the DOJ Computer Crime and Intellectual Property Section (not just consult with the CCIPS) before bringing charges under the Computer Fraud and Abuse Act.
I’ve constructed my alternative formulation to make it more difficult, but not impossible, to bring cases under CFAA—even those cases involving journalists or security researchers. The reason is that I can imagine that under some circumstances, prosecution could sometimes be warranted and serve the public interest even if journalists or security researchers were the targets of a prosecution. But making it harder does seem to me to be the right thing to do. And I note in passing that making it harder to bring controversial cases against CFAA might well have salutary effects on the relationship between Silicon Valley, the privacy and civil liberties community, and the US government.
From the memo of September 2014 -- Factors to be considered:
- The sensitivity of the affected computer system or the information transmitted by or stored on it and the likelihood and extent of harm associated with damage or unauthorized access to the computer system or related disclosure and use of information;
- The degree to which damage or access to the computer system or the information transmitted by or stored on it raises concerns pertaining to national security, critical infrastructure, public health and safety, market integrity, international relations or other considerations having a broad or significant impact on national or economic interests;
- The extent to which the activity was in furtherance of a larger criminal endeavor or posed a risk of bodily harm or a threat to national security;
- The impact of the crime and prosecution on the victim or other third parties;
- Whether the criminal conduct is based upon exceeding authorized access consistent with several policy considerations, including whether the defendant knowingly violated restrictions on his authority to obtain or alter information stored on a computer, and not merely that the defendant subsequently misused information or services that he was authorized to obtain from the computer at the time he obtained it;
- The deterrent value of an investigation or prosecution, including whether the need for deterrence is increased because the activity involves a new or expanding area of criminal activity, a recidivist defendant, use of a novel or sophisticated technique, or abuse of a position of trust or otherwise sensitive level of access; or because the conduct is particularly egregious or malicious;
- The nature of the impact that the criminal conduct has on a particular district or community; and
- Whether any other jurisdiction is likely to prosecute the criminal conduct effectively, if the matter is declined for federal prosecution.