The United States Justice Department has turned to the Computer Fraud and Abuse Act (CFAA) to augment their prosecutions of leaks by federal government employees or contractors. But a decision issued in June by the U.S. Supreme Court limits the extent to which prosecutors may wield this computer crime law.
In fact, if former U.S. Army intelligence analyst Chelsea Manning or former National Security Agency (NSA) senior executive Thomas Drake were charged today with CFAA violations, it is likely prosecutors may fail to secure convictions.
Prior to the Supreme Court ruling, a split existed. The Second, Fourth, and Ninth Circuits adopted a narrow view of the CFAA while the First, Fifth, Seventh, and Eleventh Circuits favored a broader interpretation. (The Eastern District of Virginia, where most leak cases are currently pursued, is in the Fourth Circuit.)
The CFAA criminalizes anyone who "knowingly accesses" a computer without authorization or "exceeds authorized access" to obtain information that the U.S. government designates as classified or sensitive.
More simply, the law may target a person who "intentionally accesses a computer without authorization or exceeds authorized access" and obtains financial records of a financial institution, information from a U.S. department or agency, or "information from any protected computer."
The Supreme Court heard a challenge brought by Nathan Van Buren, a former Georgia police sergeant, who used "valid credentials" to search a law enforcement database for a license plate number in exchange for money. Van Buren was caught in an FBI sting operation.
What the Supreme Court determined is whether a government employee or contractor violates the computer crime law depends on if the person had authorization to use a particular system to retrieve information.
"An individual 'exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him," the court clarified, siding with Van Buren [PDF].
Military Judge Was Wrong To Convict Manning Of CFAA Violations
While the Supreme Court did not contemplate how the CFAA is applied in leak prosecutions, their ruling certainly matters for future prosecutions of whistleblowers accused of unauthorized disclosures of information.
Manning was convicted in 2013 of Espionage Act charges and other offenses stemming from her decision to provide WikiLeaks over a half million U.S. government documents, which exposed war crimes, diplomatic misconduct, and other instances of wrongdoing and questionable acts by U.S. officials.
She faced two charges of "having knowingly exceeded authorized access on a Secret Internet Protocol Router Network computer," when she used an unauthorized program called W-get to help her retrieve U.S. diplomatic cables.
Colonel Denise Lind, a military judge, ruled that Manning knowingly used a computer by "exceeding authorized access" and that restrictions on access to classified information were not limited to "code-based or technical restrictions on access."
"Restrictions on access to classified information can arise from a variety of sources to include regulations, user agreements, and command policies. Restrictions on access can include the manner of access," Lind added.
Yet, as the Supreme Court recognized, the CFAA is supposed to apply to the unauthorized access of information and not mere violations of use-based restrictions.
"If the 'exceeds authorized access' clause criminalizes every violation of a computer use policy, then millions of otherwise law-abiding citizens are criminals," the court declared. And if the government's interpretation were law, "An employer who sends a personal email or reads the news using her work computer" would be guilty of violating the CFAA.
Manning's defense pointed out during the court-martial that Manning was "authorized to access each and every piece of information [she] accessed." She had the appropriate security clearance. The government did not introduce evidence to suggest that Manning was not permitted to view the cables nor did they offer proof that she was not permitted to download the cables.
Which is similar to the case that was before the Supreme Court, where both sides agreed that Van Buren had authorization to access the law enforcement database.
What Drake Pleaded Guilty To Was Never A Crime
Drake was targeted under the Espionage Act after he communicated with a reporter at the Baltimore Sun and informed the reporter of constitutional violations he witnessed.
The case eventually collapsed, and the Justice Department opted to salvage their prosecution by offering Drake probation if he plead guilty to a misdemeanor charge of "exceeding authorized access" on a government computer.
Prosecutors outlined [PDF]:
...being an employee of the National Security Agency and by virtue of his employment, having authorized access to and use of NSA computers, including but not limited to NSANet, containing both unclassified, official NSA information, and classified information, intentionally exceeded his authorized access of said computers at various times and obtained information from NSANet to provide said information orally and in written form to another not permitted or authorized to receive said information.
However, Drake had the proper security clearance to access the information he shared with the Baltimore Sun reporter. It does not matter whether he violated use restrictions or not.
The Supreme Court decision makes it clear the Justice Department would lack grounds to coerce Drake into pleading to this kind of a misdemeanor if the case was pending today.
What It May Mean For Two WikiLeaks Prosecutions
It is difficult to gauge whether the Supreme Court's decision constrains the ability of the Justice Department to bring CFAA charges against WikiLeaks founder Julian Assange. They accuse him of actually breaking into government computer systems, which is what the law was intended to criminalize.
But it is relevant that Assange's computer crime charge is a conspiracy charge. While prosecutors have shoehorned a host of allegations to bolster this charge, the plain fact is Manning had access and never needed or asked Assange in alleged communications to help her get into any particular databases.
Former CIA engineer Joshua Schulte was accused of leaking the “Vault 7” files to WikiLeaks and charged with violating the Espionage Act and committing other offenses, including "exceeding authorized access" to obtain classified information.
His trial ended in a hung jury in March 2020, and though prosecutors failed to prove to a jury that he was the source, the Justice Department insists on pressing on with a second trial.
Schulte's defense could invoke the Supreme Court's decision to challenge two CFAA charges against him because as a CIA contractor he had access to the documents at issue.
Winner, Albury, Hale, and Snowden's Cases
Former NSA contractor Edward Snowden could still face additional charges if he was ever brought to trial in the United States, but in the initial indictment, the government charged him with violating the Espionage Act when he disclosed documents on mass surveillance to reporters. They did not charge Snowden with violating the CFAA.
Former NSA contractor Reality Winner was charged with violating the Espionage Act when she disclosed a report on alleged Russian hacking to a media outlet. She was not charged with "exceeding authorized access."
Former FBI agent Terry Albury was charged with violating the Espionage Act but not charged with a computer crime, even though he was accused of "accessing documents on his classified FBI computer system and taking photographs of documents on his computer screen."
Former Air Force intelligence analyst Daniel Hale will be sentenced in July after pleading guilty to violating the Espionage Act when he disclosed documents to a media outlet on drone warfare.
Hale was accused of using his "top secret NSA computer to search for classified information concerning individuals and issues" covered by journalist Jeremy Scahill. Yet prosecutors did not charge him with a computer crime.
All four individuals had security clearances to access the information at issue in their cases.
It is impossible to say whether prosecutors recognized they had no grounds for charging them with computer crimes, but what the Supreme Court for the most part settles is the fact that the law does not—and should not—apply to their actions. So prosecutors were correct not to charge them.
The National Whistleblower Center (NWC) submitted a brief in support of the challenge against the government's broad interpretation of the CFAA.
Steve Kohn, president of NWC, hailed the Supreme Court decision as a win for whistleblowers and stated, "Whistleblowers often access computer information and provide it to law enforcement officials, even if those disclosures were not 'authorized' by the company. Consequently, a broad reading could have criminalized typical whistleblower behaviors."
"Companies could have instituted 'computer use policies' that would have prevented employees from turning over files they were authorized to access to law enforcement in an effort to report criminal activity," whistleblower attorney Todd Yoder contended.
Yoder pointed to the "negative implications" whistleblowers already experienced in recent years. "Companies had recently begun to weaponize the civil component of the CFAA to attack employee whistleblowers who took computer data from their employees and provided it to the government as evidence" in False Claims Act cases."
The decision by the Supreme Court was long overdue, and going forward, it should reduce the number of cases where the government flagrantly abuses the computer crime law to clamp down on whistleblowers. At the very least, it will force prosecutors to develop a new tactic.