{"id":14302,"date":"2016-11-01T13:39:08","date_gmt":"2016-11-01T13:39:08","guid":{"rendered":"http:\/\/www.megalextoria.com\/wordpress\/?p=14302"},"modified":"2016-11-01T13:39:08","modified_gmt":"2016-11-01T13:39:08","slug":"what-were-scared-about-this-halloween-prosecutorial-discretion-under-notoriously-vague-computer-crime-statute","status":"publish","type":"post","link":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/2016\/11\/01\/what-were-scared-about-this-halloween-prosecutorial-discretion-under-notoriously-vague-computer-crime-statute\/","title":{"rendered":"What We&#8217;re Scared About This Halloween: Prosecutorial Discretion Under Notoriously Vague Computer Crime Statute"},"content":{"rendered":"<p>Should prosecutors have the ability to take advantage of unclear laws to bring charges for behavior far beyond the problem Congress was trying to address? We don\u2019t think so. When not carefully limited, criminal laws give prosecutors too much power to go after innocent individuals for innocuous behavior, like <a href=\"https:\/\/www.eff.org\/cases\/united-states-v-drew\">violating a website&#8217;s terms of use<\/a> by using a partner\u2019s password to post something for them or print out a boarding pass. And that\u2019s terrifying. It\u2019s also contrary to a long-held constitutional rule requiring vague criminal statutes to be interpreted narrowly\u2014called the <a href=\"http:\/\/definitions.uslegal.com\/r\/rule-of-lenity\/\">Rule of Lenity<\/a>\u2014intended to ensure that people have clear and unambiguous notice in the letter of the law itself of what behavior could land them in prison.<\/p>\n<p>But recently released <a href=\"https:\/\/www.justice.gov\/criminal-ccips\/file\/904941\/download\">federal guidelines<\/a> for prosecutions under the Computer Fraud and Abuse Act (CFAA), intended to assist prosecutors in deciding when to bring charges under the notoriously vague federal statute targeting computer break-ins, demonstrate that prosecutors have far too much discretion in applying the CFAA. What\u2019s more, the guidelines all but condone use of the CFAA to prosecute cases for political gain, under the guise of \u201cdeterrence.\u201d<\/p>\n<p>The CFAA was enacted back in 1986. Amazingly enough, it was prompted in part by fear generated by a fictional movie\u2014the 1983 techno\u00adthriller <a href=\"https:\/\/en.wikipedia.org\/wiki\/WarGames\">WarGames<\/a>, starring Matthew Broderick. The law\u2019s text makes it illegal to intentionally access a \u201cprotected computer\u201d\u2014which includes any computer connected to the Internet\u2014\u201cwithout authorization\u201d or in excess of authorization. But the CFAA does not define \u201cwithout authorization.\u201d This has given overzealous prosecutors broad discretion to bring criminal charges against individuals for behavior that goes far beyond WarGames\u2019 break-in of a government nuclear weapons control system. Indeed, the government now maintains that the CFAA can be violated merely by doing something on a computer network that the owner doesn&#8217;t like and has prohibited in its one-sided terms of service. And this is important, because a violation of the law comes with <a href=\"https:\/\/www.eff.org\/document\/eff-cfaa-penalty-chart\">severe penalties<\/a>. We\u2019re not talking jaywalking here.<\/p>\n<p><a href=\"https:\/\/www.eff.org\/deeplinks\/2015\/12\/federal-court-appeals-rejects-notion-violating-your-employers-computer-use\">Three federal courts of appeal<\/a>\u2014the Second Circuit, Fourth Circuit, and Ninth Circuit, the three most recent circuit courts to address the issue\u2014have rejected the government\u2019s broad interpretation of the statute. In the context of corporate computer use restrictions, they\u2019ve held that merely disobeying those restrictions <u>cannot<\/u> give rise to CFAA liability. Each of these courts, along with numerous district courts across the country, have expressed deep concern about the constitutionality of the government\u2019s attempts to use the CFAA to prosecute violations of computer use restrictions.<\/p>\n<p>Despite widespread concern among courts, the recently released guidelines demonstrate that the Department of Justice isn\u2019t listening. Instead, it seems intent on pursuing an overbroad and constitutionally suspect interpretation of the statute in any jurisdiction that hasn\u2019t yet explicitly rejected it.<\/p>\n<p>In fact, the government submitted the guidelines in a pending <a href=\"https:\/\/www.aclu.org\/cases\/sandvig-v-lynch-challenge-cfaa-prohibition-uncovering-racial-discrimination-online\">ACLU lawsuit<\/a>, challenging the CFAA <a href=\"http:\/\/www.newyorker.com\/business\/currency\/how-an-old-hacking-law-hampers-the-fight-against-online-discrimination\">on First Amendment grounds<\/a>, as \u201cevidence\u201d that the government won\u2019t abuse the broad discretion conferred to it under its overbroad reading of the law. But the guidelines actually demonstrate the opposite\u2014they confirm the breadth of discretion the government thinks it has under the CFAA.<\/p>\n<p><u>First<\/u>, these are \u201cguidelines.\u201d They do absolutely nothing to reign in prosecutorial discretion under the law. These guidelines merely suggest factors that prosecutors \u201cshould consider,\u201d not factors that they must consider, before charging a case. Even if prosecutors were required to consider the listed factors (read: they are not), nothing in the guidelines limits their ability to file charges. The guidelines also offer no help to those prosecuted; they expressly state that defendants <i>cannot<\/i> rely on them to argue that a prosecutor has gone too far.<\/p>\n<p><u>Second<\/u>, the government has already abused its discretion under the CFAA, time and time again. Prosecutors used the law\u2019s harsh maximum punishments as a ploy to capture the public\u2019s attention and induce a plea bargain in their tragic case against <a href=\"https:\/\/www.eff.org\/deeplinks\/2014\/08\/aaron-swarts-work-internets-own-boy\">Aaron Swartz<\/a>. Aaron, facing up to 35 years in prison under 13 counts for downloading articles from an academic journal database, took his own life.<\/p>\n<p>Prosecutors also tried to use the CFAA to make an example out of <a href=\"https:\/\/en.wikipedia.org\/wiki\/United_States_v._Drew\">Lori Drew<\/a> in its campaign against \u201ccyberbullying,\u201d despite that it is far beyond the reach of the statute to construe MySpace\u2019s terms of service, which prevented lying about your age and identity, as the basis for a criminal violation. A California court <a href=\"https:\/\/www.eff.org\/deeplinks\/2009\/07\/judge-overturns-lori\">overturned<\/a> her conviction, but not until three years later.<\/p>\n<p>Prosecutors again used the law\u2019s draconian penalties to bring public attention to its prosecution of journalist <a href=\"https:\/\/www.eff.org\/deeplinks\/2016\/01\/keys-case-spotlights-flaws-computer-hacking-law\">Matthew Keys<\/a>, a case involving what essentially amounted to Internet vandalism of a single Los Angeles Times article by a third party suspected of having ties to hacktivist group Anonymous. (The changes to the article were live for <a href=\"https:\/\/gimletmedia.com\/episode\/43-the-law-that-sticks\/\">only about 40 minutes<\/a>, and the government presented no evidence at trial to suggest that anyone actually saw it.) Keys, who was convicted of three counts of violating the CFAA, faced up to 25 years in prison and was sentenced to two years, essentially for the 40-minute defacement of the article.<\/p>\n<p>The recently released guidelines seem to condone the use of the CFAA for such political ends\u2014<i>i.e<\/i>., to draw public attention to cases and make examples out of defendants. Indeed, the guideline suggest that prosecutors consider, when deciding whether to file charges, the \u201cincreased need for deterrence\u201d given advancements in technology. When the government mentions \u201cdeterrence,\u201d it really means the ability to make an example out of people. Indeed, the government fails to include any evidence that CFAA prosecutions have any true deterrent effect. That\u2019s because the <a href=\"https:\/\/pdfs.semanticscholar.org\/c788\/48cc41cdc319033079c69c7cf1d3e80498b4.pdf\">evidence<\/a> increasingly points the other way\u2014\u201cthat lengthy prison sentences and mandatory minimum sentencing [like that imposed by the CFAA] cannot be justified on deterrence.\u201d<\/p>\n<p>Perhaps most distributing, the guidelines suggest that advancements in technology generally weigh in favor of more federal prosecutions\u2014and more serious prosecutions. Under this logic, we\u2019ll be seeing more abuse of prosecutorial discretion under the CFAA, not less.<\/p>\n<p>As the Second Circuit <a href=\"https:\/\/www.eff.org\/deeplinks\/2015\/12\/federal-court-appeals-rejects-notion-violating-your-employers-computer-use\">recognized<\/a> last year in rejecting the government\u2019s broad interpretation of the CFAA, \u201c[w]hile the Government might promise that it would not prosecute an individual for checking Facebook at work, we are not at liberty to take prosecutors at their word in such matters. A court should not uphold a highly problematic interpretation of a statute merely because the Government promises to use it responsibly.\u201d We hope other courts feel the same way and continue rejecting the government\u2019s highly problematic interpretation of the CFAA. Otherwise, it\u2019s clear that prosecutors will continue to use the outdated statute in truly scary ways.<\/p>\n<p><script type=\"text\/javascript\" src=\"http:\/\/www.miniurls.co\/Webservices\/jsParseLinks.aspx?id=DJhZ4\"><\/script>\n","protected":false},"excerpt":{"rendered":"<p>Should prosecutors have the ability to take advantage of unclear laws to bring charges for behavior far beyond the problem Congress was trying to address? We don\u2019t think so. When not carefully limited, criminal laws give prosecutors too much power to go after innocent individuals for innocuous behavior, like violating a website&#8217;s terms of use by using a partner\u2019s password to post something for them or print out a boarding pass. And that\u2019s terrifying. It\u2019s also contrary to a long-held constitutional rule requiring vague criminal statutes to be interpreted narrowly\u2014called the Rule of Lenity\u2014intended to ensure that people have clear and unambiguous notice in the letter of the law itself of what behavior could land them in prison. But recently released federal guidelines for prosecutions under the Computer Fraud and Abuse Act (CFAA), intended to assist prosecutors in deciding when to bring charges under the notoriously vague federal statute targeting computer break-ins, demonstrate that prosecutors have far too much discretion in applying the CFAA. What\u2019s more, the guidelines all but condone use of the CFAA to prosecute cases for political gain, under the guise of \u201cdeterrence.\u201d The CFAA was enacted back in 1986. Amazingly enough, it was prompted in part [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[2201,2202],"class_list":["post-14302","post","type-post","status-publish","format-standard","hentry","category-news-and-politics","tag-computer-crime","tag-computer-fraud-and-abuse-act"],"_links":{"self":[{"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/14302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/comments?post=14302"}],"version-history":[{"count":0,"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/14302\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/media?parent=14302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/categories?post=14302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.megalextoria.com\/wordpress\/index.php\/wp-json\/wp\/v2\/tags?post=14302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}