The Computer Fraud Act: Bending a Law to Fit a Notorious Case

Until recently, the Computer Fraud and Abuse Act — covering a myriad of activities related to hacking and intellectual property theft — was just one of many questionable federal laws on the books.

Then came the case of Lori Drew — the woman found guilty of a misdemeanor under the Act: accessing protected computers without authorization. What Drew had done was invent a fake MySpace profile of a nonexistent teenage boy and develop a relationship between him and her daughter’s former friend. The target of the ruse, Megan Meier, committed suicide after Drew’s creation spurned her.

Drew was widely vilified for her actions, but there was a certain uneasiness in many legal quarters about prosecuting her under the Computer Fraud and Abuse Act. It appeared that the law was being stretched beyond its original intent to meet the needs of the prosecutors in the case.

Certainly the mixed verdict — Drew was found not guilty of felony conspiracy charges — suggests the jury had its own reservations. One irony, though, in this sad and sordid tale is that even before Drew came along, some corporations were stretching the Computer Fraud and Abuse Act beyond its original intent as a means of keeping former employees in line.

“It is not unlike the RICO statutes that were put on the books some 30 years ago to go after organized crime, but then later were used in other ways beyond what the original crafters intended,” John Woods, a partner with Hunton & Williams, told the E-Commerce Times.

Tool to Prosecute Hackers

First passed in 1986, the Computer Fraud and Abuse Act was originally written to help aid the prosecution of hackers looking for classified government information, Woods said. Later, it was amended a few times, most recently in 2001, to include the private sector. It is the way the private sector is using the Act that is stretching it beyond its original mission.

Companies are using the Act to defend their intellectual property — not only against hackers, although that is clearly a use, but also against former employees who have left the corporate fold and are suspected of having taken company data with them. The data does not necessarily have to be trade secrets; it can be something as pedestrian as a customer list or service policy. Still, the Act can be used prosecute former employees for such alleged thefts.

“It is a statute that was broadly written to encompass a number of different activities involving computer abuse — and that abuse applies to outside hackers but also to insiders such as employees,” said Beryl Howell, executive managing director and general counsel at Stroz Friedberg, an investigative firm that specializes in computer forensics. She helped draft the amendments to the Computer Fraud and Abuse Act that were adopted in 2001.

For one statute, it covers a lot of ground, which may explain the creative ways in which it is being used in cases today, she told the E-Commerce Times.

“It is not unusual for the federal government to take a complicated law and present a different interpretation of it, as it is doing in the Drew case,” Howell said.

It can be applied to the prosecution of cyber-extortionists, for instance, or people who send sensitive code to hackers so they don’t have to make illegal incursions into a network.

“The civil component of it also allows organizations in the private sector to get compensation from wrongdoers whether or not the federal government takes criminal action,” she said.

Exceeding Authorization

The Act is used to go after hackers — people who intrude on networks without any access rights, Robert Brownstone, law and technology director for Fenwick & West, told the E-Commerce Times. “The other part of this is that it is also used to go after someone who had or has access rights but then exceeded the authorization.”

That is how the government is justifying the prosecution of Drew — she violated MySpace’s terms of service, or the authorization that was granted to her when she clicked on the user agreement.

That is also the reasoning behind prosecution of employee theft suits.

This calendar year in particular, Brownstone said, there has been a growth in the number of cases in which companies have accused former employees either of exceeding their computer authorizations or doing things they were never authorized for in the first place. It is fairly easy to prove the latter, and judges increasingly have been making it easier for companies to prove the former — that is, that employees exceeded their authorizations.

Prosecutions of these cases were tricky in the past, because an employee oftentimes had every right to access a system and may well have taken information out of the workplace on a USB drive for a valid reason. Increasingly, though, courts are finding that once an employee has decided to leave a company, any incursions may be seen as exceeding authorization — even when the individual is still legally employed at the firm.

“Sure, some cases are getting kicked out of court,” Brownstone said, “but in a growing number of cases, the majority of the courts are saying in response to a defendant’s move to dismiss that the company has a viable claim.”

Thought Crime

Given these nebulous parameters, it is easy to see why Drew and her advocates are crying foul.

With any statute, there is the possibility of abuse, Hunton & Williams’ Woods said. “There will always be lawyers attempting to stretch the bounds of a law — especially for one like this, where its exact contours are yet to be fully defined.”

Still, there’s not much use for the Computer Fraud and Abuse Act in the criminal courts, said Chris Collins, a partner with Vanderpool Frostick and Nishanian.

“Yes, it’s a tool for an overzealous prosecutor,” he told the E-Commerce Times, “but I don’t think we will see a lot of these cases similar to Drew’s going to trial.”

Drew’s prosecution is a poor application of a set of facts to the law, Collins continued. “The prosecutor is sensing the indignation of the local community and is stretching the law in response.”