Press Delete, Go Directly to Jail? The Scope of the Computer Fraud and Abuse Act’s Damage Provision
Can deleting information, even personal information, from your work computer land you in prison? That was the central question posed in USA v. Zeng, Case No. 4:16-cr-00172 in the Northern District of California.
Mr. Zeng is a former employee of gaming company Machine Zone, Inc., a Silicon Valley company famous for its “Game of War: Fire Age” video game and its commercials featuring supermodel Kate Upton and former Governor Arnold Schwarzenegger. He was charged with one felony count of “damaging” his company-issued laptop under the Computer Fraud and Abuse Act (“CFAA”).
Mr. Zeng was arrested by the FBI in August 2015, after being accused of stealing trade secrets from Machine Zone. The FBI alleged that Mr. Zeng was attempting to use the purportedly stolen trade secrets in China. The arrest and the subsequent arraignment were widely covered in the media.
After more than a year of legal motions and negotiations, the prosecution dismissed most of the charges, including the allegations of trade secret theft. However, the government maintained a single felony charge under the damage provision of the CFAA, which prohibits “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” (18 U.S.C. § 1030(a)(5)).
Codified in 1986, the CFAA targets hackers. It contains various subsections that impose civil penalties and make it a crime to commit acts such as accessing or deleting electronic information without authorization. The law, however, has come under widespread criticism in the media for its overbreadth. Critics claim that the law gives corporations and federal prosecutors unchecked power to prosecute employees for almost any conduct on their work machines, even deleting personal files temporarily saved on a work computer.
The popular criticism of the CFAA has spread into the courts. There, most of the litigation has focused on what employees are authorized to do on their work computers and what corporate outsiders are allowed to do with publicly viewable information on social media websites. For example, is an employee who has access to a certain database for technical purposes allowed to actually view it, even for a non-work purpose? Can a company scrape publicly viewable data on Facebook and make use of it? The answer to these questions depends largely on the scope of the authorization that the employee or the visitor to the Facebook page has.
Mr. Zeng’s case, however, focused on a different aspect of the CFAA, namely, what constitutes damage to a computer? In a federal criminal trial before the Honorable Judge James Donato held in July, the federal government argued that the deletion of any information, no matter whether the deletion was permanent, or whether the information deleted was valuable to Mr. Zeng’s employer, qualified as damage under the CFAA so long as it could prove Mr. Zeng intended to delete the information. In other words, intentionally pressing the “Delete” key constituted the transmission of a command that damaged a protected computer. Indeed, since Mr. Zeng had admittedly erased the contents of the laptop before returning it to the company, the government’s proposed interpretation of the CFAA was breathtakingly broad.
Conversely, Mr. Zeng presented several arguments that would limit the scope of the CFAA’s damage provision. He argued, based on case law from other jurisdictions, that the deletion had to occur via an external transmission. He also argued that the government had to prove that the company could not access the deleted information via an alternative source. Judge Donato tested both sides’ arguments but appeared particularly troubled by the broad scope of the government’s argument. During the government’s closing argument, Judge Donato asked the government’s lawyer whether it made her queasy that an employee, in a dyspeptic moment, could erase files from his or her computer and be guilty of a federal felony. The lawyer responded that, in this case, Mr. Zeng’s conduct exhibited more than a mere dyspeptic moment, but she dodged the Court’s more generalized fear.
Ultimately, Judge Donato demonstrated that this thought at least made him queasy. On December 5, Judge Donato found Mr. Zeng not guilty without providing further explanation. In case you’re wondering, he did not need to provide an explanation for his decision. Of course, this was great news for Mr. Zeng, who had endured criminal prosecution for over two years. However, without the benefit of Judge Donato’s reasoning, the scope of the CFAA’s damage provision remains nebulous.
Unless you have been living in a bunker for at least the past year, you know that hacking is one of the central topics facing corporations and law enforcement these days. Beyond the news of Russia’s state-sponsored hack of the 2016 U.S. Presidential election, there have been other high-profile hacks such as the Equifax data breach in 2017. These well-known hacks underscore the danger posed by failures in cybersecurity as technology becomes more ubiquitous in everyday life. However, the laws we have to fight these hacks, such as the CFAA, are antiquated and, as in Mr. Zeng’s case, can target innocent people. Cases like Mr. Zeng’s make clear that in addressing the critical need for cybersecurity, we must update the laws that enforce it to ensure that we protect the public safety without compromising the freedoms we value so dearly.