By TJ Wong, CLS ’20
The Internet of Things (IOT) has made a lot of things in life much easier, including making the perfectly cooked toast.[1] The concept refers to the development of internet-connected versions of ordinary objects, which span everything from coffeemakers to smart cars.[2] While offering endless benefits to daily life, the rapid rise of IOT has generated serious implications for existing computer crime laws, namely the Computer Fraud and Abuse Act (CFAA). Enacted as an amendment to existing laws addressing computer-related criminal activity,[3] the CFAA prohibits accessing a computer without authorization or exceeding authorized access and obtaining information from any “protected computer,” under § 1030(a)(2).[4] Courts have often easily accepted the broad definition of “protected computer” in light of other, more prominent limitations of the CFAA;[5] however, the seemingly endless proliferation of IOT devices justifies reconsidering “protected computer” as a worthy limitation on the breadth of conduct criminalized by the statute.
The CFAA currently defines “protected computer” as a computer that is “exclusively for the use of a financial institution or the United States Government,” or one that is “used in or affecting interstate or foreign commerce or communication.”[6] While the CFAA originally covered only important “federal interest” computers,[7] courts across the country have since interpreted “protected computer” to encompass any computer with an internet connection.[8] Furthermore, a “computer” is defined to essentially cover any device that processes or stores data,[9] including computer networks, databases, cell phones, MP3 players, refrigerators, and temperature control units.[10] As the definition covers anything with a microchip,[11] it includes all IOT devices feeding us data online, such as fitness watches and voice assistants. In the age of IOT, the CFAA’s definition of “protected computers” expands to cover items beyond the plain meaning of the term, since toasters or refrigerators are not typically viewed in society as “computers.” As “Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking,”[12] it seems unlikely that this dramatic expansion was contemplated.
This ever-expanding coverage of the term “protected computer” raises issues of vagueness and overly broad criminalization over the scope of the CFAA. For example, in conjunction with the Ninth Circuit’s interpretation of “without authorization” to cover common practices like password sharing, the extremely broad definition of “protected computer” contributes to potentially criminalizing individuals who share accounts over IOT devices.[13] Instead of using “protected computer” to serve as a significant limitation on the CFAA, courts have dedicated more attention to determining the scope of “without authorization or exceeds authorized access,” as well as relying on prosecutorial discretion to check arbitrary enforcement.[14] However, this approach may prove untenable in light of the uncertainty surrounding other CFAA terms, as circuits have been split over the proper interpretations of “without authorization” and “exceeds authorized access.”[15]
If it is not given enough attention, the expansive definition of “protected computers” could lead to unintended consequences after a circuit declares its stance on “access” or “authorization.” For example, the Second Circuit in United States v. Valle, 807 F.3d 508, 524 (2d Cir. 2015), held that “one ‘accesses a computer without authorization’ if he accesses a computer without permission to do so at all,”[16] along with interpreting “exceeds authorized access” as a limitation on access and not on use.[17] Consider a company that gives employees IOT devices such as voice assistants, indoor security cameras, smart keychains, or fitness watches. Under the Valle court’s interpretations of access and authorization, an IT employee of this company, who has a single proper purpose to access the devices for maintenance or troubleshooting, could potentially be free from CFAA liability after observing and obtaining very personal information on other employees – e.g., biometric data, location tracking, online retail or medicine orders, or even video feeds.[18] These cases also involve radically distinct types of information without the statute, as currently constructed, being able to adequately account for these differences.
The broadening scope of “protected computers” to cover everything from computers of financial institutions and the U.S. government to fitness watches, baby monitors, and home thermostats also creates problems for the penalty structure of the CFAA. The CFAA criminalizes intentionally accessing a computer without authorization or exceeding authorized access and obtaining information from any protected computer;[19] however, as mentioned above, the types of information that can be obtained from “protected computers” can be drastically and increasingly different. Nonetheless, a statutory maximum of one-year imprisonment and fines applies, with heightened penalties reserved for offenses with commercial purposes, offenses in furtherance of other unlawful conduct, information valued above $5,000, and individuals with prior CFAA convictions.[20] As such, the statutory penalties could fail to reflect whether the information improperly accessed and obtained was secrets from a government or bank computer, private biometric information, logs of someone’s shopping history, or records of one’s intimate at-home behaviors.[21] By establishing workable and meaningful distinctions between types of internet-connected devices, the CFAA could be more effective in criminalizing and deterring malicious conduct. With the rapid, constant innovation in technology, Congress may never be able to create definitions that stand the test of time; however, in light of the Internet of Things, it’s time that the CFAA is reevaluated to distinguish between traditional “computers” and smart toasters.
[1] Roberto Baldwin, The world now has a smart toaster (Jan. 4, 2017), https://www.engadget.com/2017/01/04/griffin-connects-your-toast-to-your-phone/
[2] Jacob Morgan, A Simple Explanation Of ‘The Internet Of Things’ (May 14, 2014), https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#5b3598c11d09
[3] OFFICE OF LEGAL EDUC., EXEC. OFFICE FOR U.S. ATT’YS, PROSECUTING COMPUTER CRIMES 1-2 (2010), http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf (last visited Mar. 29, 2019).
[4] 18 U.S.C. § 1030(a)(2)(C).
[5] Namely, interpretations of “without authorization or exceeding authorized access” and prosecutorial discretion. See generally United States v. Yücel, 97 F.Supp.3d 419 (S.D.N.Y. 2015); LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs. v. Citrin, 440 F.3d 418 (7th Cir. 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).
[6] 18 U.S.C. § 1030(e)(2).
[7] Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561, 1563 (2010).
[8] See Yücel, 97 F.Supp.3d 418-19 (collecting cases and noting “widespread agreement in the case law”).
[9] 18 U.S.C. § 1030(e)(1). NOTE: stated exceptions for automatic typewriters, hand held calculators, or “other similar device[s].”
[10] See United States v. Kramer, 631 F.3d 900, 902 (8th Cir. 2011); see also United States v. Nosal, 844 F.3d 1024, 1032 (9th Cir. 2016) (Nosal II); United States v. Mitra, 405 F.3d 492, 495 (7th Cir. 2005).
[11] Kerr, supra note 7, at 1572-72.
[12] United States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012).
[13] Nosal, 844 F.3d 1024, 1050-51 (Nosal II) (Reinhardt, J., dissenting).
[14] Yücel, 97 F.Supp.3d 419; see supra note 5.
[15] Tiffany Curtiss, Computer Fraud and Abuse Act Enforcement: Cruel, Unusual, and Due for Reform, 91 Wash. L. Rev. 1813, 1823 (2016).
[16] United States v. Valle, 807 F.3d 508, 524 (2d Cir. 2015).
[17] Id. at 527-28.
[18] These are types of data possibly acquired from popular IOT devices, such as voice assistants, indoor security cameras, smart keychains, and fitness watches.
[19] 18 U.S.C. § 1030(a)(2)(A)-(C).
[20] 18 U.S.C. § 1030(c)(2)(A)-(C).
[21] Id.; see supra note 18.