Chapter 5
Anti-Hacking Laws

CHAPTER MENU

  1. Computer Fraud and Abuse Act
  2. State Computer Hacking Laws
  3. Section 1201 of the Digital Millennium Copyright Act
  4. Economic Espionage Act

U.S. legislators have passed statutes to address what they view as the increasingly large threat of computer hacking. This chapter looks at some of the laws commonly used to prosecute people who access computers, software, or data without authorization or in excess of authorization: the Computer Fraud and Abuse Act, state computer hacking laws, section 1201 of the Digital Millennium Copyright Act, and the Economic Espionage Act. Section 2701 of the Stored Communications Act, which penalizes individuals for hacking stored communications, such as email, is discussed in Chapter 7, along with the rest of the Electronic Communications Privacy Act.

The laws discussed in this chapter provide government prosecutors with the ability to bring criminal charges against individuals who hack computers without authorization. In some cases, conviction on a single count of these laws can result in a prison sentence of ten or more years, as well as severe fines. The laws also allow the victims of computer hacking to bring civil suits to recover damages from the hackers and obtain injunctions to prevent further damage.

Unfortunately, some anti-hacking laws were written before the arrival of many technologies that are now commonplace in computer networks and systems. Accordingly, in many cases there are disagreements about the reach of the laws, and what constitutes illegal “hacking” that should lead to criminal sentences and civil liability.

Some prosecutors, plaintiffs, and courts have adopted particularly broad views of these anti-hacking laws. Many of these statutes prohibit not only traditional unauthorized access but the unauthorized use or transfer of information, or circumvention of access controls. Indeed, the laws often present barriers to cybersecurity researchers who are seeking to identify software bugs and other flaws in order to help companies improve the security of their products and services. At the same time, companies that often are the victims of hacking argue that the laws are not strong enough to deter the worst behavior. Anti-hacking legislation is particularly a concern for companies that experience widespread theft of their trade secrets and other confidential information.

In short, there is little agreement about the scope and reach of computer hacking laws. For that reason, many of the laws discussed in this chapter are still controversial, and a number of key political players have long called for significant amendments to the laws.

5.1 Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act is the primary U.S. federal statute that prohibits and penalizes certain forms of computer hacking. The statute imposes both criminal and civil penalties for actions taken by an individual who either lacks authorization to access a computer or exceeds authorized access to that computer.

5.1.1 Origins of the CFAA

Congress passed the CFAA due to a growing concern about computers becoming increasingly networked and subject to unauthorized access, compromising sensitive data such as credit card numbers. The modern version of the CFAA is based on a 1986 amendment to a 1984 law, the Counterfeit Access Device and Computer Fraud and Abuse Act, which was focused primarily on hacking financial institutions and the federal government. Rather than only addressing particular types of sensitive information, Congress chose to regulate the method by which people access all information without proper authorization. As the 1984 House Judiciary Committee Report accompanying the initial bill noted, experts testified in committee hearings “that we need to shift attention in our statutes from concepts such as ‘tangible property’ and credit and debit instruments to concepts of ‘information’ and ‘access to information.’”1

The Judiciary Committee acknowledged that computer fraud was neglected in federal and state laws because it was seen as a “white collar” crime. This neglect was a mistake, the House Report concluded, because “an attack on white collar crime can often be much more productive, economically, to this country than the more publicized emphasis on violent crime.”2 For instance, the Committee cited a decline in highway construction costs of between 25 and 35 percent, and attributed that change to successful federal prosecutions for bid-fixing in that industry.3 In other words, increased penalties for white collar crime will result in significant economic benefits for society by reducing white collar crime.

Congress was particularly concerned about the possibility of white collar criminals using the rapidly developing computer technology to carry out economic crimes. In 1983, the Judiciary Committee noted, personal computer sales were estimated at $1.5 billion, up from “virtually zero” in 1976.4 The Committee heard extensive testimony that “criminal elements gained access to computers in order to perpetuate crimes,” and that the criminals “possess the capability to access and control high technology processes vital to our everyday lives[.]”5 The criminal justice system at the time was “largely uninformed concerning the technical aspects of computerization, and bound by traditional legal machinery which in many cases may be ineffective against unconventional criminal operations,” the Committee wrote.6 The Committee was particularly concerned that a new crime, known as “hacking,” did not fit easily into existing criminal laws. The Committee reasoned that the general public fails to appreciate the harm that can be caused by hacking: “People can relate to mugging a little old lady and taking her pocketbook, but the perception is that perhaps there is not something so wrong about taking information by use of a device called a computer even if it costs the economy millions now and potentially billions in the future.”7 This proved to be quite prescient: a 2014 study conducted by the Center for Strategic and International Studies estimated that cybercrime costs the U.S. economy approximately $100 billion annually.

To address these concerns, Congress passed in 1984 the Counterfeit Access Device and Computer Fraud and Abuse Act,8 which created felonies and misdemeanors for certain computer hacking and counterfeit access device crimes. It has been amended six times since its initial passage and is now known as the Computer Fraud and Abuse Act. The statute currently criminalizes seven different categories of behavior, each outlined in sections (a)(1) through (a)(7) of the CFAA. It is useful to think of each of these sections as a stand-alone crime because alleged hackers often are charged under multiple sections of the CFAA.

5.1.2 Access without Authorization and Exceeding Authorized Access

The seven subsections of the CFAA primarily apply to acts that individuals commit when they use a computer either without “authorization” to access the computer or “exceeding authorized access” to the computer. Some of the CFAA sections only apply if the defendant did not have authorization, and others apply either if the defendant didn't have authorization or if the defendant exceeded authorized access.

At the outset, it is important to understand the forms of “access” that trigger the protections of the CFAA. The CFAA does not define “access,” though one court, relying on the dictionary definition of the word, stated that the transitive verb “access” means “to gain access to,” and the noun “access” means “to exercise the freedom or ability to make use of something.”9 Regardless of the exact definition of the term, courts generally require the defendant to have played an active role in entering the computer and either obtaining information or causing damage. Passively receiving information – and nothing more – does not constitute access under the CFAA. For example, in Role Models America, Inc. v. Jones,10 an academy for high school dropouts sued its former principal, alleging that he used his access to the academy's computer systems to disclose proprietary information to Nova Southeastern University, where he was completing his dissertation. The academy in fact sued the former principal and Nova, alleging that they both violated the CFAA. The district court granted Nova's motion to dismiss, reasoning that even if the academy's allegations were true, Nova did nothing more than receive information to which the principal was not entitled. The court wrote that in the context of the CFAA, “access” is an “active verb: it means ‘to gain access to,’ or ‘to exercise the freedom or ability to make use of something.’”11

The more difficult question to answer is: was this act without authorization or in excess of authorized access? One of the most common defenses in CFAA cases concerns the definition of “authorization” or “exceeds authorized access.” The statute does not provide an incredibly clear definition of either term. “Authorization” is not defined in the statute, and the statute defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”12 Unfortunately, this definition does not specifically address whether specific types of access exceed authorization, leading to a great deal of uncertainty in CFAA cases. In fact, whether a user has exceeded authorized access or accessed a computer without authorization is among the most frequently litigated issues in CFAA cases.

The issue is frequently disputed in cases in which a defendant had previously been authorized to access a computer, but either obtains information that the defendant was not entitled to access or uses the information in a way unintended by the owner of that information. Typically, in these cases, the government or a civil plaintiff argues that the defendant exceeded authorized access, though there are some cases in which prosecutors and plaintiffs have argued that the defendant no longer had any authorization to access a computer, and therefore was acting “without authorization.”13 There is a good deal of uncertainty as to whether accessing “without authorization” or “exceeding authorized access” includes actions that violate a website's terms of use or a company's internal information technology policies.

Some commentators have proposed three primary ways in which the CFAA could be violated. “Code-based” CFAA violations occur when the defendant circumvents computer software code in order to access a computer without authorization or in excess of authorized access.14 “Contract-based” CFAA violations occur when the defendant's access is in violation of an agreement, policy, or terms of service.15 “Norms-based” CFAA violations occur when the defendant's access is contrary to general societal expectations.16 There is little dispute that code-based violations fall within the scope of the CFAA. However, there is great disagreement as to whether contract-based and norms-based violations are covered by the statute.

A narrow reading of the statute would lead to the conclusion that you only violate the CFAA if you commit a code-based violation. A broader reading of the statute would allow prosecutors and plaintiffs to bring CFAA cases not only arising from code-based violations but also contract-based and norms-based violations. Federal courts currently are split as to how broadly to interpret the CFAA, as will be discussed in detail below.

5.1.2.1 Narrow View of “Exceeds Authorized Access” and “Without Authorization”

The more restrictive reading of the CFAA is seen in United States v. Nosal,17 a 2012 decision of the United States Court of Appeals for the Ninth Circuit, sitting en banc. David Nosal, a former employee of an executive search firm, convinced his ex-coworkers to use their access to the firm's computer systems to provide him with confidential information. The ex-coworkers had access to this data, which Nosal planned to use to start a competing search firm. Nosal was indicted under numerous criminal laws, including section (a)(4) of the CFAA (discussed in depth below). The government charged that Nosal aided and abetted his ex-coworkers in exceeding their authorized access to the network with intent to defraud.18

Nosal moved to dismiss the CFAA charges, arguing that he did not violate the CFAA because he did not exceed authorized access. According to Nosal, the CFAA only covers hackers, and not those who misuse information to which they had lawful access.19 The Ninth Circuit agreed with Nosal and adopted his restrictive reading of “exceeds authorized access.” The court concluded that “[i]f Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions — which may well include everyone who uses a computer — we would expect it to use language better suited to that purpose.”20 The court reasoned that the government's proposed broad interpretation of “exceeds authorized access” would enable the government to bring federal criminal charges against individuals who innocuously violated workplace computer policies. Such broad governmental discretion, the court reasoned, would lead to truly absurd results:

Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they'd better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.

The effect this broad construction of the CFAA has on workplace conduct pales by comparison with its effect on everyone else who uses a computer, smart-phone, iPad, Kindle, Nook, X-box, Blu-Ray player or any other Internet-enabled device. The Internet is a means for communicating via computers: Whenever we access a web page, commence a download, post a message on somebody's Facebook wall, shop on Amazon, bid on eBay, publish a blog, rate a movie on IMDb, read www.NYT.com, watch YouTube and do the thousands of other things we routinely do online, we are using one computer to send commands to other computers at remote locations. Our access to those remote computers is governed by a series of private agreements and policies that most people are only dimly aware of and virtually no one reads or understands.21

The Ninth Circuit's Nosal holding is the most forceful articulation of the narrow approach to interpreting CFAA's “exceeds authorized access” provision. One commentator stated that the opinion “is a huge victory for those of us who have urged the courts to adopt a narrow construction of the CFAA.”22

In fact, less than a year after the Ninth Circuit issued the Nosal opinion, the U.S. Court of Appeals for the Fourth Circuit adopted the Ninth Circuit's reasoning in a civil CFAA case. In WEC Carolina Energy Solutions LLC v. Miller,23 WEC, an energy services company, brought a CFAA lawsuit against Mike Miller, a former employee. WEC alleged that before leaving the company, Miller used his access to the company's servers and Intranet to download confidential documents about the company's projects, and later took a job at a WEC competitor and used the confidential information to make a presentation to a potential customer.24

WEC claimed that this violated sections (a)(2), (a)(4), and (a)(5) of the CFAA because Miller used the information without authorization or in excess of authorized access. Although (a)(2) and (a)(4) apply to acts that are either without authorization or exceeding authorized access, (a)(5) only applies to acts that are without authorization. The Fourth Circuit observed that “the distinction between these terms is arguably minute[.]”25 The court concluded that, based on the ordinary meaning of the terms, “authorization” means that “an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer,” and therefore “without authorization” means that the employee “gains admission to a computer without approval.”26 The court concluded that “exceeds authorized access” means that the employee “has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.”27 Importantly, the court reasoned that neither “without authorization” nor “exceeds authorized access” can be read to include “the improper use of information validly accessed.”28

Imposing liability on individuals based on an individual's use of information – even if they had lawful access – would lead to absurd results, the Fourth Circuit reasoned. For instance, the court stated, this interpretation “would impute liability to an employee who with commendable intentions disregards his employer's policy against downloading information to a personal computer so that he can work at home and make headway in meeting his employer's goals.”29

Most recently, the U.S. Court of Appeals for the Second Circuit adopted the Nosal reasoning in United States v. Valle.30 In that case, Gilberto Valle, a New York City Police Department officer, was charged with crimes arising from online communications in which he discussed committing sexual violence against women he knew. Among the charges was a CFAA violation because he allegedly used his access to law enforcement databases to obtain home addresses, birth dates, and other information about the women who were named in his violent fantasies.31 Prosecutors charged that this violated the CFAA because Valle knew of the NYPD's policy that the information was strictly limited to use for official police business.32

The Second Circuit held that Valle did not violate the CFAA. It relied in part on the legislative history of the 1986 amendments to the CFAA.33 The Senate Committee Report to these amendments explained that Congress did not intend to impose liability for those “who inadvertently stumble into someone else's computer file or computer data,” and that such a scenario was “particularly true in those cases where an individual is authorized to sign onto and use a particular computer, but subsequently exceeds his authorized access by mistakenly entering another computer or data file that happens to be accessible from the same terminal.”34 The court reasoned that this legislative history “consistently characterizes the evil to be remedied—computer crime—as ‘trespass’ into computer systems or data, and correspondingly describes ‘authorization’ in terms of the portion of the computer's data to which one's access rights extend.”35 The Second Circuit acknowledged that the terms “authorization” and “exceeds authorized access” are ambiguous, but ultimately decided that it is required to adopt the narrower, less punitive version under the “rule of lenity,” a principle of statutory interpretation that requires courts to interpret ambiguous criminal statutes in favor of criminal defendants, based on the principle that it is the duty of Congress, and not the courts, to create laws that punish criminals.36

Under the narrow interpretation of “without authorization” and “exceeds authorized access,” as articulated in Nosal, WEC, and Valle, individuals are only liable for CFAA violations if their initial access to the system or data was not permitted. Therefore, how the individual used the data is irrelevant.

5.1.2.2 Broader View of “Exceeds Authorized Access” and “Without Authorization”

Some other courts have adopted a broader reading of the CFAA, in which individuals may be liable for misusing information to which they initially had lawful access. Typically, courts that adopt the broad approach to the CFAA will hold that violations of contracts, terms of use, and other rules or agreements constitute acting either without authorization or in excess of authorization. In other words, the broader view of the CFAA allows liability not only for code-based violations but also for contract-based violations.37

The first federal appellate court to examine the scope of “exceeds authorized access” and “without authorization” was the U.S. Court of Appeals for the First Circuit, in the 2001 civil CFAA case, EF Cultural Travel BV v. Explorica.38 In that case, a company, EF, brought a CFAA claim against a competitor and the competitor's employees for using an automated software program to scrape pricing information from the company's publicly available website. The employees had previously worked for EF, and had entered into a confidentiality agreement in which they agreed to not disclose or use any confidential information for any third party's benefit or against EF's interests.39 The plaintiffs presented evidence that the former employee used his knowledge of confidential EF information to develop the scraping tool. The defendants requested that the court dismiss the lawsuit, contending that they did not “exceed” authorized access. The First Circuit rejected this argument, concluding that the defendants “would face an uphill battle trying to argue that it was not against EF's interests for appellants to use the tour codes to mine EF's pricing data.”40 This is a particularly broad interpretation of the term “exceeds authorized access” because there was not even an allegation that the scraping program violated explicit terms of use or another policy in a user agreement.

Violations of terms of use and workplace policies are a more common basis for charges of exceeding authorized access under the CFAA. For instance, in United States v. Rodriguez,41 the government brought CFAA charges against Roberto Rodriguez, a former Social Security Administration customer service representative. SSA's policies prohibited its employees from obtaining information “without a business reason.” Rodriguez refused to sign forms acknowledging the policy, and accessed the Social Security records of seventeen individuals without a business reason, and without the individuals' knowledge. Among the individuals whose records were accessed was Rodriguez's ex-wife.42 Rodriguez was convicted of violating the CFAA, and on appeal to the U.S. Court of Appeals for the Eleventh Circuit, he argued that he did not “exceed authorized access” because his access was limited to the databases that he was permitted to access due to his job requirements.43

The court rejected Rodriguez's argument and held that he exceeded his authorized access by accessing the information for reasons unrelated to his job.44 The court reasoned that this constituted a CFAA violation because the Social Security Administration had explicitly told him that he was not permitted to obtain the information for reasons that were unrelated to business purposes. In other words, the court concluded, the violation occurred not because Rodriguez misused the information, but because he obtained the information in violation of the Social Security Administration's policy.

Rodriguez also argued that he did not exceed authorized access because he did not use the information in a criminal manner (e.g., for identity theft). The court quickly disregarded this argument, concluding that the manner in which he used the information is not relevant to deciding whether he violated the CFAA; the inquiry for the court was whether he obtained the information in violation of the statute.45 The Rodriguez case is an example of a broad reading of the CFAA, in which the focus of the court's inquiry is not merely whether the initial access was authorized, but whether the access was used to further unauthorized activities.

Similarly, in United States v. John,46 Dimetriace Eva-Lavon John, a Citigroup employee, used her credentials to provide information about corporate customers' financial accounts to her half-brother, who used the information to commit fraud.47 John was charged and convicted on a number of counts, including the CFAA. On appeal, she argued that she did not exceed authorized access because she was authorized to access and view the corporate customer account information. The U.S. Court of Appeals for the Fifth Circuit rejected this argument, concluding that “authorized access” may include use limitations that are placed on the information, “at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime.”48 For instance, the court wrote, if an employer authorizes employees “to utilize computers for any lawful purpose but not for unlawful purposes and only in furtherance of the employer's business,” the company's employees would exceed authorized access if they “used that access to obtain or steal information as part of a criminal scheme.”49

Applying this definition of authorized access to the charges against John, the Fifth Circuit concluded that she clearly violated the CFAA. The court noted that Citigroup's internal policy, which was presented to John at employee training sessions, explicitly barred employees from misusing confidential information. “Despite being aware of these policies,” the court concluded, “John accessed account information for individuals whose accounts she did not manage, removed this highly sensitive and confidential information from Citigroup premises, and ultimately used this information to perpetrate fraud on Citigroup and its customers.”50 Key to the court's decision was evidence that John had actually been trained on the policies that prohibited such access.

In short, the broad interpretation of CFAA includes not only code-based violations, but also violations based on contract and norms.

5.1.2.3 Attempts to Find a Middle Ground

Courts nationwide have recognized the clear split between the Nosal/WEC/Valle narrow reading of the CFAA and the John/Rodriguez broad reading. Some courts, rather than selecting one definition, have attempted to distinguish the two lines of thinking and find a middle ground in which the facts of each case determine which reading of the CFAA to apply.

For instance, in 2015, the U.S. District Court for the District of Columbia reasoned that the reading of the CFAA depends in part on whether the defendant knowingly violated the law or an agreement. In Roe v. Bernabei & Wachtel PLLC,51 the plaintiff had secretly recorded her employer allegedly sexually harassing her. She allowed a coworker to copy the video. The coworker, along with other colleagues, later sued the employer. They also allegedly provided the media with copies of the video.52 The plaintiff sued the former coworkers and their law firm for, among other things, violating various provisions of the CFAA by intentionally accessing a protected computer while exceeding authorization, and obtaining information from that computer and furthering intended fraud.53

The defendants moved to dismiss this claim, arguing that a CFAA violation did not exist because the plaintiff had voluntarily allowed her coworker to copy the video. The judge recognized that courts have different interpretations of the term “exceeds authorized access.” The judge ultimately concluded that the narrower version, as articulated in Nosal, applied to this case, and dismissed the CFAA claims. The judge reasoned that the more expansive view, as stated in cases such as Rodriguez, involves “circumstances in which employees knowingly violated internal employer policies related to the use of data, either unlawfully, or in violation of their employment agreement.”54 In this case, there was no allegation of an explicit agreement or law that prohibited the defendants from sharing this information. Although the court adopted the Nosal line of reasoning for this case, it is possible that, had the coworkers violated an explicit agreement, the court would have sustained the CFAA claims.

As courts continue to apply both interpretations of the CFAA to a wide set of fact patterns, it will be increasingly difficult for courts to find such a middle ground; the interpretations clearly conflict with each other. Quite simply, the federal courts are split as to whether an individual can be found guilty of violating the CFAA merely by misusing information to which the individual had proper access. Unless the United States Supreme Court eventually resolves the issue, federal courts will continue to apply different definitions of “without authorization” and “exceeds authorized access.” A court's decision about which interpretation to use will inevitably affect the fate of any CFAA criminal prosecution or civil lawsuit.

5.1.3 The Seven Sections of the CFAA

Although courts exert a great deal of effort determining whether a CFAA defendant has accessed a computer without authorization or exceeded authorized access, that determination is only the beginning of their inquiry under the CFAA. Individuals only violate the CFAA if, while acting without authorization or in excess of authorization, their behavior falls into one of seven categories specified by the CFAA, such as obtaining information or damaging a computer. Below is an overview of the seven subsections of the CFAA, and the types of behavior that courts have held constitute – and do not constitute – violations of the law. For all seven of these subsections, the CFAA imposes criminal penalties not only on the commission of these acts but also on conspiracies and attempts to commit the acts.55

5.1.3.1 CFAA Section (a)(1): Hacking to Commit Espionage

Section (a)(1) prohibits individuals from knowingly accessing a computer without authorization or exceeding authorized access, and obtaining classified information, and willfully communicating, delivering, transmitting, or causing the communication, delivery, or transmission of that information to any person who is not authorized to receive it.56 The statute also prohibits the willful retention of the data, and failure to deliver it to the U.S. employee who is entitled to receive it. Section (a)(1) only applies if the individual had reason to believe that the information could be used to injure the United States or to the advantage of a foreign nation.

No published court opinion interprets this subsection, largely because it is rare for prosecutions to be brought under this subsection. That likely is because the federal government typically brings espionage-related hacking prosecutions under the Espionage Act,57 which criminalizes many forms of unauthorized access, use, and disclosure of classified information.

Violations of Section (a)(1) are felonies, and violations carry prison terms of up to ten years and fines. If an individual violates Section (a)(1) after having been convicted of another CFAA violation, the prison term can be up to twenty years.

5.1.3.2 CFAA Section (a)(2): Hacking to Obtain Information

Section (a)(2) of the CFAA prohibits individuals from intentionally accessing computers without authorization or in excess of authorized access, and obtaining (1) information contained in a financial record of a financial institution, card issuer, or consumer reporting agency; (2) information from any federal government department or agency; or (3) information from any “protected computer,” which the CFAA defines as a computer that is either used by a financial institution or the federal government, or is used in or affecting interstate or foreign commerce.58

Because it is relatively easy to demonstrate that companies' computers affect interstate or foreign commerce, Section (a)(2) is a frequent basis for CFAA criminal prosecutions and civil litigation. Indeed, the CFAA had initially only applied to computers that are used in interstate commerce, but in 2008, Congress amended the statute to include computers that affect interstate commerce because it recognized the need to “address the increasing number of computer hacking crimes that involve computers located within the same state[.]”59 Under this incredibly broad definition of “protected computer,” it is difficult to imagine any U.S. companies whose computers do not qualify as “protected computers” that are covered by the CFAA. Indeed, one federal court in California stated that the requirement for a “protected computer” will “always be met when an individual using a computer contacts or communicates with an Internet website.”60 Moreover, in 2001, Congress amended the CFAA to clarify that it applies not only to actions that affect interstate commerce but also foreign commerce. As the U.S. Justice Department observed, this amendment “addresses situations where an attacker within the United States attacks a computer system located abroad and situations in which individuals in foreign countries route communications through the United States as they hack from one foreign country to another.”61

The act covered by Section (a)(2) – obtaining information – is quite broad. In the Senate report accompanying the 1986 amendments to CFAA that established Section (a)(2), the legislators wrote that “obtaining information” includes “mere observation of the data.”62 The legislators clarified that, for the government or a litigant to demonstrate that an individual obtained information under Section (a)(2), they need not prove that the defendant had been “physically removing the data from its original location or transcribing the data[.]”63 In the three decades since this report, there has been little dispute that “obtaining information” under Section (a)(2) does not necessarily include the actual removal of the data. Observation of data – such as by hacking into a company's website – is sufficient to establish that the individual “obtained” the information. However, there are some limits to the breadth of this definition. Merely accessing a computer without authorization or in excess of authorization – and not actually viewing or otherwise obtaining any information – will not constitute a Section (a)(2) violation.

Perhaps the most significant barrier to charges or claims under Section (a)(2) is the requirement that the act of obtaining information be intentional. Congress intentionally set this higher standard in its 1986 amendments to the CFAA. The initial 1984 version of the CFAA applied to acts that were committed “knowingly.” In 1986, Congress replaced “knowingly” with “intentionally.” In the report accompanying the 1986 amendments, the Senate committee members wrote that “intentional acts of unauthorized access – rather than mistaken, inadvertent, or careless ones – are precisely what the Committee intends to proscribe.”64 The Committee analyzed Supreme Court precedent that interpreted the term “knowingly,” and reasoned that the “knowingly” standard could apply whenever the individual is “aware that the result is practically certain to follow from his conduct, whatever his desire may be as to that result.”65 Although this broad definition of “knowingly” might be appropriate for other crimes, the Committee reasoned that it is not appropriate for computer hacking because it “might not be sufficient to preclude liability on the part of those who inadvertently ‘stumble into’ someone else's computer file or computer data.”66

Replacing “knowingly” with “intentionally,” the Committee concluded, “is designed to focus Federal criminal prosecutions on those whose conduct evinces a clear intent to enter, without proper authorization, computer files or data belonging to another.”67 The Committee, relying on earlier interpretations of the term “intentional,” stated that it “means more than one voluntarily engaged in conduct or caused a result. Such conduct or the causing of the result must have been the person's conscious objective.”68

The limits imposed by the word “intentionally” were evident in a 2006 federal court opinion in the District of Columbia, arising from a civil action against IBM.69 Butera & Andres, a DC law firm, alleged that its servers were hacked, and the attacker's IP addresses were located at an IBM facility in North Carolina. The law firm sued IBM and the anonymous individual – whom the firm alleged to be an employee of IBM – under a variety of causes of action, including a violation of Section (a)(2) of the CFAA. IBM moved to dismiss the claims, arguing that the plaintiff's complaint failed to allege that IBM acted intentionally.70 The district court granted IBM's motion to dismiss, agreeing that the complaint failed to allege that IBM acted with any intent. The court reasoned that the mere allegation that the hacker's IP addresses were located in IBM's facilities did not permit an inference that IBM participated in the alleged hacking.71 “Far from pleading any intentional conduct on the part of IBM,” the court observed, “the plaintiffs' position appears directed, at most, at establishing the likelihood that an individual employed at the IBM facility in Durham is responsible for the alleged attacks.”72 Such an allegation does not rise to the level of “intentional” hacking, the court concluded.73

Demonstrating intent under Section (a)(2), however, is not an insurmountable task. Indeed, courts generally have held that for the government or a civil plaintiff to establish a Section (a)(2) violation, they only need to prove that the defendant intended to obtain information by accessing a computer without authorization or exceeding authorized access. It is unnecessary to demonstrate that the defendant intended for the information to be used in any particular way.

For example, in a 2007 case, United States v. Willis,74 defendant Todd A. Willis, an employee of an Oklahoma City debt collection business, had access to a proprietary database of individuals' personal information, and was explicitly prohibited from obtaining the information for personal reasons.75 A law enforcement investigation revealed that Willis provided his drug dealer with a coworker's credentials, and the credentials were later used to commit identity theft.76 Willis was charged with aiding and abetting a violation of Section (a)(2), convicted by jury, and sentenced to forty-one months in prison.77 On appeal to the U.S. Court of Appeals for the Tenth Circuit, Willis argued that his conviction was invalid because he did not have the intent to defraud when he provided the credentials. The Tenth Circuit rejected this argument after reviewing the legislative history of the 1986 amendments to CFAA, and concluded that the government did not have an obligation to demonstrate that Willis intended to use the information in any particular way; the inquiry for the court was whether his intentional access and obtaining of the information violated the CFAA.78

Similarly, in Thayer Corporation v. Reed,79 Thayer Corporation filed a civil lawsuit against its former Chief Financial Officer, David Reed. Among the many counts in the complaint was a CFAA claim under Section (a)(2). Thayer alleged that for approximately a week after Reed's employment ceased, he forwarded Thayer human resources emails to his personal email account. Reed asserted that the email transfers were the result of a mistake by his phone provider, and that as soon as he saw that he was receiving the Thayer emails, he directed the phone company to fix the issue. The court rejected this argument, reasoning that the complaint alleged that Reed “intercepted, read, deleted and forwarded emails from Thayer's human resources director,” explained that Reed created Thayer's password system, and alleged that Reed “knew of discussions regarding his severance package, information that only could have been obtained from the human resources manager's emails.” Assuming that the allegations in the complaint were true, the court concluded, “Mr. Reed could not have unintentionally done any of these things; each requires the intent to access, intercept, and use Thayer's email system without authorization, causing harm.”80

These cases have a consistent theme: to satisfy the “intentional” requirement of Section (a)(2), the government or civil plaintiff must establish that the defendant knew that they were obtaining the information through unauthorized hacking. However, they need not establish that the defendant intended to cause harm, defraud, or support the commission of another crime.

Section (a)(2) violations may be charged as felonies or misdemeanors. If a violation is charged as a misdemeanor, the defendant could be punished by a fine and up to one year in prison. A violation of Section (a)(2) may be charged as a felony, punishable by a fine and up to five years in prison, if one of the following is true: (1) the offense was committed for commercial advantage or private financial gain; (2) the offense was committed in furtherance of any criminal or tortious act that violates the U.S. Constitution or any federal or state laws; or (3) the information obtained is valued at more than $5000. Additionally, if an individual violates Section (a)(2) after having previously been convicted of a CFAA violation, that individual can be charged with a felony punishable by a fine and up to ten years in prison.

5.1.3.3 CFAA Section (a)(3): Hacking a Federal Government Computer

Section (a)(3) prohibits individuals from intentionally accessing nonpublic federal government computers without authorization. This prohibition applies to both computers that are “exclusively for the use of the Government of the United States,” and computers that are “used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States.”81

At first glance, one might wonder why Section (a)(3) is necessary, since Section (a)(2) also explicitly prohibits certain hacks of federal government computers. Section (a)(3) differs because it prohibits the mere act of intentionally accessing a federal government computer without authorization, regardless of whether the defendant actually obtained any information. This provision was conceived two years after the initial CFAA was enacted, when members of Congress indicated a desire to “balance its concern for Federal employees and other authorized users against the legitimate need to protect Government computers against abuse by ‘outsiders.’”82 Congress addressed this balance by amending the CFAA to create this separate prohibition on unauthorized access to federal computers. According to the Senate report accompanying the amendments, this section was drafted in response to the U.S. Justice Department's concerns about whether Section (a)(2) “covers acts of mere trespass,” that is, unauthorized access, or whether it requires a further showing that the information perused was “used, modified, destroyed, or disclosed.”83 Congress stated that it intended for Section (a)(3) to create “a simple trespass offense” that applies “to persons without authorized access to Federal computers.”84 In this respect, Section (a)(3) is significantly broader than Section (a)(2).

However, Section (a)(3) also is narrower than Section (a)(2) in one important area: while Section (a)(2) applies to both access without authorization and exceeding authorized access, Section (a)(3) only applies to access without authorization. Congress intentionally excluded “exceeding authorized access” from Section (a)(3) due to its belief that “government employees and others who are authorized to use a Federal Government computer would face prosecution for acts of computer access and use that, while technically wrong, should not rise to the level of criminal conduct,” according to the 1986 Senate report.85 The legislators concluded that if an employee “briefly exceeds his authorized access and peruses data belonging to the department that he is not supposed to look at,” the employee should be subject to administrative sanctions, but not criminal penalties.86

Section (a)(3) does not apply to unauthorized access of any federal government computer. In 1996, Congress amended Section (a)(3) to clarify that it only applies to unauthorized access of nonpublic federal government computers. In the Senate report accompanying the 1996 amendment, Congress warned that despite the new restriction of Section (a)(3) to nonpublic federal government computers, “a person who is permitted to access publicly available Government computers, for example, via an agency's World Wide Web site, may still be convicted under (a)(3) for accessing without authority any nonpublic Federal Government computer.”87

There have been few prosecutions under Section (a)(3). Among the few was a recent criminal case against Jerry Wang, the chief executive officer of two universities in California. The government alleged that Wang provided one of his employees with Wang's access to the Department of Homeland Security's Student and Exchange Visitor Information System, which processes the information that DHS uses to determine whether universities are complying with student immigration laws. The government alleged that this unauthorized employee filed forged documents. Among the fifteen counts was a charge that Wang violated Section (a)(3). Wang moved to dismiss this count, arguing that providing log-in credentials to an employee to input data does not violate Section (a)(3). The court denied this motion, concluding that the indictment sufficiently alleged a violation of the statute.88

The U.S. Department of Justice's manual on computer crimes attributes the lack of prosecutions under Section (a)(3) to the fact that a first-time violation of Section (a)(3) is a misdemeanor, while a first-time violation of Section (a)(2) may be charged as a felony, with greater penalties.89 Accordingly, if an act falls under both Section (a)(2) and Section (a)(3), prosecutors may have greater incentive to bring the charges under Section (a)(2).

If, however, an individual is charged under Section (a)(3) after having previously been convicted of a CFAA violation, the crime can be charged as a felony with a fine and up to ten years in prison.

5.1.3.4 CFAA Section (a)(4): Hacking to Commit Fraud

Section (a)(4) prohibits individuals from knowingly and with intent to defraud accessing a protected computer without authorization, or exceeding authorization, and furthering the intended fraud and obtaining anything of value. This provision does not apply if the object of the fraud and the thing obtained consists only of the use of the computer, and the value of that use is not more than $5000 during any one-year period.90

Section (a)(4) is similar to the federal mail fraud and wire fraud statutes. But when Congress enacted this provision in the 1986 amendments to CFAA, it expressed a desire to ensure that fraud conducted over a computer – rather than the mails or wires – be covered explicitly under a criminal law. According to the Senate report accompanying the amendments, for a prosecution under Section (a)(4), “the use of the computer must be more directly linked to the intended fraud,” meaning that it “must be used by an offender without authorization or in excess of his authorization to obtain property of another, which property furthers the intended fraud.”91

Courts generally have been willing to conclude that a wide range of types of improper access “further” the intended fraud, as required by Section (a)(4). For instance, in United States v. Lindsley,92 the defendant was charged with violations of Section (a)(4) and other statutes for using his personal computer to illegally access Sprint's internal computer system and steal customers' calling card numbers. His co-defendants allegedly sold the calling card numbers, and the government alleged that the total losses that Lindsley caused exceeded $1.8 million. Lindsley pleaded guilty and was sentenced to forty-one months in prison. The large prison sentence was primarily due to a sentencing enhancement that was triggered by the large losses. Lindsley appealed the sentence and argued that it was not reasonably foreseeable that his co-defendants would resell the card numbers. The U.S. Court of Appeals for the Fifth Circuit, in an unpublished opinion, affirmed the sentence, concluding that the loss was foreseeable to Lindsley.93

Similarly, in United States v. Bae,94 the defendant, a retailer whose store sold lottery tickets, pleaded guilty to a Section (a)(4) violation. He was charged with using his lottery terminal to generate more than $500,000 in tickets for himself. The tickets were redeemable for more than $296,000 and the defendant redeemed them for approximately $224,000. When calculating his sentence, the district court attributed $503,650 in losses, equal to the total value of the tickets after subtracting the commission that the defendant would have received as a retailer. The defendant appealed the sentence, arguing that the market price does not reflect the actual cost to the lottery system, and that therefore the district court should have calculated his sentence based on the redemption value of the tickets. The U.S. Court of Appeals for the D.C. Circuit rejected this argument and affirmed his sentence, concluding that the proper measure of damage under Section (a)(4) is the fair market value of the property at the time that it was illegally acquired.95

Although both the Lindsley and Bae opinions dealt with the narrow issue of criminal sentencing, the courts' reasoning indicates a willingness to broadly attribute subsequent fraud to an initial illegal access. In other words, even if the eventual fraud is attenuated from the initial access, the defendant still may be liable under Section (a)(4).

Perhaps the largest barrier to Section (a)(4) cases is the requirement to demonstrate that the defendant obtained something “of value” that is worth more than $5000. Consider the prosecution of Richard Czubinski, a customer service employee at the Internal Revenue Service. The federal government brought charges against Czubinski under numerous statutes, including Section (a)(4), alleging that he used his credentials to search the tax records of a number of people for whom he had no legitimate business reason to be querying, including political staffers, a state prosecutor who handled a case against his father, his brother's instructor, and a woman whom Czubinski had dated.96 At trial, there was evidence that he only mentioned his access to the data to one acquaintance, and there was no further evidence that he had shared or otherwise used any of the information that he viewed.97 He was convicted by a jury on thirteen counts, and appealed.

In 1997, the U.S. Court of Appeals for the First Circuit reversed his Section (a)(4) conviction. (At the time, Section (a)(4) required proof that the hacker obtained something of value, but did not have a $5000 minimum value.) At issue in the appeal was whether the taxpayer IRS information qualifies as something of “value,” even though there was no evidence that Czubinski used it in any way. The court concluded that in this case, the government failed to demonstrate that the information had any value to Czubinski. Instead, the court reasoned, he accessed the data merely to satisfy his “idle curiosity.”98 In other words, viewing confidential information – and not doing anything with that knowledge – does not constitute obtaining a thing “of value” in violation of Section (a)(4). The mere act of accessing information on a computer without authorization or in excess of authorization more easily fits under Section (a)(2).

Section (a)(4)'s intent requirement is more specific than other sections of the CFAA: the violation must not only be done knowingly, but it must be done with intent to defraud. One of the few courts that has interpreted this phrase in the context of the CFAA took a fairly broad approach. In Shurgard Storage Centers v. Safeguard Self Storage,99 the plaintiff, a self-storage company, alleged that one of its managers emailed confidential business information to its competitor, and was later hired by the competitor. The plaintiff sued the competitor alleging a number of claims, including violation of Section (a)(4). The competitor moved to dismiss the complaint, arguing that the complaint did not adequately allege that the competitor intended to defraud the plaintiff.100 At common law, to demonstrate that fraud occurred, a plaintiff must demonstrate nine elements, including a representation of fact that was false, and the plaintiff's reliance on this false statement. Requiring a Section (a)(4) plaintiff (or a government prosecutor) to demonstrate common-law fraud would make it exceptionally difficult to bring a case under this provision. The court rejected this reading of Section (a)(4), agreeing with the plaintiff that, in the context of Section (a)(4), “defraud” means “wronging one in his property rights by dishonest methods and schemes.”101 The court reasoned that Section (a)(4) does not require proof of common-law fraud, and only requires demonstration of a “wrongdoing.”102

A federal judge in Iowa later adopted the broad definition of “defraud” as articulated in Shurgard Storage Centers. In NCMIC Finance Corporation v. Artino,103 a company alleged that a former executive violated Section (a)(4) when he used his access to the company's computer systems to obtain confidential customer information. The judge concluded that these actions constituted an intent to defraud for the purposes of Section (a)(4) because they harmed the plaintiff's property rights.104

Violations of Section (a)(4) are charged as felonies punishable by a fine or imprisonment of up to five years. If the defendant had previously been convicted of violating the CFAA, the prison term can be up to ten years.

5.1.3.5 CFAA Section (a)(5): Hacking to Damage a Computer

Section (a)(5) of the CFAA prohibits three types of behavior, all related to damaging computers through hacking: (1) knowingly causing the transmission of a program, information, code, or command, and, as a result of such conduct, intentionally causing damage without authorization, to a protected computer; (2) intentionally accessing a protected computer without authorization, and as a result of such conduct, recklessly causing damage; or (3) intentionally accessing a protected computer without authorization, and as a result of such conduct, causing damage and loss.105

Section (a)(5) is among the more commonly prosecuted and litigated provisions of the CFAA, as it covers a wide range of actions, including the deployment of viruses and malware, denial-of-service attacks, and deletion of data. The three subsections of (a)(5) are quite different, and therefore we will examine each separately.

5.1.3.5.1 CFAA Section (a)(5)(A): Knowing Transmission that Intentionally Damages a Computer Without Authorization

Section (a)(5)(A) requires prosecutors (or private plaintiffs) to demonstrate four general elements: that the defendant (1) knowingly caused the transmission of a program, information, code, or command; (2) and as a result of such conduct, intentionally caused (3) damage to a protected computer; (4) without authorization.

The first element requires a demonstration that the defendant knowingly caused the transmission of a program, information, code, or command. The biggest hurdle for satisfying this element is a demonstration that a transmission occurred, though courts generally have interpreted this to cover a fairly wide range of activities. For instance, in International Airport Centers, LLC v. Citrin,106 a company filed a Section (a)(5)(A) civil claim against a former employee who allegedly deleted proprietary company data from his laptop before quitting and starting his own business.107 The former employee also installed a secure-erasure program that ensured that the files could not be recovered.108 The former employee argued that the claim should be dismissed because merely deleting a file does not constitute a “transmission” under the CFAA. The U.S. Court of Appeals for the Seventh Circuit agreed it might be “stretching the statute too far” to hold that merely pressing “delete” – and nothing more – constitutes “transmission.” However, the court allowed the claim to proceed because the installation of the secure-erasure program did constitute “transmission.”109 The Citrin opinion, which has been widely cited in other CFAA cases, demonstrates that, although courts consider many types of acts to be “transmission,” there are some limits to the term's scope.

The second element requires the government or plaintiff to demonstrate that as a result of the knowing transmission, the defendant intended to damage a protected computer. It is important to keep in mind that this requirement is separate from the first element; not only must the government or plaintiff establish a knowing transmission, it also must demonstrate intentional damage. Although the CFAA does not define “intentional,” courts generally have held that it requires a greater showing than a “knowing” act. For instance, the U.S. Court of Appeals for the Third Circuit has defined “intentionally,” in the context of Section (a)(5), as “performing an act deliberately and not by accident.”110 In perhaps the most extensive discussion of the requirement to demonstrate intentional causation of damage, the U.S. Court of Appeals for the Sixth Circuit considered a civil lawsuit by a homebuilder against a labor union that organized an extensive email campaign, which the company claimed clogged employee inboxes and brought business to a standstill.111 Relying on the dictionary definition, the Sixth Circuit, in Pulte Homes, Inc. v. Laborers' International Union of North America, concluded that in the context of the CFAA, “intentionally” means acting “with the conscious purpose of causing damage (in a statutory sense)” to a computer system.112 Applying that definition, the court reasoned that the union acted intentionally because it instructed thousands of union members to email three of the company's executives and urged union members to “fight back.” The court reasoned that such language “suggests that such a slow-down was at least one of its objectives.”113 These opinions suggest that as long as there is some credible evidence that the defendant committed the act with the purpose of causing damage, courts will conclude that the “intentional” requirement is satisfied.

The third element requires the government or plaintiff to demonstrate that the defendant caused damage to a protected computer. The CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.”114 A federal court in Illinois, after reviewing nationwide CFAA cases, concluded that “damage” includes “the destruction, corruption, or deletion of electronic files, the physical destruction of a hard drive, or any diminution in the completeness or usability of the data on a computer system.”115 Although this is a fairly broad definition, it has some limits. For instance, in New South Equipment Mats, LLC v. Keener,116 a federal judge in Mississippi dismissed a Section (a)(5) claim against a former employee who allegedly copied confidential business information but did not delete or modify the data on the company's computers.117 The court concluded that because the company did not allege anything more than merely copying the information, it could not demonstrate that the former employee caused damage.118 In contrast, in the Pulte case, the Sixth Circuit concluded that the email campaign did cause damage to Pulte because it disrupted the company's operations and prevented it from fully using its computer systems.119 Although there is little binding precedent on the exact definition of “damage,” these court opinions suggest that any harm to the original data or computer system, including an inability to access, likely will qualify as “damage,” but merely copying data will not.

The fourth and final element is that the damage must have occurred without authorization. This typically does not present a significant issue in claims under Section (a)(5)(A) because the government or plaintiff must only demonstrate that the damage – not the access – was not authorized.120

5.1.3.5.2 CFAA Section (a)(5)(B): Intentional Access Without Authorization that Recklessly Causes Damage

Section (a)(5)(B) requires prosecutors to demonstrate three general elements: (1) intentional access of a protected computer; (2) without authorization; and (3) as a result of the access, recklessly causes damage. This is a very different crime from Section (a)(5)(A). In short, Section (a)(5)(B) focuses on whether the access was intentional and unauthorized, while Section (a)(5)(A) focuses on whether the damage was intentional and unauthorized.

The first element, intentional access of a protected computer, focuses on whether the access was intentional. In contrast, Section (a)(5)(A) only applies if the defendant intended to cause damage. In other words, the inquiry into intent under Section (a)(5)(B) is whether the defendant intentionally accessed a protected computer. Whether the defendant intended to cause damage is irrelevant to a prosecution or civil action under Section (a)(5)(B).

The second element requires a demonstration that the intentional access was without authorization. Again, this differs from Section (a)(5)(A), which focuses on whether the damage was authorized. Section (a)(5)(B)'s authorized access requirement also is narrower than the access provisions of other sections of the CFAA. Other sections, such as Section (a)(2), apply to acts that are done either without authorization or exceeding authorized access, but Section (a)(5) only applies to the first category. These terms are discussed more generally in Section 5.1.2 of this chapter, but they have special significance for this provision of the CFAA because it does not apply to exceeding authorized access. One court concluded that “without authorization” only applies to people who have “no rights, limited or otherwise, to access the computer in question.”121 The Sixth Circuit in Pulte, which, as discussed above, had ruled that the company had stated a viable claim under Section (a)(5)(A), dismissed the company's claim under Section (a)(5)(B).122 The court reasoned that because the company allows the general public to contact its employees via email, it could not allege that the union encouraged people to access its computer systems without authorization.123

The third element requires the government or plaintiff to demonstrate that the intentional, unauthorized access recklessly caused damage. The definition of “damage” generally is the same as was discussed above for Section (a)(5)(A). The key difference is that for a claim under Section (a)(5)(B), the damage must have been caused recklessly. The CFAA does not define “recklessly,” nor is there a significant discussion of the term in precedential CFAA cases. The Model Penal Code, which many states have adopted as the framework for their criminal laws, states that a person acts recklessly “when he consciously disregards a substantial and unjustifiable risk that the material element exists or will result from his conduct.”124 Applying this definition to Section (a)(5)(B), a person recklessly causes damage if she consciously disregards a large risk of damage created by her unauthorized, intentional access to a computer system.

Often, individuals will be found to have violated both Sections (a)(5)(A) and (a)(5)(B) with a single act. For instance, in the Citrin case described above, in which the Seventh Circuit concluded that the defendant violated Section (a)(5)(A) by deleting his former employers' files and installing a secure erasure program to permanently wipe the memory, the court concluded that the defendant also violated Section (a)(5)(B). The court concluded that he did not have authorized access after his employment terminated, and that his intentional access recklessly caused damage because “he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee.”125

5.1.3.5.3 CFAA Section (a)(5)(C): Intentional Access Without Authorization that Causes Damage and Loss

Section (a)(5)(C) requires prosecutors to demonstrate three general elements: (1) intentional access of a protected computer; (2) without authorization; and (3) as a result of the access, causes damage and loss.

Section (a)(5)(C) is quite similar to Section (a)(5)(B), with two key differences: Section (a)(5)(C) applies even if the damage was not recklessly caused, therefore allowing it to apply to a wider range of actions. However, Section (a)(5)(C) only applies if the defendant caused both damage and loss, while Section (a)(5)(B) only requires a showing of damage. “Loss” under the CFAA includes any reasonable costs to the victim, though courts have a wide range of opinions as to what costs qualify as “losses” under the CFAA. The next subsection, which covers the requirements for misdemeanors and felony convictions under Section (a)(5), explains how courts have defined “loss” for the purposes of CFAA cases.

5.1.3.5.4 CFAA Section (a)(5): Requirements for Felony and Misdemeanor Cases

Congress has repeatedly amended the maximum criminal penalties under Section (a)(5), and it currently is among the most complex sentencing structures under the CFAA. Any violation of Section (a)(5) can be charged as a misdemeanor, punishable by a fine and up to a year in prison. However, if prosecutors seek more than a year in prison, they must charge the defendant with a felony. Section (a)(5) only allows felony charges in certain situations.

First-Time Violations of Sections (a)(5)(A) or (a)(5)(B), without Aggravating Factors

To convict a defendant of a felony under Sections (a)(5)(A) and (a)(5)(B), if the defendant had not been convicted under the CFAA before committing the act, prosecutors must demonstrate that the offense caused one of the following:

  • loss to one or more persons during a single year, totaling at least $5000 in value;
  • the “modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of at least one individual”;
  • physical injury;
  • a threat to public health or safety;
  • damage to a federal government computer “in furtherance of the administration of justice, national defense, or national security”; or
  • damage to ten or more protected computers during a single year.126

If the government can establish one of these forms of harm, it can seek a fine and imprisonment of up to ten years under Section (a)(5)(A), and a fine and imprisonment of up to five years under Section (a)(5)(B). If the government cannot establish one of those forms of harm, these violations are punishable as misdemeanors, with a fine and up to a year in prison.

According to the Justice Department's Computer Crime manual, felonies under Sections (a)(5)(A) and (a)(5)(B) are most often charged under the first scenario: causing a loss to one or more persons of at least $5000 over a one-year period.127

When courts determine whether a Section (a)(5) charge is punishable as a felony due to a loss, they must decide whether the government has adequately alleged at least $5000 in losses. Until 2001, the CFAA did not explicitly define “loss,” leading courts to develop a fairly wide range of definitions. Congress's 2001 amendments that defined “loss” were modeled after an opinion issued a year earlier by the U.S. Court of Appeals for the Ninth Circuit, United States v. Middleton.128 The government brought a Section (a)(5)(A) charge against Nicholas Middleton, the former employee of an Internet service provider. After leaving the ISP, he accessed an administrative account to create new accounts, change administrative passwords, modify the computer's registry, and delete the ISP's billing system and other databases.129 The ISP devoted significant staff time to repairing the damage that Middleton caused, and purchased new software. At his criminal trial, the judge denied his request to instruct the jury as to the meaning of “damage,” and he was convicted of a Section (a)(5)(A) violation.

On appeal, Middleton argued that the government had not demonstrated that he caused at least $5000 in damages. The government had alleged that he caused approximately $10,000 in damages, and it arrived at this estimate by calculating the amount of time that each employee spent on remediation, multiplying it by their hourly rates, and adding the costs of the consultant and the new software.130 Middleton asserted that this method was incorrect because at least one of the employees was paid a fixed salary, and the ISP therefore did not pay any additional amount for the employee to fix the damage. The Ninth Circuit agreed with the government's calculation, and concluded that whether the employee is hourly or salaried is irrelevant; the proper question is “whether the amount of time spent by the employees and their imputed hourly rates were reasonable for the repair tasks that they performed[.]”131 Applying that definition to Middleton's case, the Ninth Circuit concluded that the jury was reasonable to find that Middleton's actions caused at least $5000 in losses.132

The 2001 amendments to the CFAA, based on Middleton and included in the USA Patriot Act, define “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”133 Few published opinions in Section (a)(5) criminal cases have interpreted this definition, partly because it is so broad that there is little dispute as to what sorts of harms are covered. However, there has been some dispute about its application in CFAA civil cases, which are discussed in Section 5.1.4 of this chapter.

First-Time Violations of Section (a)(5)(C)

Unlike the two other crimes in Section (a)(5), Section (a)(5)(C) does not provide for felony charges for first-time offenders. If a defendant has not been convicted of any other CFAA crime before violating Section (a)(5)(C), the government can only charge the defendant with a misdemeanor, punishable by a fine and up to a year in prison.

Repeat Violations under Section (a)(5)

If the defendant had been convicted of a CFAA crime before violating Section (a)(5), the penalties will be higher (and, in the cases of Sections (a)(5)(A) and (a)(5)(B), do not require proof of at least $5000 in losses or the five other scenarios described above). A defendant previously convicted of a CFAA crime can be sentenced to a fine and up to twenty years in prison for violations of Section (a)(5)(A) and (a)(5)(B), and a fine and up to ten years in prison for violations of Section (a)(5)(C).

Aggravating Factors

In certain cases, an individual convicted of a Section (a)(5)(A) violation can receive a greater sentence, regardless of whether it is a first-time offense or the size of the losses caused by the hacking. If the defendant attempted to cause or knowingly or recklessly caused serious bodily injury via a Section (a)(5)(A) violation, she may be sentenced to a fine or up to twenty years in prison. If the defendant attempted to cause or knowingly or recklessly caused death via a Section (a)(5)(A) violation, she can be sentenced to a fine and up to a life term in prison.

5.1.3.6 CFAA Section (a)(6): Trafficking in Passwords

Section (a)(6) of the CFAA prohibits individuals from knowingly, and with the intent to defraud, trafficking in passwords or similar information through which a computer can be accessed without authorization, provided that the trafficking either affects interstate or foreign commerce, or the computer is used by or for the federal government. Because of the relatively small penalties attached to Section (a)(6), it is among the less commonly prosecuted and litigated sections of the CFAA.

Congress added Section (a)(6) to the CFAA in 1986, out of concern that hackers were using “pirate bulletin boards” to share victims' passwords.134

Section (a)(6) is intended to broadly define the term “password,” and cover a wide range of information that can be used to access a computer. The Senate Judiciary Committee's report accompanying the 1986 bill clarified that the legislators intended to not only protect the single string of characters commonly thought of as a “password” but also intended to cover “longer more detailed explanations on how to access others' computers.”

In the rare instances in which courts have written opinions interpreting Section (a)(6), there occasionally has been a dispute about the meaning of “trafficking.” Section (a)(6) defines “traffic” as “transfer, or otherwise to dispose of, to another, or obtain control of with intent to transfer or dispose of.” This is a fairly broad definition of “traffic,” and it does not require evidence that the defendant sold the password or information for money. However, the defendant will not be liable for receiving passwords. For instance, in State Analysis v. American Financial Services,135 a federal judge dismissed a Section (a)(6) civil lawsuit filed by a database provider against a company that allegedly received a password for the database from another source. The court reasoned that such behavior does not qualify as “trafficking” for the purposes of the CFAA.136

Even if the defendant trafficked in passwords, Section (a)(6) only applies if the prosecutor or plaintiff can demonstrate that the defendant did so with an intent to defraud. In AtPac, Inc. v. Aptitude Solutions, Inc.,137 Nevada County, California, was transitioning software service providers, from AtPac to Aptitude Solutions. To make the transition easier, Nevada County requested that AtPac provide Aptitude with a user account, allowing Aptitude to access the county's data. Nevertheless, a county employee created a log-in account on AtPac's system and provided it to Aptitude. AtPac sued the county and Aptitude for violating Section (a)(6). The district court swiftly dismissed this claim. The court noted that merely providing another person with a password is not prohibited by Section (a)(6). That provision only applies, the court noted, if the defendant intended to defraud. Although the County employee's actions might have violated AtPac's license agreement, the court reasoned, there was no evidence that the County intended to defraud AtPac. The County's actions were “not the sort of fraud Congress envisioned when it made password trafficking subject to criminal penalties,” the court wrote.138

Moreover, Section (a)(6) only applies if the trafficked password allows a computer to be accessed without authorization. The AtPac court concluded that this also provided it with a reason to dismiss the lawsuit. The court determined that under the CFAA, “a person cannot access a computer ‘without authorization’ if the gatekeeper has given them permission to use it.”139 AtPac had already given the County permission to log in to the server. The court wrote that it “cannot conclude that Congress intended to impose criminal liability on third parties just because a computer licensee violates a license agreement.”140

If the defendant has not been convicted of a CFAA violation before violating Section (a)(6), the defendant can be sentenced to a fine and no more than a year in prison. If the defendant had been convicted of a CFAA violation before violating Section (a)(6), the defendant can be sentenced to a fine and up to ten years in prison.

5.1.3.7 CFAA Section (a)(7): Threatening to Damage or Obtain Information from a Computer

Section (a)(7) prohibits individuals from transmitting in interstate or foreign commerce any communication containing three types of threats or demands: (1) a threat to damage a protected computer; (2) a threat to obtain information from a protected computer without authorization or in excess of authorization or to “impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access”; or (3) a demand or request for “money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion.”141 Section (a)(7) only applies if the defendant was acting with intent to extort from any person any money or other thing of value.

Unlike Sections (a)(1)–(a)(5), Section (a)(7)'s applicability does not depend on whether the defendant actually accessed, damaged, or obtained information from a computer. Instead, Section (a)(7) applies to the defendant's attempt to extort money from a victim by threatening a computer crime.

Section (a)(7) addresses a crime similar to one prohibited by the Hobbs Act, a 1948 federal extortion law. That statute imposes a sentence of a fine and up to twenty years in prison on any individual who “threatens physical violence to any person or property.”142 In the 1996 Senate Report accompanying the CFAA amendments, Section (a)(7)'s authors wrote that Section (a)(7) was necessary because the term “property” in the Hobbs Act “does not clearly include the operation of a computer, the data or programs stored in a computer or its peripheral equipment, or the decoding keys to encrypted data.”143 The government likely could attempt to argue that computers, networks, and data are property under the Hobbs Act, but it wanted a more direct route to prosecute online extortionists that would present less legal uncertainty. In fact, defendants who are charged with violating Section (a)(7) often also are charged with violating the Hobbs Act.

Section (a)(7) is relatively new to the CFAA. Congress added the provision in 1996, after the U.S. Justice Department reported that hackers had increasingly made threats to penetrate computer systems. In the Senate report accompanying the 1996 amendments to the CFAA, the legislators expressed a desire to “address a new and emerging problem of computer-age blackmail.”144

In fact, Congress's motivations for amending the CFAA appear to be quite prescient more than two decades later. As Congress explained:

One can imagine situations in which hackers penetrate a system, encrypt a database and then demand money for the decoding key. This new provision would ensure law enforcement's ability to prosecute modern-day blackmailers, who threaten to harm or shut down computer networks unless their extortion demands are met.145

Sound familiar? Twenty years after Congress enacted Section (a)(7), ransomware became among the most concerning trends in cybersecurity. Theoretically, Section (a)(7) provides a very direct mechanism to bring criminal and civil actions against hackers that have used ransomware to attempt to extort money from companies and individuals. However, many of the most egregious ransomware distributors hide behind well-masked anonymity, making prosecutions and civil lawsuits quite difficult. They use Bitcoin as the payment currency, further cloaking their identity and the ability to be tracked by law enforcement.

Ransomware – and other extortion attempts – often originate from other countries. Congress contemplated this problem in 1996 when it drafted Section (a)(7), and explicitly stated that it covers threats used in both interstate and foreign commerce. The government used this ability to prosecute foreign extortionists in United States v. Ivanov.146 Aleksey Ivanov allegedly hacked into the computer system of a Connecticut company that processes online retailers' credit card transactions. While he was located in Russia or another former Soviet bloc country, Ivanov emailed the company to inform them that he obtained its system administrator root passwords, threatened to destroy its database, and demanded $10,000.147 Among the email messages that he sent was the following:

[name redacted], now imagine please Somebody hack you network (and not notify you about this), he download Atomic software with more than 300 merchants, transfer money, and after this did ‘rm-rf/’ and after this you company be ruined. I don't want this, and because this i notify you about possible hack in you network, if you want you can hire me and im allways be check security in you network. What you think about this?148

Ivanov was indicted in federal court in Connecticut on eight counts, including a violation of Section (a)(7). Ivanov filed a motion to dismiss the indictment, arguing that because he was in Russia or another Soviet bloc country at the time of the alleged email threats, the CFAA and other statutes could not apply to him. The district court denied this motion for two reasons. First, it reasoned that if an individual violates a law with the intent to cause effects within the United States, then U.S. courts have jurisdiction to hear criminal cases involving that action.149 Ivanov allegedly transmitted a threat to a company located in Connecticut, and threatened to further damage its computers, also located in Connecticut.150 Second, the court concluded that Section (a)(7)'s explicit reference to computers used in “foreign” commerce demonstrated an intent of Congress to apply the statute extraterritorially.151

Courts have generally required a Section (a)(7) indictment or civil claim to provide proof of an explicit threat. Merely hacking to cause damage or obtain information will not sustain a Section (a)(7) claim, even if that action violates other parts of the CFAA. In Ivanov's case, the email was clear proof of an explicit threat that violates Section (a)(7).

In other cases, however, the evidence of a threat is not as compelling. In Vaquero Energy v. Herda,152 Vaquero Energy, an oil and gas collection and installations company, hired Jeff Herda to provide information technology support. Vaquero Energy alleges that Herda and his company changed the passwords to critical SCADA systems and devices without Vaquero Energy's permission.153 Vaquero Energy claimed that it asked Herda to provide all of its log-ins and passwords, but Herda provided incomplete information, and that he later stopped providing services to the company. Vaquero Energy claimed that its lack of password information left its systems vulnerable and insecure, and sued Herda under a number of statutes, including Section (a)(7) of the CFAA. In a preliminary injunction order, the court concluded that the Section (a)(7) claim was unlikely to succeed on the merits because Vaquero Energy did not allege that Herda made a threat or demand. Although Vaquero Energy's lawyer demanded that Herda provide the passwords, and Herda responded, the court concluded that this exchange did not constitute a demand or threat made by Herda.154 Moreover, the court found that the claim also failed because there was no allegation that Herda changed the password in order to extort money. The Vaquero Energy case demonstrates the need for prosecutors and civil litigants to allege a specific threat and intent to extort money.

A defendant who is convicted of a violation of Section (a)(7) faces a fine and up to five years in prison. If the defendant had been convicted of a CFAA offense before violating Section (a)(7), the defendant faces a fine and up to ten years in prison.

5.1.4 Civil Actions under the CFAA

Although the CFAA is primarily a criminal statute that is enforced by federal prosecutors, the statute allows certain private parties that have suffered a damage or loss by CFAA violations to bring civil actions against the violators. Indeed, many of the CFAA cases discussed in this section involve civil litigation between two private parties. This is partly due to the nature of the acts that constitute CFAA violations: obtaining information or causing damage without proper authorization. These actions often cause significant harm to companies, and they understandably seek compensation. Moreover, private CFAA claims often arise in larger disputes with former employees who later work for a competitor.

CFAA lawsuits must be brought within two years of the harmful act, or the date of discovery of the damage.155 The statute prohibits private CFAA lawsuits that arise from the negligent design or manufacture of hardware, software, or firmware.

The CFAA only allows private litigants to sue if they have suffered a “damage” or “loss.” The CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information,”156 and defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”157

Courts generally have applied broad definitions of these terms, and allowed a fairly wide range of plaintiffs to sue. For instance, in the Shurgard Storage Centers case, discussed in Section 5.1.3.4 of this chapter, the plaintiff alleged that its former employees' use of its computer systems to send trade secrets to the defendant, its competitor, caused damages under the CFAA.158 The defendant contended that these actions did not constitute “damage” because there was not any impairment to the integrity or availability of the data or information, as required in the statute.159 The court acknowledged that the term “integrity,” in this context, is ambiguous. To resolve the dispute, the court looked to the Senate report accompanying the 1996 CFAA amendments, which changed the definition of “damage.” The Senate wrote that it intended the term “damage” to include the theft of information – such as passwords – even if the original data was not altered or rendered inaccessible. Applying this broad definition of “damage” to Shurgard Storage's claims, the court concluded that even though the confidential business information remained intact and unharmed on the company's computers, the data's integrity was impaired because it was stolen. Therefore, the court held that the plaintiffs had sufficiently alleged damages under CFAA.160

Even if private parties have suffered a damage or loss, they may only bring CFAA lawsuits in certain circumstances. To establish the right to file a civil action, the plaintiff must allege that the CFAA violation resulted in one of the following:

  • loss to at least one person, totaling at least $5000 in value during a one-year period;
  • the actual or potential modification or impairment of the medical examination, diagnosis, treatment, or care of at least one individual;
  • physical injury;
  • a threat to public health or safety; or
  • damage affecting a federal government computer in furtherance of the administration of justice, national defense, or national security.161

If the lawsuit alleges only a loss to a person that totals at least $5000 in damages, the plaintiff may only recover economic damages. However, if the lawsuit alleges any of the four other types of harms arising from the CFAA violation, the plaintiff may obtain compensatory damages, injunctive relief, and other equitable relief.162

In some CFAA civil actions seeking economic damages for losses, courts have grappled with what constitutes at least “$5000 in value.” The statute provides a right to economic damages if the offense caused “loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value.”163

For instance, in Creative Computing v. Getloaded.com LLC,164 the Ninth Circuit considered a civil action under Section (a)(4) that the operator of an online trucking services website, Creative Computing, filed against a competitor, Getloaded.com. Creative Computing alleged that Getloaded.com used its customers' credentials to log in to Creative Computing's website and obtain information. Creative Computing also alleged that Getloaded.com's officers hacked Creative Computing's website code, and hired a Creative Computing employee, who downloaded customer data and other confidential information.165 With all of this data, Creative Computing alleged, Getloaded.com attempted to replicate Creative Computing's website and business model. Getloaded.com sought to dismiss the lawsuit, arguing that the CFAA only allows civil damages if the plaintiff suffered at least $5000 in damages from each instance of unauthorized access.166 The Ninth Circuit rejected this reading of the statute, holding that the $5000 minimum “applies to how much damage or loss there is to the victim over a one-year period, not from a particular intrusion.”167 In other words, if Company A hacks Company B's website 10,000 times during a year, each time causing $1 in damage, Company B could sue Company A for CFAA violations. If, however, each hack caused 25 cents in damage, Company B could not sue Company A because the total damage would be less than $5000.

5.1.5 Criticisms of the CFAA

Companies, government agencies, and advocacy groups have criticized the CFAA and presented many proposals to amend – and in some cases, repeal – the statute. Some argue that the CFAA is far too punitive in light of the relatively minor acts that it prohibits, while others argue that it does not effectively prevent some of the most pressing cybersecurity threats.

Among the most prominent criticisms of the CFAA is one that comes from advocacy groups and some legislators, who argue that the CFAA imposes significant criminal penalties on technical violations of the CFAA that do little or no harm to people or property. Perhaps their most compelling argument comes from the case of Aaron Swartz, who as a teenager helped develop Reddit and the technology underlying RSS news feeds. Throughout his teens and twenties, Swartz was an active member of the CopyLeft movement, which challenged the ability of companies to control the distribution of their materials on the Internet.

In 2010, Swartz, while working at a laboratory at Harvard, connected a computer to the Massachusetts Institute of Technology's network and, without the school's approval, downloaded millions of academic articles via the school's access to JSTOR, a proprietary database. In 2011, Swartz was arrested, and later indicted in federal court for eleven counts under CFAA Sections (a)(2), (a)(4), and (a)(5), as well as two counts of wire fraud, exposing Swartz to up to thirty-five years in prison.168 In 2013, at age 26, Swartz committed suicide. A number of critics used this tragedy to highlight what they viewed as significant problems with the CFAA.

Justin Peters, in Slate, wrote that the Swartz suicide demonstrates the “disproportionate” nature of U.S. computer crime laws, and “the laxity with which these laws have been conceived and amended – and the increasing severity of their corresponding penalties – has had serious consequences.”169 Sen. Ron Wyden introduced Aaron's Law, which would make the following changes to the CFAA:

  • explicitly adopt the narrower Nosal reading of “exceeds authorized access” and clarify that merely violating an agreement does not trigger the CFAA;
  • prevent a defendant from being liable for multiple CFAA counts arising from a single incident; and
  • prevent the prosecution for a single act under both the CFAA and state hacking laws.170

Cybersecurity researchers also are among the most vocal critics of the CFAA.171 They argue that the rigid requirements of many CFAA sections have a chilling effect on researchers who seek to help companies find and patch vulnerabilities in their systems and networks. Zach Lanier, a cybersecurity researcher, told the Guardian newspaper in 2014 that after he informed a device maker of a security vulnerability that he discovered, he received a response from the device maker's lawyer, who claimed that Lanier violated the CFAA. Lanier said that this threat caused him to abandon the research on this flaw. “The looming threat of CFAA as ammunition for anyone to use willy-nilly was enough,” Lanier told the Guardian, “and had a chilling effect on our research.”172

Cybersecurity professionals also criticize the CFAA for limiting their ability to engage in active defense of their computers and networks (also known as “hacking back”). Consider a company that is barraged with attacks from a specific set of IP addresses. That company's information security professionals might be tempted to counterattack, in an attempt to knock the adversary offline. Unfortunately for the company, such responses pose a very real risk of violating Section (a)(5) of the CFAA. Critics of “hacking back” assert that it is difficult to attribute the source of an attack with 100 percent certainty, and therefore the retaliatory actions could hurt innocent bystanders. For instance, Robert M. Lee, co-founder of Dragos Security LLC, said that if “organizations cannot effectively run defense programs and tackle the security basics, they cannot run an effective offensive program.”173 They argue that the CFAA correctly prohibits individuals and companies from taking the law into their own hands.

On the other side of the spectrum, some critics argue that the CFAA does not adequately protect the United States against emerging threats, such as botnets and the 2014 attack by North Korea on Sony Pictures Entertainment. In 2015, President Obama responded to these concerns by introducing a bill to update the CFAA. His proposal would explicitly criminalize the sale of “means of access,” such as botnets, and increase the penalties for certain CFAA violations. The proposal also would define “exceeds authorized access” as occurring when an individual accesses, obtains, or alters information if the individual “is not entitled to obtain or alter,” or “for a purpose that the accesser knows is not authorized by the computer owner.”

Neither Aaron's Law nor the White House proposal had been enacted by Congress as of the publication of this book, though it is likely that there will be continued efforts to amend the CFAA.

5.2 State Computer Hacking Laws

Most states also have similar anti-hacking laws that apply to hacking that occurs within their boundaries.174 Some state laws predate the CFAA, and often prohibit activities that are not addressed by the CFAA. Therefore, if you are considering the legal implications of computer fraud or hacking, you must consider not only the CFAA but the state law.

To illustrate the requirements of some state computer hacking laws – and the key differences with the CFAA – it is useful to examine California Penal Code 502, one of the most prominent and commonly prosecuted state computer crime laws. California Penal Code 502 explicitly penalizes 14 types of computer-related actions. California Penal Code 502, edited slightly below for clarity and brevity, prohibits any of the following acts, provided that they were committed knowingly:

  1. Accessing and without permission altering, damaging, deleting, destroying, or otherwise using any data, computer, computer system, or computer network in order to either (a) devise or execute any scheme or artifice to defraud, deceive, or extort, or (b) wrongfully control or obtain money, property, or data.
  2. Accessing and without permission taking, copying, or making use of any data from a computer, computer system, or computer network, or taking or copying any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.
  3. Without permission using or causing to be used computer services.
  4. Accessing and without permission adding, altering, damaging, deleting, or destroying any data, computer software, or computer programs that reside or exist internal or external to a computer, computer system, or computer network.
  5. Without permission disrupting or causing the disruption of computer services or denying or causing the denial of computer services to an authorized user of a computer, computer system, or computer network.
  6. Without permission providing or assisting in providing a means of accessing a computer, computer system, or computer network.
  7. Without permission accessing or causing to be accessed any computer, computer system, or computer network.
  8. Introducing any computer contaminant into any computer, computer system, or computer network.
  9. Without permission using the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages or posts and thereby damaging or causing damage to a computer, computer data, computer system, or computer network.
  10. Without permission disrupting or causing the disruption of government computer services or denying or causing the denial of government computer services to an authorized user of a government computer, computer system, or computer network.
  11. Accessing and without permission adding, altering, damaging, deleting, or destroying any data, computer software, or computer programs that reside or exist internal or external to a public safety infrastructure computer system computer, computer system, or computer network.
  12. Without permission disrupting or causing the disruption of public safety infrastructure or denying or causing the denial of computer services to an authorized user of a public safety infrastructure computer system computer, computer system, or computer network.
  13. Without permission providing or assisting in providing a means of accessing a computer, computer system, or public safety infrastructure computer system computer, computer system, or computer network in violation of this section.
  14. Introducing any computer contaminant into any public safety infrastructure computer system computer, computer system, or computer network.175

Like the CFAA, California Penal Code 502 provides hacking victims with the ability to sue individuals who violate this statute and cause damage or loss.176

The most striking difference between Cal. Penal Code 502 and the CFAA is that the California law enumerates twice as many prohibited acts. However, the statutes prohibit many of the same types of actions, though the California law is more specific, in part because it has been amended six times since 2000 and more directly addresses new technological issues. For instance, sections 4, 5, 10, 11, 12, and 14 all involve damage to computers, systems, or data, and many of these acts likely could fall under the broader umbrella of CFAA Section (a)(5).

The California hacking law also covers actions that the CFAA does not explicitly address. For instance, the prohibition in section 3 of the California law – related to the use of computer services without permission – criminalizes the theft of services such as email and cloud storage. The CFAA does not directly address such a crime, though in some cases it could be covered under Section (a)(2)'s prohibitions regarding obtaining information. Likewise, Section 9 of the California law explicitly prohibits hacking Internet domain names to send spam. Although the CFAA does not address spam, there is a reasonable argument that in some cases, such activities cause damage in violation of Section (a)(5) of the CFAA.

Perhaps the largest overall difference between the California law and the CFAA is the type of access required to trigger the law's prohibition. As discussed above, the CFAA applies to acts that are done either without authorization or exceeding authorized access. In contrast, the California hacking law applies to access that is done knowingly and “without permission.”

Unfortunately, the definition of “without permission” is not entirely clear. The statute does not define the term, and the California Supreme Court – which has the final authority in interpreting California state laws – has not weighed in on the issue. However, federal judges interpreting the California statute in civil cases have reached opposite conclusions.

In a 2007 case, Facebook, Inc. v. ConnectU,177 a California federal judge held that ConnectU, a Facebook competitor, violated Section 502 by accessing the email addresses of millions of Facebook users, in violation of Facebook's terms of use. ConnectU argued that private companies such as Facebook should not be permitted to dictate terms of service that could lead to criminal penalties. The judge rejected this argument, reasoning that “[t]he fact that private parties are free to set the conditions on which they will grant such permission does not mean that private parties are defining what is criminal and what is not.”178

A different judge from the same court rejected that reasoning in a 2010 case, Facebook, Inc. v. Power Ventures, Inc.,179 concluding that “allowing violations of terms of use to fall within the ambit of the statutory term ‘without permission’ does essentially place in private hands unbridled discretion to determine the scope of criminal liability recognized under the statute. If the issue of permission to access or use a website depends on adhering to unilaterally imposed contractual terms, the website or computer system administrator has the power to determine which actions may expose a user to criminal liability.” Rather than looking at the terms of use to determine whether access was without permission, the judge stated that access without permission is that which “circumvents technical or code-based barriers that a computer network or website administrator erects to restrict the user's privileges within the system, or to bar the user from the system altogether.”180

If the California Supreme Court were to eventually adopt the ConnectU reasoning, Cal. Penal Code 502 would be just as broad as – if not broader than – even the most expansive interpretations of the CFAA. However, the Power Ventures interpretation of Cal. Penal Code 502 is even more restrictive than the narrow interpretations of the CFAA. For now, there is little certainty for individuals and companies in California, as neither interpretation is binding on any other judge in California.

5.3 Section 1201 of the Digital Millennium Copyright Act

Since the founding of the United States, laws have provided the authors of creative works and expressions with a copyright, which gives them a limited right to control the distribution, publication, and performance of their works. The U.S. Constitution encourages such protection, providing Congress with the ability to “promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries.”181 For more than two centuries, copyright law has been an integral part of the economic framework for producing books, newspapers, music, movies, and other creative expression. U.S. copyright law provides the creators of content with certain exclusive rights to control the republication, performance, and other uses of their content for a limited duration. Over the past two decades, as content such as books, music, and videos has increasingly moved online, Congress and regulators have grappled with determining how to apply copyright law to the Internet.

Section 1201 of the Digital Millennium Copyright Act restricts the ability of individuals to circumvent access controls that protect copyrighted material. Unlike other provisions in U.S. copyright law, which protect the rights of copyright owners to control the distribution, performance, copying, and other use of their protected works, Section 1201 protects the technology that companies use to control access to their works. Because of this close nexus with technology, Section 1201 is deeply intertwined with cybersecurity. Like the CFAA, it restricts the ability of individuals to access digital materials. However, it also has received a great deal of criticism for making it more difficult to perform vulnerability testing and other security research on any products, software, or services that contain access controls.

5.3.1 Origins of Section 1201 of the DMCA

In 1996, members of the World Intellectual Property Organization – including the United States – finalized the WIPO Copyright Treaty, which set common legal rules for copyright protection in the digital age. Among the provisions in the treaty was a requirement that participating nations “provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights.”182

In 1998, Congress enacted the Digital Millennium Copyright Act, which significantly amended U.S. copyright laws to implement the WIPO Copyright Treaty and, more generally, “to make digital networks safe places to disseminate and exploit copyrighted materials.”183 The law contains many important and noteworthy provisions, such as Section 512, which establishes a process by which websites and other online services may be notified of infringing content on their services, and must remove that content to avoid being sued for copyright infringement. For the purposes of cybersecurity, however, the most relevant DMCA provision is Section 1201.

Section 1201 of the DMCA is intended to satisfy the WIPO Copyright Treaty's requirement regarding circumvention. In the Senate report accompanying the DMCA, legislators stated that they intended to punish the circumvention of measures that are intended to protect copyrighted works, such as passwords, if the “primary purpose” of that circumvention is to break the control. The report states that such prohibitions are analogous to “making it illegal to break into a house using a tool, the primary purpose of which is to break into houses.”184

5.3.2 Three Key Provisions of Section 1201 of the DMCA

Section 1201 of the DMCA has three primary provisions that each restrict certain actions regarding access controls:

  • Section (a)(1) prohibits the act of circumventing technology that controls access to copyrighted material.
  • Section (a)(2) prohibits trafficking in technology that facilitates circumvention of access control measures.
  • Section (b)(1) prohibits trafficking in technology that facilitates circumvention of measures that protect against copyright infringement.

This subsection examines each of these restrictions, and how courts have interpreted them.

5.3.2.1 DMCA Section 1201(a)(1)

Section (a)(1) of the DMCA is perhaps the most direct and least controversial of the three sections. It prohibits individuals from circumventing “a technological measure that effectively controls access to a work” that is protected by copyright law.185

Congress included Section (a)(1) because, at the time the DMCA was passed, “the conduct of circumvention was never before made unlawful,” according to the Senate report accompanying the DMCA.186

At the outset, it is important to note that Section (a)(1) focuses solely on whether the defendant circumvented technology that protects a copyrighted work. As legislators stated when they drafted the DMCA, the types of actions prohibited by Section (a)(1) are analogous to “breaking into a locked room in order to obtain a copy of a book.”187 Section (a)(1) does not restrict subsequent use, performance, or distribution of the copyrighted materials that are obtained via this circumvention; those activities are protected in other provisions in U.S. copyright law.188

The statute explicitly states that a technological measure “effectively controls access to a work” if the measure, “in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.”189 Courts generally have broadly included many types of controls under this definition, and they typically do not require a high degree of technological sophistication for a control to qualify as a technological measure. For instance, in IMS Inquiry Management Systems, LTD v. Berkshire Information Systems, Inc.,190 the plaintiff, which offered a web-based system that companies use to track magazine advertising, alleged that its competitor accessed its service without authorization and copied content for use on its competing service. The plaintiff alleged that the competitor obtained the log-in credentials from a third party, in violation of the user agreement.191 The court concluded that the plaintiff's password protection constitutes an effective technological measure under Section (a)(1) because to access the plaintiff's service, “a user in the ordinary course of operation needs to enter a password, which is the application of information.”192

The more difficult question under Section (a)(1), however, is whether the defendant circumvented a technological measure. Alleging that the defendant infringed the copyright of a work that is protected by a technological measure is not, by itself, sufficient to sustain a Section (a)(1) claim.193 The statute defines “circumvent a technological measure” as “to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.”194 In the IMS case, the court concluded that the plaintiff failed to allege that the defendants circumvented a technological measure.195 The court reasoned that the plaintiff merely accused the defendant of using a valid password to access the site, and the defendant “is not said to have avoided or bypassed the deployed technological measure in the measure's gatekeeping capacity.”196 Avoiding permission to use the password, the court reasoned, is not the same as actively circumventing the password technology. The court noted that unlike the CFAA, which prohibits access based on whether it is authorized and injurious, the DMCA is focused on circumventing technology that protects copyrighted content.197

Indeed, courts have made clear that Section (a)(1) violations do not occur merely because a user violates an agreement. For instance, in Auto Inspection Services, Inc. v. Flint Auto Auction,198 the plaintiff, Auto Inspection Services, developed software for automobile inspections. One of its former customers, Flint Auto Auction (FAA), developed very similar software. One of the former FAA employees who helped develop the competing software testified that FAA provided him with a printout of Auto Inspection Services's software interface, and instructed him to design the software based on that interface.199 Auto Inspection Services sued FAA for, among other things, a violation of Section (a)(1), and sought a preliminary injunction to effectively block the use of FAA's software.200 The district court denied this request, concluding that Auto Inspection Services failed to provide any evidence that FAA circumvented a technological measure. Using a printout of a software interface to design competing software, the court held, is not the same thing as accessing source code, modifying the source code, or otherwise creating a derivative software program.201

Courts also require Section (a)(1) plaintiffs to allege in their complaints the specific technology that the defendant circumvented, and how that circumvention occurred. For instance, in LivePerson, Inc. v. 24/7 Customer, Inc.,202 LivePerson, which makes real-time interaction software for ecommerce companies, filed a number of claims against 24/7 Customer, a competitor. The two companies had worked together to provide services to some companies, and at one point LivePerson provided 24/7 Customer with a license to use LivePerson's software to serve customers. LivePerson alleges that 24/7 Customer developed competing technology, in part by accessing LivePerson's backend system and copying LivePerson's technology. In its complaint, LivePerson alleged that 24/7 used its access to LivePerson's systems to “observe, penetrate, and manipulate the operation of LivePerson's technology and download extensive data … in order … to reverse engineer and copy LivePerson's technology.”203 The court noted that LivePerson's complaint does not allege that 24/7 used reverse engineering to circumvent LivePerson's security measures but rather that “LivePerson believes that 24/7 breached its security measures in an effort to reverse engineer and misappropriate the proprietary technology and methodologies that LivePerson pioneered,” an allegation that the court concluded was not specific enough to constitute circumvention under the DMCA.204 The court also rejected LivePerson's assertion that 24/7's alleged mimicking of LivePerson in order to gain access to its system was a violation of Section (a)(7).205 In the cases in which courts have allowed Section (a)(1) claims to proceed, the court noted, the complaints explicitly described the technology that was designed to prevent unauthorized access to a copyrighted material. 
Merely alleging the circumvention of technology intended to protect copyrighted works, without specifying the technology and how it was circumvented, is insufficient to support a Section (a)(1) claim.

Unlike the CFAA and other statutes, Section (a)(1) does not explicitly require the defendant to have acted in a specific mental state (e.g., “knowingly” or “intentionally”) in order for the statute to apply to that conduct. However, courts generally will not allow a Section (a)(1) claim to move forward unless there is evidence that the defendant actively circumvented a technological measure that was designed to protect copyrighted material. If, for instance, the defendant accessed copyrighted material because the technological measure is not functioning properly, the plaintiff's claim likely will not succeed. In Healthcare Advocates, Inc. v. Harding, Earley, Follmer & Frailey,206 a law firm used the Internet Archive's Wayback Machine, www.archive.org, to investigate Healthcare Advocates, a company that was suing the firm's client for trademark infringement. The Wayback Machine archives old versions of publicly available websites. To access the archived content, users type in the web address, and are presented with the dates for which the site has been archived. Healthcare Advocates had placed a robots.txt file on its website, which was intended to prevent the Wayback Machine from archiving its old content. However, due to a malfunction with the Wayback Machine's servers, the previous versions of the Healthcare Advocates website were available when the law firm searched for them. Healthcare Advocates sued the law firm under Section (a)(1), alleging that the firm obtained the archived websites by “hacking.”207 The district court agreed with the plaintiff that, in this context, the robots.txt file constituted a technological measure, as it was intended to prevent public access to archived screenshots of the company's website. However, the court disagreed with Healthcare Advocates – and dismissed the Section (a)(1) claim on summary judgment – because Healthcare Advocates did not provide any evidence that the law firm circumvented the robots.txt file. The court reasoned that the law firm employees had no reason to know that Healthcare Advocates used robots.txt, and therefore “they could not avoid or bypass any protective measure, because nothing stood in the way of them viewing these screenshots.”208

Another common dispute that arises in Section (a)(1) cases is whether the access control that was circumvented protects materials that are covered by U.S. copyright law. A good illustration of this inquiry can be seen in the Eighth Circuit's decision, Davidson & Associates v. Jung.209 The plaintiff, a video game creator, offered an online gaming site, Battle.net, which allowed users to play the CD-ROMs that they purchased in the stores with other players online. To play games with other users on Battle.net, users were required to enter a “CD Key” that was included with CD-ROM games.210 The defendants organized the bnetd project, a nonprofit project that emulates Battle.net and allows users to play online. To make their alternative site compatible with the plaintiff's games, they used reverse engineering of the plaintiff's software to test the interoperability.211 Users were able to access the plaintiff's games on bnetd even if they did not have a valid CD Key.212 The plaintiff sued the bnetd developers and organizers under Sections (a)(1) and (a)(2). The plaintiff alleged that the defendants violated Section (a)(1) by circumventing the CD Key requirement, which controlled access to the plaintiff's games.213 The defendants argued that Battle.net is a functional process that is not protected by copyright because it does not constitute creative expression.214 The Eighth Circuit rejected this argument and affirmed the district court's ruling that the defendants violated Section (a)(1), reasoning that the only way that the appellants could have accessed the copyrighted material provided through Battle.net was by reverse engineering and circumventing the site.215

Section (a)(1) cases often are not as complex as cases involving the other two subsections of the DMCA because the scope is relatively clear. As the U.S. Court of Appeals for the Second Circuit noted in 2001, Section (a)(1) differs from the other two DMCA subsections “in that it targets the use of a circumvention technology, not the trafficking in such a technology.”216 As we will see next, the inquiry becomes much more complicated – and courts disagree more frequently – when the alleged DMCA violations arise from trafficking in circumvention technology.

5.3.2.2 DMCA Section 1201(a)(2)

Section 1201(a)(2) states that no person “shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof,” that:

  1. “is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access” to a copyrighted work;
  2. “has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access” to a copyrighted work; or
  3. “is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access” to a copyrighted work.217

In short, Section (a)(2) prohibits the trafficking of technology that is used to circumvent controls that protect copyrighted works.218 In contrast, Section (a)(1) prohibits the actual act of circumvention of those controls. In the Senate report accompanying the DMCA, the legislators stated that Section (a)(2) would provide a cause of action against a company that manufactured a device that was designed to circumvent a control that only allowed authorized individuals to access the plain text of a copyrighted work.219

The primary legal dispute that arises in Section (a)(2) cases is whether the technology trafficked actually facilitates copyright infringement or other violations of rights protected by the Copyright Act. The DMCA does not directly address this issue, though Section 1201(c)(1), somewhat cryptically, states that “[n]othing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use, under this title.”220 Section 1201(c)(1) can be read to merely prevent the anti-circumvention provisions from abrogating existing rights that owners and consumers have under the copyright act, but it also can be read to limit Section 1201's scope only to cases that involve circumvention that leads to actual copyright infringement.

Courts have taken two very different approaches to interpreting the scope and reach of Section (a)(2). Some courts have taken a narrow approach, requiring a nexus between the access that is violated and the protection of copyright. Other courts, in contrast, have held that Section (a)(2) applies to technology that circumvents controls that are used to protect copyrighted content, regardless of whether that technology is actually used to access copyrighted content.

5.3.2.2.1 Narrow Interpretation of Section (a)(2): Chamberlain Group v. Skylink Technologies

The U.S. Court of Appeals for the Federal Circuit took the narrow approach to interpreting Section (a)(2) in a 2004 case, Chamberlain Group v. Skylink Technologies.221 Chamberlain makes a garage door opener that uses copyrighted “rolling code” software that constantly alters the radio frequency signal that is needed for the transmitter to open the garage door.222 Skylink manufactures a fixed-code transmitter, Model 39, that circumvents the rolling code but nonetheless enables users to open garage doors that are connected to Chamberlain's garage door openers.223 Chamberlain argues that rolling code openers are more secure because they prevent burglars from grabbing the signal and using it later. Chamberlain did not claim that Skylink infringed Chamberlain's copyright in the code. Instead, Chamberlain claimed that the rolling code software protects itself, and therefore, by selling a transmitter that circumvents Chamberlain's rolling code, Skylink is violating Section (a)(2) by trafficking in a product that circumvents technology that protects copyrighted content.224

The Federal Circuit rejected Chamberlain's interpretation of Section (a)(2), concluding that for a plaintiff to state a valid Section (a)(2) claim, there must be a link between the access that is being circumvented and the infringement of copyrighted content. The court reasoned that Chamberlain's interpretation of the DMCA “ignores the significant differences between defendants whose accused products enable copying and those, like Skylink, whose accused products enable only legitimate uses of copyrighted software.”225 In other words, Section (a)(2) does not create a broad new property right; instead, it protects against circumvention that is reasonably related to a property right that is currently provided by the Copyright Act. The court articulated this Section (a)(2) interpretation in a six-element test:

A plaintiff alleging a violation of § 1201(a)(2) must prove: (1) ownership of a valid copyright on a work, (2) effectively controlled by a technological measure, which has been circumvented, (3) that third parties can now access (4) without authorization, in a manner that (5) infringes or facilitates infringing a right protected by the Copyright Act, because of a product that (6) the defendant either (i) designed or produced primarily for circumvention; (ii) made available despite only limited commercial significance other than circumvention; or (iii) marketed for use in circumvention of the controlling technological measure. A plaintiff incapable of establishing any one of elements (1) through (5) will have failed to prove a prima facie case. A plaintiff capable of proving elements (1) through (5) need prove only one of (6)(i), (ii), or (iii) to shift the burden back to the defendant.226

Although the Federal Circuit's six-part test largely relies on the statute's wording, the Federal Circuit clearly emphasizes the need to demonstrate that the trafficked product helps circumvent access in order to violate an existing right under the copyright laws. Elaborating on this framework, the court concluded that it necessarily requires a link between the access circumvention and a violation of existing copyright law, and that Chamberlain failed to demonstrate such a link, and therefore failed to prove the fifth element of the six-part test:

The DMCA does not create a new property right for copyright owners. Nor, for that matter, does it divest the public of the property rights that the Copyright Act has long granted to the public. The anticircumvention and anti-trafficking provisions of the DMCA create new grounds of liability. A copyright owner seeking to impose liability on an accused circumventor must demonstrate a reasonable relationship between the circumvention at issue and a use relating to a property right for which the Copyright Act permits the copyright owner to withhold authorization—as well as notice that authorization was withheld. A copyright owner seeking to impose liability on an accused trafficker must demonstrate that the trafficker's device enables either copyright infringement or a prohibited circumvention. Here, the District Court correctly ruled that Chamberlain pled no connection between unauthorized use of its copyrighted software and Skylink's accused transmitter. This connection is critical to sustaining a cause of action under the DMCA.227

Soon after the Federal Circuit issued its opinion in Chamberlain, courts quickly adopted its narrow interpretation of Section (a)(2). For instance, in 2005, the U.S. District Court for the Northern District of Illinois rejected a Section (a)(2) claim by the distributor of more than 3300 copyrighted fonts against Adobe Systems, arising out of a feature on Adobe Acrobat that allowed users to select among the plaintiff's fonts when completing a PDF form.228 The plaintiffs claimed that this feature was only possible by adding code that circumvented the fonts' embedding bits, which impose licensing restrictions in fonts and indicate to software programs (e.g., Reader) how a font may be used. However, embedding bits do not actually prevent users from accessing the fonts, which are available for free online.229 The primary issue here arose from the second prong of the Chamberlain test, whether the embedding bits constituted a technological measure that effectively controlled access to the copyrighted fonts. The court concluded that the embedding bits did not satisfy this requirement, reasoning that an embedding bit “is a passive entity that does nothing by itself,” and that the fonts had long been available to the public for free download. The court focused on the lack of technological restrictions placed on the fonts, reasoning that the plaintiffs' embedding bits are neither encrypted nor authenticated, and software such as Acrobat “need not enter a password or authorization sequence to obtain access to the embedding bits or the specification for the TrueType font.”230 Although the outcome of this case focused on the nature of the technological control, the overall approach was quite similar to that of Chamberlain, which was decided based on whether the control prevented copyright infringement. In both opinions, the court's broader inquiry was whether the technology actually protected against rights provided in U.S. copyright law.

5.3.2.2.2 Broad Interpretation of Section (a)(2): MDY Industries, LLC v. Blizzard Entertainment, Inc.

For more than five years, Chamberlain was viewed as the prevailing interpretation of Section (a)(2), and many district courts applied its relatively restrictive six-part test to claims under the statute. This changed in 2010, when the U.S. Court of Appeals for the Ninth Circuit issued its opinion in MDY Industries, LLC v. Blizzard Entertainment, Inc.231 That case arose from Glider, a game-playing bot that enabled World of Warcraft players to automatically win early levels of the game, allowing them to focus on the more advanced stages. The developer of Glider, Michael Donnelly, started a company, MDY Industries, which earned approximately $3.5 million from licensing Glider.232

In response to Glider, World of Warcraft's developer, Blizzard Entertainment, launched Warden, a technology that is designed to prevent players who use third-party software, such as bots, from accessing the World of Warcraft servers and playing the game.233 Warden contained a “resident” component that occasionally scans a user computer's RAM while it is playing World of Warcraft to determine whether there are any activities that indicate the presence of an auto-playing bot. Warden also used scan.dll, a software module, to scan a computer's RAM before allowing a connection to World of Warcraft's servers. If scan.dll detected a user was running a program such as Glider, it would not permit the player to access its servers. MDY responded to this feature by only allowing Glider to launch after scan.dll scanned the RAM for bots. MDY promoted its ability to circumvent World of Warcraft's detection systems.234 Blizzard requested that MDY cease and desist, threatening to sue, and MDY responded by filing its own lawsuit, asking the court to declare that it did not violate the anti-circumvention provisions of Section 1201 of the DMCA.

Once the Blizzard case reached the U.S. Court of Appeals for the Ninth Circuit, the court refused to adopt the narrow interpretation of Section (a)(2) as stated in Chamberlain. Flatly rejecting the Federal Circuit's conclusion that Section 1201 does not create a new property right, the Ninth Circuit held that Section (a)(2) “creates a new anti-circumvention right distinct from the traditional exclusive rights of a copyright owner.”235 In short, the Ninth Circuit criticized the Chamberlain approach as ignoring the plain language of Section (a)(2). Although the Chamberlain court reasoned that its construction of the statute was more logical and sound public policy, the Ninth Circuit concluded that such considerations should not be a factor when the plain language of a statute is clear.236

Moreover, the Ninth Circuit noted that Section 1201(b)(1) (discussed below) already explicitly links a violation to copyright infringement.237 Section (a)(2) applies when the defendant “circumvent[s] a technological measure,” and the statute defines that term by providing two examples: descrambling scrambled work or decrypting an encrypted work. The court noted that these acts “do not necessarily result in someone's reproducing, distributing, publicly performing, or publicly displaying the copyrighted work, or creating derivative works based on the copyrighted work.”238 In contrast, Section (b)(1) applies to defendants who “circumvent protection afforded by a technological measure,” that “effectively protects the right of a copyright owner” under U.S. copyright law. Distinguishing between Sections (a)(2) and (b)(1) “ensures that neither section is rendered superfluous,” the court wrote.239 The court also recognized that the Senate Judiciary Report accompanying the DMCA stated that Sections (a)(2) and (b)(1) were “designed to protect two distinct rights and to target two distinct classes of devices,” and that “many devices will be subject to challenge only under one of the subsections.”240

Like the Federal Circuit, the Ninth Circuit articulated a six-element test that plaintiffs must satisfy in order to succeed on a Section (a)(2) claim. The tests differ, however, in that the Ninth Circuit does not require a link between the control measure and preventing copyright infringement. The Ninth Circuit stated that the plaintiff must demonstrate that the defendant:

(1) traffics in (2) a technology or part thereof (3) that is primarily designed, produced, or marketed for, or has limited commercially significant use other than (4) circumventing a technological measure (5) that effectively controls access (6) to a copyrighted work.241

Applying this broader interpretation of Section (a)(2) to the World of Warcraft dispute, the Ninth Circuit considered three types of components of World of Warcraft: (1) the literal elements, which are the source code that resides on customers' computers; (2) the individual nonliteral elements, which are the individual, discrete audio and visual elements of the computer game, such as an individual sound or picture; and (3) the dynamic nonliteral elements, which it described as “real-time experience of traveling through different worlds, hearing their sounds, viewing their structures, encountering their inhabitants and monsters, and encountering other players.”242

The Ninth Circuit concluded that under its definition of Section (a)(2), Glider does not violate Section (a)(2) regarding the computer game's literal elements and individual nonliteral elements because “Warden does not effectively control access to these [World of Warcraft] elements.”243 The literal element, which is the computer game's code, resides on the player's hard drive, and not on the server.244 Similarly, World of Warcraft users can access the individual nonliteral elements – such as a single sound or image – even if they do not connect to Blizzard's server.245 Warden only blocks users from accessing the servers to play World of Warcraft online with other users; it does not prevent players from accessing the code, images, and sounds that are stored on their computers.

The Ninth Circuit, however, concluded that MDY violated Section (a)(2) regarding the dynamic nonliteral elements of the game, that is, the overall experience of playing the game and encountering other players.246 The gist of the court's reasoning is that Warden controlled access to the overall display of the game online, which is protected by copyright law, and MDY trafficked in a technology – Glider – that it marketed as a means to circumvent Warden.247 The ruling on the dynamic nonliteral elements illustrates the significant difference between the Federal Circuit's approach to Section (a)(2) in Chamberlain, and the Ninth Circuit's approach in this case. If the Ninth Circuit had adopted the Federal Circuit's analytical framework for Section (a)(2), it is highly unlikely that it would have found that MDY violated the statute. Glider was not intended to help users infringe the copyright of World of Warcraft, by copying or redistributing it; instead, Glider merely allowed users to advance through early stages of the game.

The fact that this broad view of Section (a)(2) was reached in the Ninth Circuit is particularly important because the Ninth Circuit covers the western United States, including California, which is home to many large technology companies that are more likely to bring anti-circumvention complaints. Unless the Ninth Circuit reverses its interpretation of Section (a)(2), or the United States Supreme Court decides to hear an anti-circumvention case and adopts the Federal Circuit's approach, the MDY interpretation of Section (a)(2) will remain binding precedent throughout the Ninth Circuit.

In a 2015 case in the U.S. District Court for the Central District of California, NNG, KFT. v. AVA Enterprises, Inc.,248 plaintiff NNG, which makes navigation software, alleged that navigation device maker AVA violated Section (a)(2). NNG claimed that AVA installed pirated copies of NNG's software on its devices, along with software code that circumvents the authentication code that NNG uses to prevent unauthorized use of its software.249 AVA moved to dismiss the complaint, contending that the authentication does not control the access to the copyright-protected code or files, but rather it simply validates whether the device is authorized to run NNG's software.250 The authentication code only controls access to the dynamic nonliteral elements – namely the experience of using the software. Because NNG did not allege that AVA infringed the copyright of the dynamic nonliteral elements, AVA argued, NNG could not claim a Section (a)(2) violation. In other words, AVA argued that the court should limit Section (a)(2) claims to the circumvention of access controls that leads to copyright infringement. The district court rejected this argument, concluding that it “would be correct in other Circuits, but not here.” The court recognized that because it is located in the Ninth Circuit, it is bound by the MDY holding that a Section (a)(2) claim does not necessarily need to be linked to an allegation of copyright infringement.251 Applying MDY to the allegations in the lawsuit, the court reasoned that it is “undisputed that the technological measure in this case, the Authentication Code, effectively controls access to one element of NNG's copyrighted computer software – the dynamic non-literal elements.”252 NNG's failure to allege that AVA infringed the dynamic nonliteral elements “is of no consequence,” the court concluded.253

The NNG case clearly demonstrates the huge divide among circuits in their interpretation of the scope of Section (a)(2). In the courts that adopt Chamberlain's ruling, Section (a)(2) only protects rights that are already provided in the copyright law, such as the ability to control the copying and distribution of copyrighted works. In the courts that adopt the MDY reading of the statute, Section (a)(2) creates a new right to prevent companies from distributing products that circumvent access controls. The MDY reading is particularly relevant to the cybersecurity profession because it creates a fairly powerful legal remedy for companies to pursue those that assist in bypassing technological controls.

5.3.2.3 DMCA Section 1201(b)(1)

Section (b)(1) states that no person:

shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof that–

  1. is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof;
  2. has only limited commercially significant purpose or use other than to circumvent protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof; or
  3. is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof.254

Section (b)(1) defines “circumvent protection afforded by a technological measure” as “avoiding, bypassing, removing, deactivating, or otherwise impairing a technological measure.”255 The statute states that a technological measure “effectively protects a right of a copyright owner under this title” if the measure, “in the ordinary course of its operation, prevents, restricts, or otherwise limits the exercise of a right of a copyright owner under this title.”256

Section (b)(1) appears to be quite similar to Section (a)(2), as both prohibit trafficking in technology that circumvents technological measures. The primary difference between the two sections is that Section (a)(2) applies to technology that circumvents technological measures that control access to copyrighted works, while Section (b)(1) is narrower, and only applies to technology that circumvents a technological measure that protects against violations of copyright owners' rights – that is, copyright infringement.257 Under the narrow Chamberlain interpretation of Section (a)(2), there is not a substantial difference between Sections (a)(2) and (b)(1), as both sections require a direct link to copyright infringement. However, under the Ninth Circuit's more expansive view of Section (a)(2), the two sections are significantly different, with Section (a)(2) applying broadly to circumvention of technology that protects copyrighted works, regardless of whether the circumvention aids infringement. The Senate Commerce Committee's report accompanying the DMCA indicated its intention for Section (b)(1) to be more narrowly focused on technology that aids copyright infringement.258

Indeed, in MDY, the Ninth Circuit concluded that even though the plaintiff had sufficiently alleged a violation of Section (a)(2) under the court's broad reading of that statute, the plaintiff did not prevail on its claim under Section (b)(1). The court reasoned that Blizzard's Warden software does not protect against infringement or any other violation of copyright laws, and therefore the circumvention could not violate Section (b)(1).259

If a court finds that a defendant has violated Section (b)(1), the court likely will also find that the defendant has violated Section (a)(2). For example, in Craigslist, Inc. v. Naturemarket, Inc.,260 online classified advertising website Craigslist alleged that defendant Naturemarket developed and distributed software that enabled Naturemarket customers to automatically post multiple ads on Craigslist and to harvest Craigslist user email addresses in order to send spam email messages. Both acts violate Craigslist terms of service, and Craigslist attempts to prevent such automatic posting and harvesting by using a CAPTCHA program and telephone verification, which requires the user to enter a unique code, in an effort to prevent automated programs from accessing the site.261 Craigslist alleged that Naturemarket copied portions of Craigslist's website in order to operate and develop its autoposter software. Naturemarket did not respond to Craigslist's complaint, and the district court granted default judgment to Craigslist, concluding that Craigslist's complaint stated valid claims under both Sections (a)(2) and (b)(1). Naturemarket violated Section (a)(2), the court concluded, applying the Ninth Circuit's broad interpretation of the statute, because it trafficked in a product that circumvented CAPTCHA and telephone verification, which “enabled unauthorized access to and copies of copyright-protected portions of Plaintiff's website.”262 The court concluded that because CAPTCHA protected plaintiff's copyright rights in the website, Craigslist stated a viable claim that Naturemarket violated Section (b)(1).263

In short, regardless of the circuit in which a Section 1201 dispute is adjudicated, a plaintiff who successfully states a Section (b)(1) claim typically also will prevail under Section (a)(2). However, the reverse is not always true. A successful Section (a)(2) claim, particularly in a jurisdiction that adopts the broad MDY reading of the statute, does not necessarily mean that the defendant also violated Section (b)(1), since Section (a)(2) does not require a link to copyright infringement.

5.3.3 Section 1201 Penalties

Violators of Section 1201 can face both civil actions and criminal prosecutions. Any person who is injured by a Section 1201 violation can bring a civil action against the violator in federal court. The plaintiff can seek injunctions preventing the circumvention or trafficking, impounding of a device used to violate Section 1201, damages, costs, attorney's fees, and the modification or destruction of a device used to violate the law.264

The plaintiff in a Section 1201 case can seek either actual damages or statutory damages. Actual damages are the actual costs that the Section 1201 violation caused for the plaintiff, along with any profits that the violator earned due to the illegal act, provided that they are not already taken into account in the other actual damages.265 Statutory damages are a fixed amount per violation, set by the court as it “considers just.” Violations of Section 1201 carry statutory damages between $200 and $2500 per act of circumvention.266 If the violator demonstrates that it “was not aware and had no reason to believe that its acts constituted a violation,” the court is permitted to reduce or remit the damages award.267

Section 1201 violations also can trigger criminal prosecutions, but only if the violator did so “willfully and for purposes of commercial advantage or private financial gain.”268 The maximum sentence for a first offense is a $500,000 fine or five years in prison, and the maximum sentence for a subsequent offense is a $1 million fine or ten years in prison.269 The statute of limitations for criminal prosecutions is five years.

5.3.4 Section 1201 Exemptions

Section 1201 has attracted a great deal of criticism from the cybersecurity community and consumer rights groups, who argue that the statute is not in the public interest because it prevents researchers from discovering vulnerabilities in software. As the Center for Democracy and Technology stated, the anti-circumvention provisions of Section (a)(1) “means a researcher who uncovers a software vulnerability by circumventing, for example, digital rights management (DRM) software, is breaking the law.”270 Critics also assert that Section 1201's prohibition on the distribution of tools that facilitate circumvention has had a chilling effect on online discussion about cybersecurity because publishers and ISPs fear that such discussions could lead to DMCA liability.271

Congress attempted to address these concerns by including a number of limited exceptions to the anti-circumvention provisions, though many critics say that these exceptions are not sufficient to address their concerns about the effects that Section 1201 has on cybersecurity, researchers, and consumers.

The most prominent – and flexible – exception allows the Librarian of Congress to temporarily exempt particular classes of works from Section (a)(1)'s anti-circumvention provisions, provided that the Librarian determines that the users of those works are “adversely affected by virtue of such prohibition in their ability to make noninfringing uses of that particular class of works[.]”272 In making this determination, the Librarian is required to consider the availability of copyrighted works for use; the availability for use of works for nonprofit archival, preservation, and educational purposes; the impact that a Section 1201 prohibition would have on “criticism, comment, news reporting, teaching, scholarship, or research”; whether circumvention affects the market value of copyrighted works; and other factors that the Librarian considers appropriate.273

These Librarian-granted exceptions are somewhat limited. The Librarian can only grant them in a rulemaking proceeding that occurs once every three years. The exceptions are temporary, and expire after three years. Perhaps most important, the temporary exceptions only apply to the anti-circumvention provision of Section (a)(1); they do not apply to the anti-trafficking provisions of Sections (a)(2) and (b)(1).274

In October 2015, the Librarian of Congress issued its most recent triennial rulemaking for Section (a)(1) exemptions. Among the ten classes of users and works that the Librarian exempted from Section (a)(1) are the following:

  • Motion pictures, where circumvention is undertaken only to make use of “short portions” of the motion pictures for the purpose of criticism or comment in specific instances, such as for use in documentary filmmaking, noncommercial videos, and nonfiction multimedia e-books offering film analysis.
  • Computer programs that enable smart televisions to “execute lawfully obtained software applications,” provided that circumvention is accomplished for the sole purpose of enabling interoperability of such applications with the smart television's software programs.
  • Certain lawfully acquired video games, provided that the copyright owner does not provide access to an external computer server that is necessary to authenticate local gameplay. This exception only applies for certain purposes, such as restoring access for personal gameplay.275

Some advocacy groups offered tempered praise for the wide range of exceptions that the Librarian of Congress granted in the 2015 rulemaking, but they criticized the office for delaying the effective date of the exceptions by twelve months, resulting in the exceptions only being effective for two years.276 Advocacy groups also criticized the complexity of the exceptions, and noted that a temporary Library of Congress rulemaking is perhaps not the best way to address the concerns of cybersecurity researchers and others.277 Advocacy groups also asserted that the Librarian of Congress attempted to reach a middle ground among the users and rights holders, leading to unnecessarily complex exemptions that are difficult to implement in the real world.278 Critics of Section 1201 have long expressed these concerns. In 1999, a year after Congress passed the DMCA, University of California-Berkeley law professor Pamela Samuelson wrote that “because none of the Librarian's findings last for more than a three-year period, copyright industry lobbyists will have multiple opportunities to carve back or eliminate any user-friendly exceptions that the Librarian might have the temerity to recommend.”279

In addition to the temporary exemptions that the Librarian of Congress grants every three years, the DMCA includes some permanent – but very narrow – exceptions to Section (a)(1) for specified uses. As with the Librarian's temporary exceptions, these do not apply to the trafficking provisions of Sections (a)(2) or (b)(1) unless specified:

  • Nonprofit libraries, archives, and educational institutions. Section 1201(d) exempts nonprofit libraries, archives, or educational institutions from Section (a)(1)'s anti-circumvention requirements in order to determine, in good faith, whether to lawfully acquire a copy of a copyrighted work.280 If a nonprofit library, archive, or educational institution circumvents access controls to make this determination, it may not retain the copy longer than necessary to determine whether to acquire the work, nor may it use the copy for purposes other than making this determination. This exception is not available if the organization already has an identical copy that is reasonably available. The exemption is not available to libraries or archives that are closed to the public or only available to affiliated researchers.
  • Law enforcement and intelligence activities. Under Section 1201(e), legal activities of federal, state, and local law enforcement, security, and intelligence agencies are not subject to any of the prohibitions in Section 1201 (Sections (a)(1), (a)(2), and (b)(1)). This includes the agencies' information security activities, which the statute defines as “activities carried out in order to identify and address the vulnerabilities of a government computer, computer system, or computer network.”281
  • Reverse engineering for interoperability. Section 1201(f) allows individuals who lawfully obtain the right to use a copy of a computer program to circumvent an access control technology without violating Section 1201, provided that the only purpose for which they circumvent the control is to identify and analyze the elements that are necessary to achieve interoperability with another program, and those elements have not been available to the user through other means.282 Section 1201 defines “interoperability” as “the ability of computer programs to exchange information, and of such programs mutually to use the information which has been exchanged.”
  • Encryption research. Section 1201(g) allows encryption researchers to circumvent an access control if (1) the researcher lawfully obtained the encrypted content, (2) the circumvention is necessary to conduct encryption research, (3) the researcher made a good-faith effort to obtain authorization to circumvent the control, and (4) the circumvention does not independently constitute copyright infringement or a violation of the CFAA. The exemption also allows researchers to provide the technological means of circumvention to a collaborating researcher.283

To determine whether the researcher qualifies for this exemption, the statute lists three factors: (1) the manner in which the information derived from the research is circumvented, and whether it is reasonably calculated to advance the state of knowledge or development of encryption; (2) whether the researcher has an appropriate background, training, and experience in encryption technology; and (3) whether the researcher provides the results of the research to the copyright owner.284

Some researchers have criticized this exemption for not providing the certainty necessary to conduct encryption research. In a petition to the Librarian of Congress, Johns Hopkins computer scientist Matthew D. Green wrote that the exemption includes “complex multifactor tests that cannot be evaluated ex ante, potential restrictions on the dissemination of research results, and requirements to seek authorization in advance of performing research.”285

  • Preventing minors from accessing the Internet. Section 1201(h) instructs courts, when applying Sections (a)(1) and (a)(2) to a component or part, to consider the necessity for the component's or part's intended and actual incorporation in technology that does not violate the copyright law and has the “sole purpose” of preventing minors from accessing material on the Internet.286 This is a relatively vague provision that does not give clear guidance as to the exact types of activities that are exempt from 1201 liability. The legislative history of the DMCA indicates that Congress intended to ensure that parents could install technology on their home computers that restricts their children's access to harmful material on the Internet.287
  • Protection of personally identifying information. Section 1201(i) allows an individual to circumvent controls on copyrighted works in order to protect the individual's privacy, but only if the company that possesses the data failed to conspicuously disclose the collection and dissemination and provide the individual with the chance to opt out. An individual may circumvent access controls without violating Section (a)(1), provided that all of the following four conditions are met: (1) the access control or the content that it protects is capable of collecting or disseminating personally identifiable information that reflects the online activities of a person who seeks to access the protected work; (2) in the normal course of business, the access control, or the work it protects, collects and disseminates information about the person who seeks to access the protected work, without providing conspicuous notice of the collection or dissemination to that person, and without providing the person the ability to opt out of the collection or dissemination; (3) the circumvention has the “sole effect” of identifying and disabling the collection or dissemination of the personally identifying information; and (4) the circumvention is only conducted to prevent the collection or dissemination of the personally identifying information.288 The legislative history of the provision indicates that Congress intended this exception to apply only in cases when companies did not provide transparency and choice regarding personal information.289
  • Security testing. Section 1201(j) creates an exemption to Section (a)(1) for certain forms of security testing, which the statute defines as accessing a computer “solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator” of the computer.290 The statute provides the following two factors for consideration when determining whether the exemption applies: (1) whether the information obtained through testing was used “solely to promote the security of the owner or operator of the computer,” or shared with the developer; and (2) whether the information was used in a way that facilitates copyright infringement or the violation of privacy or data security laws.

    Security researchers have identified three primary shortfalls that render this exemption relatively toothless for their work. First, the exemption, by its very terms, only applies if the researcher has obtained prior approval from the owner or operator of the computer, system, or network. Companies often do not want unaffiliated parties to independently test their security, fearing negative publicity or legal exposure. Second, as with the encryption research exemption, there is no certainty that a court would agree that the two factors weigh in favor of the exemption. Therefore, researchers risk exposure to DMCA liability without any guarantee that the exemption applies. Third, Section 1201(j) explicitly states that the exemption does not apply if the testing violates another law, such as the CFAA. In light of the broad view of the CFAA in some courts, discussed above in Section 5.1.2.2, there is a reasonable chance that this exception would not apply merely because a security test is viewed by a court as exceeding authorization.291

In sum, the seven permanent statutory exemptions to Section 1201 often do not provide cybersecurity researchers and consumers with the certainty that is necessary to circumvent access controls, even if they have a good-faith reason to believe that the exception applies. Violating the DMCA could result in significant civil damages and, in some cases, criminal charges. The multi-factor balancing tests are applied by a court, only after the individual is accused of violating the DMCA. Therefore, it is impossible for the person to have certainty before circumventing an access control.

5.3.5 The First Amendment and DMCA Section 1201

In light of the uncertainty that Section 1201 has created for a number of researchers who work on encryption, cybersecurity, and related fields, some critics assert that the statute violates the First Amendment's guarantee of freedom of speech. The gist of their argument is that software code is speech, and by prohibiting the distribution or discussion of certain types of code, Section 1201 censors speech and therefore violates the First Amendment.

In 2015 comments to the United States Copyright Office, a group of leading cybersecurity researchers expressed the primary First Amendment concerns with Section 1201:

Academic and other research institutions can be risk-averse, advising faculty and students to steer clear of research with unclear liability; faculty advise students to work in areas less fraught with potential legal and public-relations challenges; and peer review may look unfavorably upon researchers whose work treads too closely to legal lines. Funders may be reluctant to support certain kinds of research. Academic publication venues are forced to wrestle with questions regarding the legality of research, despite its public value.292

In short, cybersecurity researchers say that fear of criminal prosecution and civil litigation under Section 1201 makes it incredibly difficult for them to conduct research on vulnerabilities in software and systems. The restrictions, they say, also make it difficult for them to communicate their findings via publications and conferences, having a chilling effect on speech. Researchers have raised these First Amendment objections to Section 1201 in a handful of court cases. To date, courts have not invalidated Section 1201 due to these concerns.

One of the highest-profile of these cases emerged in 2001, when a group of academic researchers discovered a flaw in the copyright protection system that was used on audio CDs. The researchers had planned to present their findings at a large computer science conference, but they withdrew from the conference after receiving a threat from the RIAA, asserting that the publication of the research would violate the DMCA. The researchers then sued the recording industry, seeking a judgment from the court declaring that publication of the research would not violate Section 1201, and even if it did, applying the DMCA in that manner would violate the First Amendment. “In chilling publication and presentation of scientific research,” they wrote in their complaint, “the DMCA wreaks havoc in the marketplace of ideas, not only the right to speak, but the right to receive information – the right to learn.”293 The court dismissed the case for lack of standing, and did not rule on the broader statutory and First Amendment arguments. The researchers did not appeal this ruling.

Later that year, however, the U.S. Court of Appeals for the Second Circuit did rule on the constitutionality of Section 1201 in another case. In Universal City Studios, Inc. v. Corley,294 major movie studios sued Eric Corley, who published “DeCSS” code on his computer hacker website, 2600.com. He also linked to other sites that hosted DeCSS. DeCSS circumvents CSS, an encryption format that the major movie studios use to prevent unauthorized copying of their DVDs. The major movie studios sued Corley under Section (a)(2), seeking a permanent injunction to prevent him from both posting the DeCSS code and linking to other sites that host the code. After trial, the district court judge granted the permanent injunction. Corley appealed to the Second Circuit, primarily arguing that Section 1201, as applied to this case, violated the First Amendment.295

To understand how the court assessed this claim, it is necessary to know the general framework for First Amendment analysis. First, it is necessary to ask whether the law regulates speech. If the law regulates an activity other than speech, the First Amendment's free speech protections will not apply. Second, if a law does, in fact, regulate speech, then it is necessary to determine whether the law is content-based or content-neutral. If the law is content-based, then it will only survive a First Amendment challenge if the government demonstrates that it serves compelling governmental interests by the least restrictive means that are available. If the law is content-neutral, then a court will allow it if it furthers a substantial government interest that is unrelated to suppressing free expression, and the law is narrowly tailored so that it does not burden substantially more speech than necessary. The content-neutral analysis is a much lower bar than the requirements for content-based restrictions. Accordingly, the constitutionality of a statute that restricts speech often hinges on whether a court classifies it as content-based or content-neutral.

Applying the First Amendment framework to the DeCSS case, the Second Circuit first determined that computer programs and code constitute “speech” that is protected by the First Amendment.296 Acknowledging that computer code is different from more traditional forms of speech, such as literature, the court concluded that courts have long provided First Amendment protection to “dry information, devoid of advocacy, political relevance, or artistic expression.”297 The court likened programmers' communication via code to musicians' communication via musical notes.298

The next step in the analysis is to determine whether Section 1201's restrictions on publication of DeCSS and linking to other sites are content-based or content-neutral. The court reasoned that both restrictions are content-neutral. Corley argued that Section 1201's trafficking restrictions are content-based because they are specifically directed at communications regarding a particular topic: access control circumvention. The court disagreed, reasoning that Section 1201 and the district court's injunction target only the “non-speech” aspects of DeCSS: decrypting CSS.299 Section 1201, as applied to DeCSS, is content-neutral, the Second Circuit reasoned, because it is not “concerned with whatever capacity DeCSS might have for conveying information to a human being.”300

Applying the more lenient First Amendment test for content-neutral laws, the court concluded that Section 1201, as applied to this case, is constitutional. Prohibiting the posting of DeCSS code, the court ruled, serves a substantial government interest by “preventing unauthorized access to encrypted copyrighted material,” and the government's actions are unrelated to suppressing free speech because it regulates DeCSS distribution “regardless of whether DeCSS code contains any information comprehensible by human beings that would qualify as speech.”301 The prohibition on posting DeCSS code does not burden substantially more speech than necessary, the court concluded. Although the court acknowledged that the unconditional prohibition on posting the code “is not absolutely necessary to preventing unauthorized access to copyrighted materials,” Corley failed to demonstrate that the injunction burdens substantially more speech than is necessary. Had the court concluded that the injunction was content-based, it is unlikely that the injunction would have survived this challenge, since the government would have needed to demonstrate that the injunction is the least restrictive means to protect CSS-encrypted movies. The court suggested that the injunction's prohibition on linking to DeCSS code raises more difficult First Amendment issues, but ultimately it upheld the constitutionality of that prohibition as well.302

In more recent years, litigants have mounted similar First Amendment challenges to various aspects of Section 1201, but they have faced similar skepticism from courts.303 Because the United States Supreme Court has not directly ruled on whether Section 1201 comports with the First Amendment, it is possible – though unlikely – that a court could invalidate the use of Section 1201 based on a First Amendment challenge.

5.4 Economic Espionage Act

The Economic Espionage Act prohibits the theft of U.S. companies' trade secrets, either to benefit a foreign government or to economically benefit anyone other than the owner. The statute was passed in 1996 to impose criminal penalties for both foreign and corporate espionage, and amended significantly in 2016 to allow companies to bring civil suits for trade secret theft. The evolution – and growing importance – of the Economic Espionage Act demonstrates the increasingly grave threat that trade secret theft poses in the United States.

5.4.1 Origins of the Economic Espionage Act

At first glance, economic espionage and the theft of trade secrets may not appear to be of particular concern for cybersecurity professionals. However, the Economic Espionage Act is one of the first U.S. laws that was crafted with cybersecurity in mind. When Congress passed the Economic Espionage Act in 1996, companies were just beginning to consider how to integrate the Internet into their daily business operations. The companies also were taking greater advantage of computers and data centers for warehousing data that had long been contained only on paper and stored in folders and drawers.

As an increasing amount of data is stored on computers and in remote data centers, espionage and theft of trade secrets have become common, causing great economic risk for companies. Indeed, many executives view the theft of trade secrets as an even greater threat than the theft of personal information, because the theft of confidential business information such as trade secrets could undercut a company's entire economic model.

Companies have long protected their nontangible assets – information – with intellectual property laws. However, those laws only provide limited protection for much of the information that companies seek to keep confidential. Copyright law only protects creative expressions that are fixed in a medium. While, for example, an email or report may be protected by copyright, the information contained in that report is not protected. Patent law only offers protection if the United States Patent and Trademark Office has approved a patent. The patent approval process is long and complex, and requires the applicant to demonstrate that the invention is nonobvious, useful, and new. A great deal of confidential business information, such as financial projections, sales statistics, and business plans, often is not covered under federal intellectual property laws.

The most likely source of protection for confidential corporate data is the many state laws that protect trade secrets. However, most of these laws do not provide sufficient penalties to deter corporate espionage. Moreover, the laws generally provide only for private civil litigation, so they rely on the victimized companies to investigate and litigate claims against the perpetrators.

Recognizing the need for a federal law to deter corporate espionage in the emerging information age, Congress drafted and enacted the Economic Espionage Act. In its report accompanying the bill, the House Judiciary Committee noted the rapidly increasing espionage threats that companies were facing as their data was stored on computers and servers:

Computer technology enables rapid and surreptitious duplications of the information. Hundreds of pages of information can be loaded onto a small computer diskette, placed into a coat pocket, and taken from the legal owner. This material is a prime target for theft precisely because it costs so much to develop independently, because it is so valuable, and because there are virtually no penalties for its theft.304

The Judiciary Committee noted the particular dangers of espionage that arise from insider threats. “A great deal of the theft is committed by disgruntled individuals or employees who hope to harm their former companies or line their own pockets,” the Committee wrote.305

5.4.2 Criminal Prohibitions on Economic Espionage and Theft of Trade Secrets

The Economic Espionage Act contains two separate prohibitions: Section 1831 prohibits economic espionage for a foreign government or entity, and Section 1832 prohibits the theft of trade secrets to benefit one company at the expense of another company.

The two sections differ primarily regarding the purpose and intent behind the defendant's trade secret theft, as described in more detail below. Both sections, however, require the defendant to have committed one of the five following acts:

  • Stealing, or without authorization appropriating, taking, carrying away, or concealing, or by fraud, artifice, or deception obtaining a trade secret.
  • Without authorization copying, duplicating, sketching, drawing, photographing, downloading, uploading, altering, destroying, photocopying, replicating, transmitting, delivering, sending, mailing, communicating, or conveying a trade secret.
  • Receiving, buying, or possessing a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without authorization.
  • Attempting to commit any of the aforesaid offenses.
  • Conspiring with at least one other person to commit any of the first three offenses, and one or more of the conspirators do any act to effect the object of the conspiracy.306

Violations of Section 1831 carry prison time of up to fifteen years and a fine of up to $5 million for an individual. Organizations that violate Section 1831 face a fine of up to $10 million or three times the value of the stolen trade secret, whichever is greater. Violations of Section 1832 carry prison time of up to ten years or a fine. Organizations that violate Section 1832 face a fine of up to $5 million, or three times the value of the stolen trade secret, whichever is greater.

Sections 1831 and 1832 apply to conduct that occurs outside of the United States, if either an act in furtherance of the violation was committed in the United States, or if the offender is a U.S. citizen or permanent resident alien, or an organization that is organized under U.S. laws.307

5.4.2.1 Definition of “Trade Secret”

Both Sections 1831 and 1832 only apply if the information at issue constitutes a “trade secret.” The Economic Espionage Act broadly defines “trade secret” as:

all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if—

  1. the owner thereof has taken reasonable measures to keep such information secret; and
  2. the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information.308

Congress modeled the Economic Espionage Act's definition of “trade secret” after the definition in the Uniform Trade Secrets Act, intending for the definition to broadly encompass many types of confidential information.309

In some cases, defendants argue that information is not a trade secret because the owner failed to take “reasonable measures” to keep the information secret. Although there is not a precise checklist to determine whether companies have taken sufficiently reasonable measures, courts consider a wide range of factors, such as the number of people authorized to access the information, the security of the storage of the information, confidentiality agreements, and the company's information security and document destruction policies.310

Despite this broad definition of trade secrets, defendants often seek to dismiss Economic Espionage Act cases by arguing that the government failed to demonstrate that the company took reasonable measures to ensure secrecy. For example, in a 2008 criminal trial in Los Angeles, Tien Shiah was tried for violating Section 1832.311 Shiah, who was born in Taiwan and raised and educated in Canada, worked at a California company, and had accepted a job at another company. Before leaving his first employer, he gathered a number of confidential electronic files on a laptop, as well as hard copies. He believed this was a “toolkit” that was a record of his work at the first employer.312 Two years later, Shiah left his second employer, and created another “toolkit” of a number of confidential documents, including many regarding pricing and business strategy.313

At trial, the judge concluded that his employer had taken reasonable steps to keep the information secret. The judge first noted that it is unnecessary to demonstrate that the company prevented even its own employees from seeing the data, as that would threaten internal productivity.314 The proper inquiry is whether the company took reasonable steps to prevent outsiders from accessing the data. Among the steps that the company took to safeguard the data:

  • Requiring every employee to sign a confidentiality agreement.
  • Using firewalls, intrusion detection software, strong passwords, layered protection between the Intranet and Internet, and selective storage of files.
  • Requiring nondisclosure agreements before sharing information with outside entities.
  • Marking documents as confidential.
  • Strengthening the physical security of its facilities.

However, the judge noted a few areas in which the employer could have improved its efforts to maintain secrecy of the data:

  • Explain the confidentiality agreement to employees, and provide them with a copy for their records.
  • Implement a comprehensive system to designate confidentiality of documents.
  • Refer employees to the confidentiality agreement during their exit interviews.
  • Ask employees at exit interview whether they copied any files.
  • Inspect the employee's computer upon termination to determine whether the employee has taken any confidential information.315

On balance, the court concluded, the employer's confidentiality practices were “generally effective,” and the deficiencies “were not so extensive to qualify as unreasonable.”316 The court's well-reasoned analysis in this case provides an example of the factors that courts will weigh when determining whether companies took reasonable steps to protect confidential information. Keep in mind that another court could have just as easily found that the employer did not take reasonable steps, depending on the weight that the court were to accord to each protective measure. Accordingly, companies that seek to ensure that their information constitutes a trade secret for the purposes of the Economic Espionage Act should attempt to take as many protective measures as possible.

Defendants also argue that information does not constitute a trade secret because the information does not derive independent economic value from not being known to another person who can obtain economic value from the disclosure or use of the information.317 To make this determination, courts typically consider “the degree to which the secret information confers a competitive advantage on its owner.”318 In general, courts have been willing to find that confidentiality of information creates independent value, and they typically do not require proof of an actual increase in value due to the confidentiality. In part, that is because the statute allows the economic value to be actual or potential.319

For instance, in the Shiah criminal prosecution, the court concluded that the information that Shiah copied has independent economic value due to its confidentiality. The pricing information, for instance, “would allow competitors to compete more effectively with respect to price by undermining [the employer's] pricing structure and also obtain more favorable terms from their suppliers.”320 Disclosure of information about the company's unreleased products would hurt the company's research and development efforts, the court reasoned.321 Revealing the confidential customer information could harm the company's relationships with its customers, the court wrote.322 The court recognized that some of the information in the files that Shiah copied was not confidential, such as information that already was publicly available, and Congress did not intend to accord trade secret status to such data.323 Nonetheless, the information constituted a trade secret because at least some of it derived value from remaining confidential.324

5.4.2.2 “Knowing” Violations of the Economic Espionage Act

Both Sections 1831 and 1832 apply only to acts that are done “knowingly.” Congress added this additional state-of-mind requirement to limit the application of the Economic Espionage Act to people who are aware that they are handling trade secrets. In the Senate Judiciary Committee's report accompanying the Economic Espionage Act, the legislators wrote that to knowingly commit an act in violation of the Economic Espionage Act requires “(1) an awareness of the nature of one's conduct, and (2) an awareness of or a firm belief in or knowledge to a substantial certainty of the existence of a relevant circumstance, such as whether the information is proprietary economic information as defined by this statute.”325

Prosecutors need not demonstrate that the defendant knew that the act was illegal, or that the defendant was aware that the information legally qualifies as a trade secret.326 Instead, prosecutors only must prove that the defendants were aware that the information was proprietary.327

5.4.2.3 Purpose and Intent Required under Section 1831: Economic Espionage

As mentioned above, Sections 1831 (Economic Espionage) and 1832 (Theft of Trade Secrets) apply to the same five acts involving the theft, copying, receipt, or purchase of trade secrets. The difference between the two sections is the purpose and intent behind these acts. Section 1831 involves a violation that is motivated by the desire to help a foreign government, while Section 1832 involves a violation that is motivated by the desire to help one company succeed and harm the victim. It is possible to see a defendant charged under both sections, if the act is intended to both help another country as well as a company in that country.

Section 1831 applies if the defendant knowingly committed the offense “intending or knowing that the offense will benefit any foreign government, foreign instrumentality, or foreign agent[.]”328 Section 1831 explicitly states that it only applies if the foreign instrumentalities329 and agents330 are linked to a foreign government. Accordingly, an offense that is intended to benefit a foreign private company – and not the government – will not qualify as a Section 1831 violation (though it might fall under Section 1832).

For instance, Hanjuan Jin was indicted under both Sections 1831 and 1832 for allegedly stealing trade secrets from her former employer, Motorola, and moved to China with plans to work for a competing company. The judge conducted a bench trial (which is a trial that is decided by the judge, not a jury), and determined that although Jin violated Section 1832, there was insufficient evidence to convict her of economic espionage under Section 1831. The government argued that by providing the trade secrets to a Chinese company, Jin intended to benefit the People's Republic of China. The district court rejected this argument, concluding that “[t]here is certainly plenty of speculative proof that the PRC may have benefited from Jin's conduct, but such speculation does not equate to proof beyond a reasonable doubt.”331 The Jin case demonstrates the difficulty of proving a Section 1831 violation. The government faces the heavy burden of demonstrating beyond a reasonable doubt that the defendant not only stole trade secrets but did so with the intent or knowledge that the action would benefit a foreign government.

That is not to say that it is impossible to demonstrate that the defendant stole trade secrets with the intent of benefiting a foreign government. Consider a 2011 case from the U.S. Court of Appeals for the Ninth Circuit, United States v. Chung.332 Dongfan Chung, a former Boeing engineer, was charged with violating Section 1831 because he provided Boeing trade secrets to China. Chung, who was born in China, worked in Boeing facilities in the United States for more than three decades before retiring in 2002. During the 2005 search of the home of another criminal suspect, federal agents found a letter to Chung, from a Chinese government official, thanking Chung for providing information to China and requesting additional information about airplanes and space shuttles. This letter provided the agents with reason to further investigate Chung. In 2006, with his consent, they searched his home and found more than 300,000 pages of Boeing documents, many relating to space shuttle design.333 They also learned that he gave a presentation about Boeing space shuttles to Chinese engineers. Chung was convicted at trial on violations of Section 1831, as well as other crimes.

Chung appealed the 1831 conviction. The Ninth Circuit held that there is “ample evidence” that Chung possessed the trade secrets with the intent of benefiting the Chinese government. “Defendant intended to benefit China by providing technical information responsive to requests from Chinese officials and by delivering presentations to Chinese engineers,” the court wrote.334 The Chung case shows courts' willingness to conclude that a Section 1831 defendant intended to benefit a foreign government based on compelling circumstantial evidence. Possessing the documents, and nothing more, probably would not have satisfied Section 1831's intent requirements. However, Chung's ongoing contacts with Chinese officials, coupled with his possession of trade secrets, were enough for the court to affirm his Section 1831 conviction.

5.4.2.4 Purpose and Intent Required under Section 1832: Theft of Trade Secrets

In recent years, prosecutors have brought a number of high-profile cases under Section 1832, likely owing to the fact that employees are increasingly transferring large amounts of data from their current employer to a future employer. The abundance of portable digital media and unrestricted workplace Internet access make such theft remarkably easy.

Section 1832 applies if the defendant knowingly commits one of the five offenses related to trade secrets “with intent to convert a trade secret, that is related to a product or service used in or intended for use in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will injure any owner of that trade secret[.]”335

The requirement of “intent to convert a trade secret” simply means that the defendant intended to transfer the trade secret to an individual or entity other than the legally authorized owner. This is based on the common law tort of conversion, which courts typically define as an “unauthorized assumption and exercise of the right of ownership over goods or personal chattels belonging to another, to the alteration of their condition or the exclusion of an owner's rights.”336 In the cyber realm, if an employee downloads thousands of pages of confidential sales documents, hoping to use them in a future job with a competitor, the employee intends to convert trade secrets.

Perhaps the most contentious – and complex – requirement is that the trade secret be related to a product or service used in or intended for use in interstate or foreign commerce. In fact, Congress has changed the precise wording of this requirement over the years as it has struggled to determine the scope of Section 1832.

When the Economic Espionage Act was initially introduced in the Senate, it did not require that the trade secret have any link to interstate or foreign commerce; instead, it imposed criminal penalties on any individual who steals “proprietary economic information having a value of not less than $100,000.”337 The House added an interstate or foreign commerce requirement, which applied to the conversion of any trade secret “that is related to or included in a product that is produced for or placed in interstate or foreign commerce.” That limitation was included in the bill that was enacted in 1996, and remained in effect until 2012.

That interstate commerce provision, however, raised some significant challenges for prosecutors and uncertainty for courts. What did it mean for a product to be produced for or placed in interstate commerce? And what if the trade secret related to a service, rather than a product? The limitations of this definition became apparent in a 2012 opinion from the U.S. Court of Appeals for the Second Circuit. In United States v. Aleynikov,338 Sergey Aleynikov, a Goldman Sachs computer programmer, was charged with violating Section 1832. Prosecutors alleged that he stole source code for Goldman's high-frequency trading system, and had accepted a job with another company that was developing its own high-frequency trading system.339 Aleynikov was convicted, and he appealed, arguing that Goldman's high-frequency trading system was not a product that is produced for or placed in interstate commerce. Aleynikov argued that the high-frequency trading system was strictly for Goldman's internal use, and the company had no plans to sell or license the system. The Second Circuit agreed with Aleynikov and reversed his Section 1832 conviction. Even though the software helped Goldman engage in interstate and foreign commerce, the Second Circuit concluded that the statutory provision is far more limited, and only applies to products that are in the stream of commerce or are intended to be placed in the stream of commerce.340

The Aleynikov decision quickly set off alarms throughout corporate America.341 Corporations develop a great deal of proprietary technology that is intended strictly for internal use. The court's opinion suggested that employees would not be liable under the Economic Espionage Act for the theft of this valuable data. Within months of the Second Circuit's decision, members of Congress introduced the Theft of Trade Secrets Clarification Act of 2012. The bill's sponsors stated their intent to prevent future decisions such as Aleynikov, and the legislation passed without controversy.342 The bill expanded the reach of Section 1832, applying to trade secrets that are “related to a product or service used in or intended for use in interstate or foreign commerce.” This amendment significantly broadened the reach of Section 1832, allowing it to apply not only to products that are sold or licensed, but to products and services that are used in interstate or foreign commerce. For instance, while Goldman's high-frequency trading system did not fall within the scope of the older version of Section 1832, it clearly is covered by the current version because the software is used in interstate and foreign commerce.

Section 1832 also is limited by the requirement that the act be “for the economic benefit” of anyone other than the owner. Courts have held that an employee does not violate Section 1832 merely by gaining skills and expertise at Employer A, quitting, and using those skills at Employer B. Individuals only violate Section 1832 if they use confidential information for the benefit of themselves or others, such as a new employer.343

5.4.3 Civil Actions for Trade Secret Misappropriation: The Defend Trade Secrets Act of 2016

Until 2016, the Economic Espionage Act was enforceable only by federal prosecutors. If a company wanted to obtain an injunction or recover damages for the theft of trade secrets, its only recourse was filing a lawsuit in state court under one of the forty-eight state trade secret misappropriation laws. Companies often were unable to effectively use state trade secrets laws because the process was overly burdensome. Trade secret theft often affected a company's operations in all states, and bringing separate suits in each state would be impractical. Moreover, state courts often do not operate at the fast pace that is necessary to address trade secret theft involving a multinational company.

Recognizing the limitations of state trade secret laws, members of Congress in 2014 began to propose legislation to amend the Economic Espionage Act to allow companies to bring trade secret misappropriation lawsuits in federal court. They succeeded in 2016, when President Obama signed the Defend Trade Secrets Act of 2016.

The primary component of the bill is a new civil remedy for trade secret misappropriation, allowing companies to directly sue under federal law if their trade secrets have been stolen. In the House Judiciary Committee report accompanying the bill, legislators expressed a desire to provide a “single, national standard for trade secret misappropriation with clear rules and predictability for everyone involved.”344 Congress recognized the close link between trade secret theft and cybersecurity, and noted that despite companies' efforts to improve their security measures, such theft has increasingly taken a toll on the U.S. economy.345

5.4.3.1 Definition of “Misappropriation”

The Defend Trade Secrets Act of 2016 allows companies to bring a federal civil suit if they have been the victims of misappropriation, a term that had not been previously used in the Economic Espionage Act. The bill provides two definitions for “misappropriation”:

  1. acquisition of a trade secret of another by a person who knows or has reason to know that the trade secret was acquired by improper means; or
  2. disclosure or use of a trade secret of another without express or implied consent by a person who –
    1. used improper means to acquire knowledge of the trade secret;
    2. at the time of disclosure or use, knew or had reason to know that the knowledge of the trade secret was –
      I. derived from or through a person who had used improper means to acquire the trade secret;
      II. acquired under circumstances giving rise to a duty to maintain the secrecy of the trade secret or limit the use of the trade secret; or
      III. derived from or through a person who owed a duty to the person seeking relief to maintain the secrecy of the trade secret or limit the use of the trade secret; or
    3. before a material change of the position of the person, knew or had reason to know that –
      I. the trade secret was a trade secret; and
      II. knowledge of the trade secret had been acquired by accident or mistake.346

The term “improper means” is defined to include “theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means[.]”347 The term does not include lawful means of acquisition, including reverse engineering or independent derivation.348

The House Judiciary Committee report states that this definition is largely identical to that which is in the Uniform Trade Secrets Act, which is the basis for the forty-eight state trade secret laws. Congress used the state laws' definition “to make clear that this Act is not intended to alter the balance of current trade secret law or alter specific court decisions.”349

The Defend Trade Secrets Act provides three general types of relief that misappropriation victims may seek: (1) civil seizures, (2) injunctions and other equitable relief, and (3) damages.

5.4.3.2 Civil Seizures

In certain extraordinary circumstances, a company may go to federal court to seek an order for the seizure of property, if the seizure is necessary to prevent propagation or dissemination of the trade secret that has been misappropriated.350 The company may apply for the seizure through an ex parte process, meaning that the other party need not be present to litigate the request. The House Judiciary Committee stated that it only intends the civil seizure process to be used “in instances in which a defendant is seeking to flee the country or planning to disclose the trade secret to a third party immediately or is otherwise not amenable to the enforcement of the court's orders.”351

For a court to grant a civil seizure motion, it must find the following to be clearly true:

  • Other equitable relief would be inadequate.
  • Denying the seizure would result in an “immediate and irreparable injury.”
  • The harm of denying the seizure outweighs the harm caused by the seizure.
  • The applicant likely will succeed in demonstrating trade secret misappropriation.
  • The person whose property is being seized actually has the trade secret.
  • The application describes the matter to be seized and the circumstances with reasonable particularity.
  • The person against whom the seizure is being ordered, or other people, would make the property inaccessible to the court if notified.
  • The applicant has not publicized the request for seizure.352

If a court issues a seizure order, it must set a hearing within seven days after the order has been issued. At the hearing, the applicant for the order bears the burden of proving the facts that support the order. If the court determines that the applicant has not met that burden, the seizure order will be immediately dissolved.353

Any party that has an interest in the matter seized may request an immediate hearing, which can be ex parte, to encrypt the seized material.354

5.4.3.3 Injunctions

A company that has been the victim of trade secret misappropriation may request an injunction to prevent actual or threatened misappropriation. Injunctions under this act may block threatened misappropriation, provided that they do not entirely prevent an individual from starting a new job. Any conditions that the injunction places on employment must be based on evidence of threatened misappropriation, and not only on information that the person knows. Such injunctions also may not conflict with state laws regarding restraints on trades or businesses.355 The House Judiciary Committee stated that it added these limits on injunctive relief to “protect employee mobility,” consistent with employment protection laws in many states.356

Injunctions also may require parties to take affirmative actions to protect a trade secret. And in exceptional circumstances, injunctions may condition future use of a trade secret on the payment of a reasonable royalty, for a limited period of time.357

5.4.3.4 Damages

The Defend Trade Secrets Act also enables plaintiffs to recover compensatory damages from the defendants. The Act allows plaintiffs to recover damages for actual loss caused by the misappropriation, as well as damages for unjust enrichment that are not included in the actual loss total.358

Alternatively, plaintiffs can seek to recover compensatory damages by imposing a “reasonable royalty” for the defendant's unauthorized disclosure or use of the trade secret.359 The House Judiciary Committee stated that it does not intend to encourage the use of reasonable royalties, and prefers alternative remedies.360 If the court determines that the defendant “willfully and maliciously” misappropriated the trade secret, the plaintiff may recover exemplary damages of up to twice the amount of the compensatory damages awarded.361

5.4.3.5 Statute of Limitations

Plaintiffs must bring Economic Espionage Act civil actions within three years of the date the misappropriation was discovered or should have been discovered through exercise of reasonable diligence.362 This requirement is identical to the statute of limitations in the Uniform Trade Secrets Act.363

 
