WASHINGTON >> It’s clearly illegal to hack into someone else’s computer network and steal information from it. But what about a police officer who uses his own department’s computer database to look up women from his past? Or an employee who uses his log-in credentials to download confidential information from his employer?
These are questions that for years have vexed the courts, which have struggled to define the difference between permissible and illegal computer use.
Stung by recent court decisions that have gone against them, Justice Department lawyers are making a fresh push to clarify a computer trespass law that critics malign as overly broad. The 1986 law was intended to punish hackers, but the government has had difficulty applying it to company employees and other insiders who have permission to access a computer — but abuse that right by using the machine in ways they don’t have authorization for.
While the concerns aren’t new, they attracted attention this year after President Barack Obama suggested changes to the Computer Fraud and Abuse Act as part of broader cybersecurity legislation. The Justice Department also has appealed to Congress, which is expected to take up other cybersecurity measures in the coming weeks.
"These are really hard issues of what should the law cover and what should it not cover," said George Washington University law professor Orin Kerr. "It’s totally understandable that we’re having this discussion and not sure what the answer should be, because this is a new kind of technological problem."
Critics, including judges, have long expressed concern that people could be prosecuted under the anti-fraud law for computer use that while technically unauthorized is nonetheless benign. An appeals court recently raised the prospect that checking sports scores at work could theoretically lead to prosecution, though the Justice Department says it’s never had any interest in going after that kind of behavior.
Justice Department lawyers have sought to allay those fears by proposing to narrow the standards for prosecution. They’ve proposed limiting the law’s use to circumstances including misuse of a government database, the theft of $5,000 or more, or when the computer access was part of another felony such as blackmailing a co-worker.
"What we need is a law that makes clear that if you exceed authorized access for nefarious purposes … that that’s a violation of the law," said Assistant Attorney General Leslie Caldwell.
Sens. Lindsey Graham, R-S.C., and Sheldon Whitehouse, D-R.I., have drafted legislation similar to the Justice Department proposal that aides say could be introduced soon. In the meantime Whitehouse has attached an amendment that would punish by up to 20 years damage to a "critical infrastructure computer," such as one that controls the electric power grid, to a broader cyber bill expected to be considered soon by the Senate.
Yet even some critics of the existing law say they believe the government already has enough tools to punish computer crime, without making changes.
"All of this is a solution in search of a problem," said Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, a privacy group.
Though the Justice Department has successfully used the existing statute many times, its proposal comes amid recent decisions in appeals courts — including in a lawsuit involving trade secrets — that have interpreted the law in ways prosecutors didn’t like.
The issue surfaced last month when the California-based 9th U.S. Circuit Court of Appeals threw out computer access charges against Anthony Pellicano, a Hollywood private eye who wiretapped phones for celebrity clients to dig up dirt on rivals, and several alleged conspirators. The court upheld most of the convictions but found that the jury was given improper instructions on the law.
The same court in 2012 rejected computer access charges against a former employee of an executive search firm who had been accused of encouraging some of his ex-colleagues to help him start a competing business by using their log-in credentials to download trade secrets. The court said the government’s view created a slippery slope.
"Basing criminal liability on violations of private computer-use (policies) can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," wrote Judge Alex Kozinski. "Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of The New York Times to read at work, but they’d better not visit ESPN.com."
A federal appeals court in New York is weighing the issue in the case of Gilberto Valle, a former New York City police detective dubbed the "cannibal cop" for his online exchanges about kidnapping and eating women. Though a judge dismissed most of the case, Valle is appealing his conviction for using an NYPD database to look up women he targeted. His supporters say that action could not have been a crime because, as an officer, he was entitled to access the database.
It’s not clear what action Congress will take, but it’s also not clear that it needs to do anything, said Kerr, the law professor.
"It’s a hard set of problems for Congress to try to figure out, because you have courts disagreeing on what the rules should be," Kerr said. "And one option is to just wait for the Supreme Court to say what the rules actually are."