Senator's claims of CIA violating computer fraud act shaky, legal expert says

Establishing CFAA liability could be uphill task for Sen. Dianne Feinstein

Sen. Dianne Feinstein's (D-Calif.) claim earlier this week that the CIA violated provisions of the Computer Fraud and Abuse Act (CFAA) when it accessed computers used by members of the Senate Intelligence Committee, could be hard to substantiate, according to a leading legal expert.

For one thing, it's not clear whether the CIA had rights to the accessed computers, at least as defined under the CFAA, said Orin Kerr, a law professor at the George Washington University Law School and a former trial attorney at the U.S. Department of Justice.

It's also not clear if the restrictions the Intelligence Committee had in place for governing access to the computers were strong enough to trigger a CFAA access violation claim, Orin wrote in a blog for Lawfare.

Earlier this week, Feinstein accused the CIA of illegally accessing computers used by members of the Senate Intelligence Committee to investigate the agency's detention and interrogation practices during the George W. Bush administration.

The CIA set up the Intelligence Committee's computers at a facility in northern Virginia to enable committee members to review tens of thousands of documents, memos, and other files pertaining to the CIA's interrogation practices.

The only CIA officials who were supposed to have access to the network were the agency's IT personnel, who were not permitted to share information gathered from the system with others at the agency.

According to Feinstein, however, CIA officials accessed the network anyway and removed documents that would have cast an unfavorable light on the agency's detention and interrogation practices. CIA officials accessed the walled-off committee network to remove documents previously provided to them by the CIA and to access the committee's internal work and communications, Feinstein charged Tuesday.

She alleged the agency's actions violated the CFAA's provisions against unauthorized access to a protected computer and an executive order prohibiting the agency from conducting domestic searches.

The CFAA is a federal statute that makes it illegal for someone to knowingly access a computer without authorization or to exceed authorized use of a system. It is an online anti-trespassing law that has gained considerable notoriety in recent years because of the manner in which over-zealous prosecutors have used the law to prosecute crimes for which it was never intended.

Critics have claimed that the ambiguous wording of the law allows prosecutors to pursue felony charges against individuals for minor terms of service and computer misuse violations.

Courts around the country have been split on how the law should be interpreted. Some courts have held that people with valid access to data on a computer cannot be held liable under CFAA if they later abuse that access to steal, sabotage or misuse the data. Other courts have ruled the opposite way.

In Feinstein's instance, it is not clear at all who controls access to the computer network in question, Kerr wrote. Though the intelligence committee is the primary operator of the network, is the CIA that owns the systems and the network.

"Who has the superior claim to control access? I don't think there's an obvious answer," Kerr wrote. It is possible that the CIA has a better claim to controlling access since it owns the system and maintains the right to have IT people access the systems, he said.

The kind of restrictions the committee had in place for governing access to the systems is also important, Kerr noted. If the only barrier to access was a contractual agreement between the two sides, that alone may not be enough to trigger a CFAA violation.

Some courts have held that the CFAA can only be applied in situations where someone deliberately circumvents or overrides an access restriction, like breaking a password-protected system. Others have held that persons can be held liable under CFAA even for breaking a contractual agreement.

"Was the only barrier to CIA access the agreement between the CIA and the Intelligence Committee? If so, that implicates the circuit split over whether violation of contractual terms can trigger CFAA liability," Kerr said.

The CIA could also use its status as an intelligence agency to seek exemption from the CFAA's provision if it can show the access was part of lawfully authorized activity.

"Establishing CFAA liability requires concluding that the Committee properly controlled access; that the CIA violated an access restriction that the CFAA protects; that the violation was intentional; and that the exception doesn't apply," he noted.

This article, Senator's claims of CIA violating computer fraud act shaky, legal expert says, was originally published at Computerworld.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about government it in Computerworld's Government IT Topic Center.

Tags privacyintelU.S. Department of JusticeGovernment ITGeorge Washington UniversityDepartment of JusticecyberwarfareSena

Show Comments