Press Delete, Go Directly to Jail? The Scope of the Computer Fraud and Abuse Act’s Damage Provision
05 January 2018
Can deleting information, even personal information, from your work computer land you in prison? That was the central question posed in USA v. Zeng, Case No. 4:16-cr-00172 in the Northern District of California.
Mr. Zeng is a former employee of gaming company Machine Zone, Inc., a Silicon Valley company famous for its “Game of War: Fire Age” video game and its commercials featuring supermodel Kate Upton and former Governor Arnold Schwarzenegger. He was charged with one felony count of “damaging” his company-issued laptop under the Computer Fraud and Abuse Act (“CFAA”).
Mr. Zeng was arrested by the FBI in August 2015, after being accused of stealing trade secrets from Machine Zone. The FBI alleged that Mr. Zeng was attempting to use the purportedly stolen trade secrets in China. The arrest and the subsequent arraignment were widely covered in the media.
After more than a year of legal motions and negotiations, the prosecution dismissed most of the charges, including the allegations of trade secret theft. However, the government maintained a single felony charge under the damage provision of the CFAA, which prohibits, “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” (18 U.S.C. § 1030 (a)(5)).
Codified in 1986, the CFAA targets hackers. It contains various subsections that impose civil penalties and make it a crime to do such acts as accessing or deleting electronic information without authorization. The law, however, has come under widespread criticism in the media for its overbreadth. Critics claim that the law gives corporations and federal prosecutors unchecked power to prosecute employees for almost any conduct they commit on their work machines, even deleting personal files temporarily saved on a work computer.
The popular criticism of the CFAA has spread into the Courts. There, most of the litigation has focused on what employees are authorized to do on their work computers and what corporate outsiders are allowed to do with publicly viewable information on social media websites. For example, is an employee who has access to a certain database for technical purposes allowed to actually view it, even for a non-work purpose? Can a company scrape publicly viewable data on Facebook and make use of it? The answer to these questions depends largely on the scope of the authorization that the employee or the visitor to the Facebook page has.
Mr. Zeng’s case, however, focused on a different aspect of the CFAA, namely, what constitutes damage to a computer? In a federal criminal trial before the Honorable Judge James Donato held in July, the federal government argued that the deletion of any information, no matter whether the deletion was permanent, or whether the information deleted was valuable to Mr. Zeng’s employer, qualified as damage under the CFAA so long as it could prove Mr. Zeng intended to delete the information. In other words, intentionally pressing the “Delete” key constituted the transmission of a command that damaged a protected computer. Indeed, since Mr. Zeng had admittedly erased the contents of the laptop before returning it to the company, the government’s proposed interpretation of the CFAA was breathtakingly broad.
Conversely, Mr. Zeng presented several arguments that would limit the scope of the CFAA’s damage provision. He argued, based on case law from other jurisdictions, that the deletion had to occur via an external transmission. He also argued that the government had to prove that the company could not access the deleted information via an alternative source. Judge Donato tested both sides’ arguments but appeared particularly troubled by the broad scope of the government’s argument. During the government’s closing argument, Judge Donato asked the government’s lawyer whether it made her queasy that an employee, in a dyspeptic moment, could erase files from his or her computer and be guilty of a federal felony? The lawyer responded with an argument that in this case Mr. Zeng’s conduct exhibited more than a mere dyspeptic moment but dodged the Court’s more generalized fear.
Ultimately, Judge Donato demonstrated that this thought at least made him queasy. On December 5, Judge Donato found Mr. Zeng not guilty without providing further explanation. In case you’re wondering, he did not need to provide an explanation for his decision. Of course, this was great news for Mr. Zeng, who had endured criminal prosecution for over two years. However, without the benefit of Judge Donato’s reasoning, the scope of the CFAA’s damage provision remains nebulous.
Unless you have been living in a bunker for at least the past year, you know that hacking is one of the central topics facing corporations and law enforcement these days. Beyond the news of Russia’s state-sponsored hack of the 2016 U.S. Presidential election, there have been other high-profile hacks such as the Equifax data breach in 2017. These well-known hacks underscore the danger posed by failures in cybersecurity as technology becomes more ubiquitous in everyday life. However, the laws we have to fight these hacks, such as the CFAA, are antiquated and, as in Mr. Zeng’s case, can target innocent people. Cases like Mr. Zeng’s make clear that in addressing the critical need for cybersecurity, we must update the laws that enforce it to ensure that we protect the public safety without compromising the freedoms we value so dearly.
Mr. Zeng is a former employee of gaming company Machine Zone, Inc., a Silicon Valley company famous for its “Game of War: Fire Age” video game and its commercials featuring supermodel Kate Upton and former Governor Arnold Schwarzenegger. He was charged with one felony count of “damaging” his company-issued laptop under the Computer Fraud and Abuse Act (“CFAA”).
Mr. Zeng was arrested by the FBI in August 2015, after being accused of stealing trade secrets from Machine Zone. The FBI alleged that Mr. Zeng was attempting to use the purportedly stolen trade secrets in China. The arrest and the subsequent arraignment were widely covered in the media.
After more than a year of legal motions and negotiations, the prosecution dismissed most of the charges, including the allegations of trade secret theft. However, the government maintained a single felony charge under the damage provision of the CFAA, which prohibits, “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” (18 U.S.C. § 1030 (a)(5)).
Codified in 1986, the CFAA targets hackers. It contains various subsections that impose civil penalties and make it a crime to do such acts as accessing or deleting electronic information without authorization. The law, however, has come under widespread criticism in the media for its overbreadth. Critics claim that the law gives corporations and federal prosecutors unchecked power to prosecute employees for almost any conduct they commit on their work machines, even deleting personal files temporarily saved on a work computer.
The popular criticism of the CFAA has spread into the Courts. There, most of the litigation has focused on what employees are authorized to do on their work computers and what corporate outsiders are allowed to do with publicly viewable information on social media websites. For example, is an employee who has access to a certain database for technical purposes allowed to actually view it, even for a non-work purpose? Can a company scrape publicly viewable data on Facebook and make use of it? The answer to these questions depends largely on the scope of the authorization that the employee or the visitor to the Facebook page has.
Mr. Zeng’s case, however, focused on a different aspect of the CFAA, namely, what constitutes damage to a computer? In a federal criminal trial before the Honorable Judge James Donato held in July, the federal government argued that the deletion of any information, no matter whether the deletion was permanent, or whether the information deleted was valuable to Mr. Zeng’s employer, qualified as damage under the CFAA so long as it could prove Mr. Zeng intended to delete the information. In other words, intentionally pressing the “Delete” key constituted the transmission of a command that damaged a protected computer. Indeed, since Mr. Zeng had admittedly erased the contents of the laptop before returning it to the company, the government’s proposed interpretation of the CFAA was breathtakingly broad.
Conversely, Mr. Zeng presented several arguments that would limit the scope of the CFAA’s damage provision. He argued, based on case law from other jurisdictions, that the deletion had to occur via an external transmission. He also argued that the government had to prove that the company could not access the deleted information via an alternative source. Judge Donato tested both sides’ arguments but appeared particularly troubled by the broad scope of the government’s argument. During the government’s closing argument, Judge Donato asked the government’s lawyer whether it made her queasy that an employee, in a dyspeptic moment, could erase files from his or her computer and be guilty of a federal felony? The lawyer responded with an argument that in this case Mr. Zeng’s conduct exhibited more than a mere dyspeptic moment but dodged the Court’s more generalized fear.
Ultimately, Judge Donato demonstrated that this thought at least made him queasy. On December 5, Judge Donato found Mr. Zeng not guilty without providing further explanation. In case you’re wondering, he did not need to provide an explanation for his decision. Of course, this was great news for Mr. Zeng, who had endured criminal prosecution for over two years. However, without the benefit of Judge Donato’s reasoning, the scope of the CFAA’s damage provision remains nebulous.
Unless you have been living in a bunker for at least the past year, you know that hacking is one of the central topics facing corporations and law enforcement these days. Beyond the news of Russia’s state-sponsored hack of the 2016 U.S. Presidential election, there have been other high-profile hacks such as the Equifax data breach in 2017. These well-known hacks underscore the danger posed by failures in cybersecurity as technology becomes more ubiquitous in everyday life. However, the laws we have to fight these hacks, such as the CFAA, are antiquated and, as in Mr. Zeng’s case, can target innocent people. Cases like Mr. Zeng’s make clear that in addressing the critical need for cybersecurity, we must update the laws that enforce it to ensure that we protect the public safety without compromising the freedoms we value so dearly.
Related Insights
10 October 2024
Viewpoints
Proposed Rule Targeting Connected Vehicles Will Impose Major New Supply Chain Compliance Requirements on Automotive Companies that Source from Russia or China
On September 26, 2024, the Department of Commerce’s Bureau of Industry and Security (BIS) published a Notice of Proposed Rulemaking that, if finalized, would prohibit the sale or import of certain automotive hardware and software, as well as “connected vehicles” incorporating this technology, from or linked to the People’s Republic of China or Russia.
11 October 2024
Events
Managing Risk and Driving Resilience | Cybersecurity Summit 2024
On Friday, October 11, Foley Partner Jen Urban will speak on the panel titled, “Managing Risk and Driving Resilience.”
10 October 2024
Manufacturing Industry Advisor
Stellantis Files String of Lawsuits Against UAW Claiming Strike Threats Are Bad Faith
On October 7, 2024, in a coordinated attack, Chrysler owner Stellantis filed a string of lawsuits across multiple jurisdictions against the United Auto Workers Union (“UAW”) and numerous local chapters regarding the UAW’s threats to strike if Stellantis does not move forward with planned investments in its U.S. operations.