Publication | Legaltech News
Nervous System: Computer Crime and Punishment
In this month’s history of cybersecurity, David Kalat looks back to the formation of the Computer Fraud and Abuse Act. While there was broad agreement that computer crime was a serious and growing menace to the nation’s security, that consensus broke down when it came to defining exactly what “computer crime” was.
On September 26, 1983, the House Committee on Science and Technology convened its first day of hearings on the increasingly urgent issue of computer security. The nation’s exposure to cyber risks had been escalating steadily for years, but the precipitating cause of the hearings was a specific incident. As discussed in last month’s article, a group of teenagers calling themselves the “414s” had penetrated the systems of the Los Alamos National Laboratory’s nuclear weapons research facility in hopes of playing some video games. On movie screens, the Hollywood film WarGames dramatized the strange new world of computer hackers, and real life was mimicking fiction.
Over several days, Congress heard testimony from various witnesses offering differing perspectives on computer crime. There was broad agreement that computer crime was a serious and growing menace to the nation’s security, but that consensus broke down when it came to defining exactly what “computer crime” was.
Surprisingly, the disagreements went as deep as even what constituted a “computer.” Should the definition of a computer exclude calculators, dedicated word processors, or video game consoles? What about digital watches, fuel-injection systems, or elevators? If Congress was to pass new laws governing computer crimes, this fundamental inflection point would make a significant difference in what activities might suddenly become illegal.
The next inflection point was what sort of action involving a “computer” would rise to a “computer crime?”
Donn Parker, an information security expert from the nonprofit institute SRI International, had dedicated decades of his life to the study of computer crime. His seminal works on the subject remain essential touchstones in the field. He is arguably the first person who could credibly claim to be a cybersecurity expert. Parker’s testimony suggested that “computer crime” meant “any crime in which the criminal required special knowledge of computers or data communications for its perpetration.”
In other words, per Parker’s formulation, a computer crime might not need to have involved a computer in its commission.
Another expert, attorney Susan Nycum, went further than Parker by defining a “computer crime” as “any illegal act where a special knowledge of computer technology is essential for its perpetration, investigation, or prosecution.” By this logic, someone could be guilty of a computer crime if the investigators needed specialized knowledge to catch the transgressor.
Legislators struggled to craft bills capable of clearing these conflicting and uncertain definitional hurdles. In the end, all were found wanting. Each bill had some problematic loophole or unintentional consequence that made the proposed legislation a poor fit to the problem at hand.
Eventually, a solution that was satisfactory to lawmakers was developed. The various ideas and concerns they reflected were worked into the Comprehensive Crime Control Act of 1984, which was amended in 1986 to become the Computer Fraud and Abuse Act (CFAA). Instead of trying to resolve a technical definition of what a “computer” was, the CFAA cut the Gordian Knot by focusing instead on how the device was used. The CFAA identified a class of “protected computers” that were essential to financial institutions or the federal government, or were involved in interstate or international commerce or communication. Then, the CFAA established that illegal conduct involving such protected computers meant unauthorized access or use. Additional penalties then could apply depending on what the unauthorized user did, such as knowingly commit fraud or inflict damage.
Had the CFAA been in place in 1982, the mischief caused by the 414s would have self-evidently been illegal simply based on the fact the teenagers were trespassing in computers used by government institutions like the Los Alamos National Laboratory, regardless of either the hackers’ motives or the actual effects of their intrusions.
One tragic and notorious incident illustrated the critics’ fears. On January 6, 2011, a young technologist named Aaron Swartz was arrested while he was riding his bicycle near the Harvard campus. His crime involved using a custom web crawler program to download scholarly documents from the online database service JSTOR in excess of the site’s download limits. This was no minor brush with the law–the United States Secret Service had taken lead on the case.
Even before his arrest, Swartz was a celebrity in the world of computer science. As a child growing up in Chicago’s North Shore, Swartz had created a precursor to Wikipedia, which he called the Info Network. The project got the pre-teen an invitation to join the World Wide Web Consortium, where he joined other prodigies helping to build the modern Internet.
As a teenager, Swartz developed RSS; he helped create the data architecture for the nonprofit Creative Commons at age fifteen. Before he was even old enough to drink, he helped create Reddit and became a millionaire when Conde Nast bought the site.
Swartz was charged with multiple counts of computer fraud for using his bulk downloader program on JSTOR, but JSTOR itself notably declined to press charges. Nonetheless, prosecutors seemed determined to make an example of Swartz. He faced up to thirty-five years in federal prison if convicted.
The case never went to trial. Swartz’s body was found in his New York apartment, after he hanged himself by his belt, ashamed about what he called “the bad thing in my life.”
Horrified and scandalized, Darrell Issa, then chairman of the House Oversight Committee, launched an investigation into the Justice Department’s prosecution of Swartz. In 2013, a bipartisan alliance sponsored by Zoe Lofgren, a Democratic congresswoman from California, along with James Sensenbrenner (R-WI), Mike Doyle (D-PA), Yvette Clarke (D-NY), and Jared Polis (D-CO), proposed a reformation to the CFAA they called “Aaron’s Law.” It was never passed or even put up to a vote.
Although the legislature did not amend the CFAA to respond to this issue, the question of whether the CFAA should be read as imposing criminal liability for violating websites’ terms of service agreements, or what sort of conduct would “exceed authorized access,” is now before the Supreme Court. On November 30, 2020, the Court heard arguments on Van Buren v. United States, an appeal involving a former police sergeant’s conviction for using a law enforcement database to lookup license plate information for private reasons. The decision is pending.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.