Editor’s Note: The authors are white collar criminal lawyers in Los Angeles.
The prosecution of journalist Matthew Keys demonstrates the immense discretionary power that federal prosecutors wield under the Computer Fraud and Abuse Act (“CFAA”).
Last week, Keys surrendered to authorities to begin serving his twenty four month prison sentence stemming from his distribution of login credentials to the Tribune Company computer network to members of the hacker group Anonymous. Keys was convicted of three felonies following a federal jury trial in October 2015. While he has appealed his conviction, the Ninth Circuit denied his motion for bail pending appeal late last month, meaning that he must begin serving his sentence absent action by President Barack Obama, from whom Keys has lobbied for a commutation or pardon.
The case has received significant media attention, with most commentators questioning the government’s decision to pursue felony charges and a lengthy prison sentence against Keys for, as Keys’ defense team describes it, a few altered words in a Los Angeles Times online story on tax cuts. The Department of Justice viewed the intrusion as much more serious, requiring the Tribune Company to deploy a large team of employees to locate and close the security breach.
The CFAA, first enacted in 1986 and codified at 18 U.S.C. § 1030, contemplates both misdemeanor and felony criminal charges for transmission of a “program, information, code or command” to a “protected computer.” When such conduct causes a loss of more than $5,000, it is sufficient to elevate the conduct to a felony.
The criticism of the government in Keys’ case primarily centers around two issues: first, that the CFAA has remained largely the same since enactment in 1986 and thus fails to account for the tremendous growth of the internet and the connected realities of today; and second, that the method of calculation of damages is not well established, leaving too much to the discretion of the prosecutor.
The critics of the outdated reach of the CFAA raise a valid point. Few in 1986 could have imagined the world of the internet as we know it today — the first website was still five years away. Thus, at the time, Congress likely viewed the concept of accessing a protected computer as physical access to a protected computer, not the connection to a remote computer potentially thousands of miles away. As Keys’ counsel pointed out on multiple occasions, conduct as ubiquitous in our society as sharing a Netflix password with a friend would potentially run afoul of the literal language of the CFAA.
As for the calculation of damages, in Keys’ case, the government argued successfully that the value of the time of the team of Tribune employees searching for and deleting expired user accounts in an attempt to close potential sources of the breach was all damage caused by Keys’ sharing of login credentials, rather than just the cost to reverse the changes to the website. Thus, the costs of broad preventative measures taken in a reaction to an intrusion could all be included in the damage calculations for the purposes of elevating the conduct to a felony.
However one feels about Keys’ case in particular, it is clear that the CFAA allows federal prosecutors to swing an incredibly powerful tool. In the wake of high profile CFAA cases, like those of Keys and Aaron Swartz, the Department of Justice is certain to be under increased scrutiny of their use of this statute. In that environment, government attorneys across the nation must ensure that they continue to give equal concern to another powerful tool: prosecutorial discretion.