By: Michael S. Dorsi
The Washington Post published an article suggesting that the Twitter employee who deleted @realDonaldTrump might be criminally liable under the Computer Fraud and Abuse Act (“CFAA”).[fn1] The article, which draws on comments by Lawfare’s Benjamin Wittes and Chris Calabrese of the Center for Democracy and Technology, focuses on the misdemeanor access without authorization provision, 18 U.S.C. § 1030(a)(2)(C).[fn2] This provision attracts a lot of attention because it is very broad.[fn3]
The article focuses on whether the Twitter employee accessed without authorization, but then twists around to whether, while using that access, the employee did something he was not supposed to do. That is an invalid reading of the law, at least in the Ninth Circuit.[fn3] The access without authorization provision only criminalizes access, not what a person does once he or she has access. So the Twitter employee has nothing to fear, right? Wrong.
Just because the most notable part of the law is not implicated does not mean the law does not apply. A different provision, 18 U.S.C. § 1930(a)(5)(A), makes it a crime to “knowingly cause the transmission of a . . . command, and as a result of such conduct, intentionally cause damage without authorization, to a protected computer.” The story, as reported, indicates that the Twitter employee knowingly caused the transmission of a command that shut down @realDonaldTrump. The question is whether that shut down caused “damage” without authorization.
And a note of caution here: this offense does not require the defendant to access without authorization — it doesn’t require the defendant to access the system at all.[fn5] It just requires the defendant to lack authorization to cause damage.
What does it mean to cause damage? Unlike many words in the CFAA, damage actually has a definition in the law. “[T]he term ‘damage’ means any impairment to the integrity or availability of data, a program, a system, or information.”[fn6] Deleting a Twitter account probably impairs the availability of data, a program, a system, and information.
Does an 11-minute interruption qualify? One federal court in California held that changing someone else’s password and refusing to reveal it for two hours was insufficient under both the CFAA and its state-law analog.[fn7] Another case, in San Francisco, held that the CFAA and its state-law analog applied during “extended unavailability of the data.”[fn8] Maybe 11 minutes is not “extended unavailability,” but if I was the Twitter employee, I’d lawyer up.
And if I was his lawyer, I’d read the cases cited in this blog post. Free research. Because information wants to be free, or something like that.
P.S. The trial would probably have to be in San Francisco. Good luck asking Northern California jury to send someone to jail for shutting down Trump’s twitter.[fn9]
[fn1] 18 U.S.C. § 1030.
[fn2] Subsection (a)(2)(C), confers misdemeanor liability on any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.”
[fn3] See, e. g., United States v. Nosal, 676 F.3d 854, 862 (9th Cir. 2012) (Nosal I) (en banc), Michael S. Dorsi & Keenan W. Ng, Computer Criminal Intent, 51 U.S.F. L. Rev. 469, 503–506.
[fn4] Nosal I, supra, at 855.
[fn5] Cf. United States v. Nosal, 844 F.3d 1024, 1039 (9th Cir. 2016), cert. denied, No. 16-1344, 2017 WL 1807382 (U.S. Oct. 10, 2017) (Nosal II)
[fn6] 18 U.S.C. § 1030(e)(8)
[fn7] Welenco, Inc. v. Corbell, 126 F. Supp. 3d 1154, 1168 (E.D. Cal. 2015)
[fn8] NovelPoster v. Javitch Canfield Grp., 140 F. Supp. 3d 954, 961 (N.D. Cal. 2014). Your author argued the motion that resulted in this order in NovelPoster.
[fn9] See United States v. Auernheimer, 748 F.3d 525, 533 (3d Cir. 2014) (quoting United States v. Rodriguez–Moreno, 526 U.S. 275, 279 (1999)).