DOJ Finally Releases Its Internal, Mostly-Vague CFAA Prosecution Guidelines

The government often engages in very dubious CFAA prosecutions, but it takes a lawsuit to get it to talk about how it decides what cases are worth pursuing.

[T]hanks to a legal challenge to the CFAA, the Department of Justice is for the first time releasing its 2014 guidelines on how prosecutors should charge computer crimes - when someone exceeds "authorized" access on a computer. (First Look Media, the publisher of The Intercept, is a plaintiff in the case.)

The Department of Justice acknowledges that "laws addressing the misuse of computers have not kept pace uniformly with developments in technology and criminal schemes" though it maintains that the law remains "important" in prosecuting cybercrimes.

I'd imagine the DOJ is more concerned about crafty cybercriminals beating them in the tech arms race than it is about legislators' inability to reform the CFAA (something the DOJ routinely opposes). The "Intake and Charging Policy" memo [PDF] for the DOJ's prosecution of cybercrimes lists a number of factors to be considered before pursuing federal charges.

The first key is the sensitivity of the information or system accessed "without authorization," followed by national security considerations and economic impact. Public safety is also a factor. The document points out that information obtained without authorization can be deployed to stalk and harass officials and lower level members of the general public.

But the definition of "unauthorized access" isn't explored adequately in the legal memo, leaving this to be answered on a case-by-bad case basis. The prosecutions of Aaron Swartz and Andrew "Weev" Auernheimer suggest the DOJ allows this definition to be set by the complainant rather than by policy. When MIT or AT&T complain, the government listens.

Also of note is the DOJ's willingness to turf questionable cases to the local boys if that seems more likely to result in a conviction.

Where criminal activity risks these broad harms or has a substantial effect in several parts of the country, federal prosecution may be warranted. In other circumstances, if the effect of a violation is geographically focused and limited, deference to state or local authorities may be warranted, where they have the legal tools and resources to act.

The DOJ also reserves the right to take local prosecutions federal.

Where an offense causes particularly significant harm to a single District or community, federal prosecution may be warranted.

And then there's this part, which is what worries security researchers and white hat hackers:

[F]ederal prosecution may be warranted even where the offender did not actually obtain any such information; in other words, in certain aggravated circumstances, mere access to a computer system that stores these types of sensitive information may weigh in favor of prosecution.

On the plus side, the DOJ memo does make it clear that it would rather have evidence of malicious intent than mere "unauthorized access" to work with. It also states that it should take more than violations of Terms of Service or other "contracts" with websites/service providers to trigger federal prosecution.

Unfortunately, the law is still outdated (30 years old this month!) and "unauthorized access" prosecutions are still being handled inconsistently. The DOJ is prone to letting victims steer prosecutions, resulting in completely ridiculous outcomes like the two-year prison sentence handed to Matthew Keys for a 40-minute website defacement he didn't even perform.

The memo somewhat ominously concludes with the statement that this legal memo -- pried out of its hands by litigation -- isn't intended to be "all inclusive." Given the law hasn't aged terribly well and is predicated on a slippery term like "unauthorized access," the DOJ will likely be pursuing questionable edge cases for years to come.