The CFAA, 18 U.S.C. § 1030, is the federal government’s primary anti-hacking statute. Passed in 1984, in its most basic form it prohibits two primary types of behavior:
1. Unauthorized Access to a computer – traditional hacking
2. Unauthorized Damage to a computer – deleting or impairing access to data
It’s both a criminal and civil statute. That means that the federal government can put you in jail for violating the CFAA. And that private parties can sue you civilly for money – and restraining orders – for harms under the CFAA.
The CFAA is notorious for its lack of definitional clarity, leading to innocent and innocuous defendants being swept up in its ambit and subjected to felony punishment.
The CFAA’s central problem is that it contains no explicit definition of what “authorization” is. And although that may seem easy at first blush, it’s proven otherwise. Courts across the country have interpreted it in conflicting ways. Or in ways that are shocking to computer scientists and information security professionals.
Does violating the Terms of Service on a social media site make your access unauthorized? Is automated data scraping of sites lawful if you have the password? Does sharing a password to your HBO account violate the CFAA? Some courts say yes, and some say no. What is legal in some jurisdictions because of a court’s interpretation of the CFAA might be a felony in others. And this is a problem when you traverse multiple jurisdictions at the speed of light when you use the internet. Particularly when sentences for a single violation of the CFAA run as high as ten years, with potential fines in the hundreds of thousands of dollars.
Tor Ekeland Law’s first case – Client No. 1 – was a federal criminal CFAA jury trial and appeal. When we got Client No. 1’s conviction unanimously vacated on appeal we became the go to CFAA Firm. Since then we’ve handled CFAA criminal jury trials through verdict, and appeals, in California, Minnesota, New York, and Texas. And we’ve dealt with DOJ CFAA investigations from the target letter stage, through Grand Jury Proceedings and pre-trial litigation in Boston, Miami, New York, New Jersey, Texas, Memphis, Nashville, and the United Kingdom.
Few, if any, have our combination of in depth practical knowledge of the complex technicalities involved in a CFAA case with our depth of procedural experience with federal white collar criminal and civil trials and appeals.
Handling a computer crime case isn’t as simple as researching case law for the latest judicial hair splitting on the amorphous meaning of authorized access. It requires practical understanding of computer science, networked computers, and digital forensic analysis. Requirements on top of knowing how to persuasively present our client’s story in court and the ability to navigate complex rules of procedure while telling that story. Because when you’re taking or defending the testimony of a witness you don’t have the luxury of Googling the answer when things turn on your split second reaction. Too often we get calls from people whose first lawyer didn’t understand computers or the internet, hoping we can undo what can’t be undone.
Our second CFAA case was United States v. Matthew Keys, in federal court in Sacramento, California. Matthew was accused and convicted for passing a user name and password to the Tribune Media Company’s media content management system to another hacker. That hacker used it to change a few words in a L.A. Times website story on tax cuts. It was quickly fixed once discovered.
We did the case pro bono because the use of the CFAA to prosecute a journalist concerned us. Plus we like to go to trial (but only if that’s in the best interests of our client). It was a tough case, and in the end Matthew was convicted. But by going to trial and telling his story we got him a better sentence than what pre-trial services had recommended, 7 1/2 years, or what the government offered as a plea, 5 1/2. Ultimately the Court gave him 2 1/2 years, and we’re happy to say that Matthew is done with his sentence and thriving as a journalist again.
We did the 9th Circuit appeal pro bono and think the oral arguments highlight some of the problems with interpreting the CFAA. In the end, the court affirmed the conviction. But the oral arguments demonstrate how difficult it is to make sense of the CFAA, particularly when it comes to the part of the CFAA that prohibits unauthorized damage to a computer, an undeveloped area of the law subject to the conceptual confusion discussed in the oral arguments:
We’re experienced trial, appellate, and business lawyers with a nationally recognized computer law, intellectual property, and criminal defense practice.
Lots of law firms claim they practice computer or “cyber” law. Tacking the word cyber in front of everything they claim to be “cyber” experts. It’s cyber this and cyber that. Accompanied by photos of hooded, shadow faced hackers. Everyone wants to join the cyber law parade. But when you ask one of these “cyber” law firms the difference between a MAC Address and an IP Address you get a blank stare. And you probably get that blank stare in the form of an unencrypted email sent from that law firm’s unsecured server. We’re not that law firm.
Since 2012, we’ve been doing CFAA and computer crime trials and appeals across the nation. Back then, we were the first law firm in the country to accept BitCoin as payment. It wasn’t a big deal to us then and we aren’t dazzled now by all the hype around virtual currencies. We’ve been on the cutting edge of computer law this decade, not just on paper but in court, and we’re not stopping. If you’re looking for a Firm that has unparalleled real world experience with FBI computer crime investigations combined with jury trial experience against the Department of Justice in computer crime cases across the country, contact us.
©2020 Tor Ekeland Law, PLLC • (718) 737-7264
Attorney Advertising • Past results do not guarantee future results • Licensed in New York and California