Bloomberg Law
Aug. 16, 2016, 9:53 PM UTC

Computer Crime Laws Need An Update (Perspective)

April Doss
Partner

Editor’s Note: The author of this post formerly worked in-house at the NSA.

Matthew Keys recently began serving a two-year prison sentence for providing the hacking collective, Anonymous, with his credentials into the network of a former employer, the Tribune Company. Keys was convicted under the Computer Fraud and Abuse Act (CFAA), a move that caused uproar among his supporters.

There have been a number of criticisms of Keys’ conviction and sentence; while many of those criticisms miss the point, there is one critique that bears repeating, and taking action to address: It’s time for a CFAA update.

First, though, the red herrings.

Some critics have said Keys should not have been convicted because he “only” shared login credentials like username and password. Under this argument, critics say, “everyone shares the username and password to their accounts,” and “this is like sending someone to jail for letting their family members log in to their Netflix account.” In short: No, it’s not. By all accounts, Keys had been given login credentials to his employer’s network so he could perform work-related functions. According to court documents, he posted those credentials to a hackers’ web forum and encouraged members to use those credentials to “go f— some s— up.” At least one person took him up on that offer. From a policy perspective, that seems like precisely the type of behavior that ought to be unlawful under the CFAA.

A brick-and-mortar analogy helps here: An employee who’s been given a physical key to their employer’s building should expect to be prosecuted if he makes copies of the key, hands them out to people whose hobby is breaking in, and encourages them to do exactly that – and to cause damage while they’re at it. In traditional criminal law, that employee would most likely be charged with aiding and abetting a burglary and vandalism.

This case is also different from sharing Netflix customer accounts: Sharing a Netflix login with your family members allows them to access information you’ve subscribed to, so there are potential licensing, intellectual property, and subscriber terms and conditions to consider. But sharing customer-level access doesn’t enable your ne’er-do-well cousin to alter the movies that are offered on the Netflix website, or to access employee-only portions of the network. In other words, from a computer security perspective, a former employee’s insider access is almost certainly different from the level of access that’s provided when users share a customer account.

Finally, some critics have said that prosecutors overreached because Keys’ actions “only” resulted in one article being altered for a short time. That argument overlooks both the magnitude of damage that could have resulted, and the cleanup costs alleged by the company. Although Keys disputed the amount of costs that the Tribune Company claimed, it’s indisputable that a company hit with a cybersecurity incident like this can expect to spend tens or hundreds of thousands of dollars to investigate and repair the damage. As a general matter, the kind of access at issue here – unauthorized use of insider credentials – can be particularly costly from a forensics perspective, as it can require a significant search-and-destroy effort to root out any leave-behinds that could impact the company’s network later. Consequently, it isn’t crazy for prosecutors or the jury to conclude that there was enough harm to make this a felony. The exact amount of costs and extent of the website’s defacement are useful to consider at sentencing. But a fire that’s put out quickly can still be charged, tried, and convicted as arson, even if the building doesn’t burn completely down.

Despite the many logical fallacies in the debate around Keys’ case, there remains one issue where all of the critics are right: It’s time to amend the CFAA. Although this case wasn’t actually like a Netflix customer sharing their password, concerned critics are right to point to the ways in which the CFAA’s language could be applied to lump together and criminalize a range of behaviors among which, from a policy perspective, we ought to be drawing distinctions.

Technology-related activity is one of the most challenging areas to legislate: the rapid evolution of technical capabilities and risks, and actual and potential harms, makes it hard to write laws that: a) achieve the intended policy goals, and b) avoid being overly tied to specific technological implementations. When laws are written with specific technologies in mind, they can quickly become obsolete, or end up having perverse, unintended effects as technology changes. When that happens, prosecutorial discretion becomes our best – and uncertain – defense against charges being brought for behavior that isn’t seen as having social costs.

Although the jury agreed that this case was properly brought, it’s time to update the CFAA so that we have the benefit of both modern laws – as well as prosecutorial discretion – to protect against overcharging in some other, future case.

The views and opinions expressed in the piece are those of the author and not those of the NSA/CSS.
