Provided below are example cases of federal prosecutions including CFAA violations charges. The case entries include links to additional materials from the case and resources related to the case. Also, the Department of Justice has published its own manual on “Prosecuting Computer Crimes” that is available online here.
U.S. v. Andrew Auernheimer, No. 13-1816 (3rd Cir. Apr. 11, 2014)
When Apple released the iPad, customers were required to purchase a contract with AT&T and register their accounts on a website controlled by AT&T using their email addresses. When testing AT&T’s security system, Andrew “Weev” Auernheimer discovered a flaw. He was able to gather the email addresses of their customers. When Weev notified AT&T that these personal emails were accessible and that AT&T customers were vulnerable, AT&T took no action. In response, he alerted the press to the security flaw and publicized some of the email addresses in redacted form. He did not possess, nor had access to, any other personally identifiable information or passwords of the customers.
AT&T responded by alerting the federal government, who then prosecuted Weev for violating the Computer Fraud & Abuse Act (CFAA). In order to enhance the potential punishment from a misdemeanor to a felony, the government claimed that the CFAA violation occurred in furtherance of a violation of New Jersey’s computer crime statute, even though no conduct occurred in New Jersey. This is known as “stacking” offenses, when the federal government reaches to a state statute to ramp up the charges, even though the state and federal statute cover the same conduct.
After a jury trial, Weev was convicted and sentenced to 41 months in federal prison and to pay $73,000 in restitution. NACDL filed an amicus brief in support of his appeal to the Third Circuit, urging the court to take a narrow approach to the CFAA and limit the prosecutorial power of the government, which is available here. Holding that venue was not proper in the District of New Jersey, the Third Circuit vacated Weev’s conviction (opinion).
U.S. v. Matthew Keys, No. 2:13-cr-00082 (E.D. Cal. 2013)
On March 14, 2013, Matthew Keys, a former Reuters Social Media Editor, was indicted on multiple counts of CFAA violations for allegedly providing hackers with usernames and passwords for Tribune Company websites in late 2010 after he was fired from his job at a Tribune-owned company. The government alleges this conduct was part of a conspiracy to make unauthorized changes to Tribune websites and to damage Tribune computers. The indictment charges three criminal violations of the CFAA, including conspiracy to cause damage to a protected computer, transmission of a malicious code and attempted transmission of a malicious code. These charges carry up to 25 years in prison and a fine up to $750,000. Keys rejected a plea deal and went to trial. After an 8-day jury trial, Keys was found guilty of three counts of violating the CFAA. On April 13, 2016, he was sentenced to 24 months of imprisonment, 24 months of supervised release, and restitution in the amount of $249,956. His appeal is currently pending before the Ninth Circuit.
U.S. v. Aaron Swartz, Crim. No. 1:11-cr-10260 (D. Mass. 2012)
Aaron Swartz, a computer programmer, entrepreneur and activist, was federally indicted on multiple counts of wire fraud and CFAA violations, including unlawfully obtaining information from a protected computer and recklessly damaging a protected computer. The charges stemmed from Swartz’ alleged effort to download approximately 4.8 million articles from JSTOR, which is a not-for-profit digital library, using the MIT network. Anyone on the MIT campus could access MIT’s computer network and, as a result, JSTOR, but JSTOR’s terms of service limited the amount of articles that could be downloaded at a time. Swartz wrote a script that instructed his computer to download JSTOR articles continuously and, when this violation was detected and requests from his computer were denied, Swartz spoofed his computer’s address to trick the JSTOR servers.
Swartz was first indicted in November 2011, but federal prosecutors filed a superseding indictment in September 2012 that added nine more felony counts, increasing Swartz’s maximum criminal exposure to 50 years of imprisonment and $1 million in criminal fines. According to Swartz’s attorney Elliot Peters, the prosecutors offered Swartz a plea deal in which he would pled guilty to 13 felonies in exchange for a four or six month sentence. The prosecutors also stated that they would seek a seven year sentence should Swartz exercise his constitutional right to a trial. The government took this hard-line position despite the fact that the “victims” MIT and JSTOR declined to pursue civil litigation. In fact, JSTOR actually informed the prosecutors that it did not want to press charges. Tragically, under the weight of the prosecution and potential prison sentence, Swartz committed suicide on January 11, 2013. After his death, the federal prosecutors dropped the charges.
For analysis of the Swartz prosecution, see Professor Orin Kerr’s two-part session here and here, posts from the Electronic Frontier Foundation here and here, and a two-part post from Jennifer Granick at the Center for Democracy and Technology here and here.
U.S. v. Sergey Aleynikov, No. 11-1126 (2d Cir. Apr. 11, 2012)
A computer programmer, Aleynikov allegedly stole proprietary computer source from his former employer (Goldman Sachs) and transferred it to his new employer. He was charged with violating the Economic Espionage Act (EEA), the National Stolen Property Act (NSPA), and the CFAA. Prior to trial, the U.S. District Court dismissed Count Three, the CFAA charge, on the ground that Aleynikov was authorized to access the Goldman computer and did not exceed the scope of authorization. Specifically, the court ruled that authorized use of a computer in a manner that misappropriates information is not an offense under the CFAA. A jury then convicted Aleynikov on the remaining counts and he appealed.
The Second Circuit reversed Aleynikov’s conviction on both counts (opinion). On count one, the court held that the theft and subsequent interstate transmission of purely intangible property is beyond the scope of the NSPA. The court similarly reasoned that the theft of source code relating to the high frequency trading system is not an offense under the EEA. Shortly after the Second Circuit vacated Aleynikov’s conviction, the Manhattan District Attorney’s Office initiated a prosecution against him based on state criminal law.
U.S. v. David Nosal, No. 10-10038 (9th Cir. Apr. 10, 2012)
The prosecution of David Nosal revolved around his enlistment of former colleagues to use their log-in credentials to download certain information from company computers in order to assist him in starting a new, competing business. These colleagues were authorized to access this information, but disclosing it violated company policy. The government charged Nosal with twenty counts, including trade secret theft, mail fraud, conspiracy, and violations of the CFAA. Following a motion to dismiss, the U.S. District Court dismissed the CFAA counts on the ground that the definition of “exceeds authorized access” does not incorporate corporate policies governing use of information. The government appealed and the Ninth Circuit agreed (opinion).
The Ninth Circuit reasoned that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions. The court cited the rule of lenity, as well as basic common sense, for reaching this conclusion. Specifically, the court reasoned that a narrower interpretation is appropriate since the CFAA is an anti-hacking statute and Congress dealt with misappropriation of trade secrets in another part of the federal code. As the colleagues had permission to access the company databases and obtain the information, their conduct could not be “without authorization” nor could it “exceed authorized access.” The Ninth Circuit affirmed the dismissal of the CFAA counts and the government proceeded to prosecute and convict Nosal on the remaining counts.
U.S. v. Elaine Cioni, No. 09-4321 (4th Cir. Apr. 20, 2011)
The Cioni case involved a federal criminal statute that has two overlapping misdemeanor criminal offenses that prohibit hacking into email accounts. Ordinarily, first offenses under the Computer Fraud and Abuse Act and the Stored Communications Act are misdemeanors, unless committed, among other things, in furtherance of another crime. In Cioni, the government attempted stacking the misdemeanors to obtain a felony conviction. Cioni was convicted of multiple counts and appealed her conviction to the Fourth Circuit.
In an amicus brief, NACDL argued that Cioni’s CFAA offense, unauthorized access to stored email, was not committed “in furtherance of” an SCA violation, because both convictions were based on the same conduct. The government’s attempt to count the same conduct as both an underlying misdemeanor and as the basis for a felony conviction violates the Double Jeopardy Clause. The Fourth Circuit agreed (opinion), holding that the CFAA charges had been improperly elevated to felony offenses and sent the case back to the district court to reduce the convictions to misdemeanors.
U.S. v. Lori Drew, No. CR 08-0582-GW (C.D. Cal. Aug. 28, 2009)
The prosecution of Lori Drew, sometimes referred to as the “MySpace Suicide Case,” took place following the tragic suicide of a 13-year old girl. Drew and others set-up a fictitious account on the social media website MySpace in order to target this girl. Such conducted violated the MySpace terms of service and, when the conduct ultimately resulted in the girl’s suicide, federal prosecutors responded by charging Drew with multiple violations of the CFAA and conspiracy. Following a jury trial, Drew was acquitted of all counts but for one misdemeanor violation of the CFAA.
The U.S. District Court set aside the jury’s guilty verdict in an opinion rejecting the government’s position that violating a website’s terms of service can constitution a federal offense. The judge reasoned that reading the statute in such a manner would deprive individuals of actual notice and be an overwhelmingly overbroad enactment that converts a multitude of otherwise innocent internet users into federal criminals.