Law Enforcement

DOJ releases controversial cybercrime prosecution memo

Shutterstock image. Copyright  enzozo. 

The Department of Justice has just released a two-year-old policy document that provides guidance to prosecutors on what triggers an investigation or arrest under the Computer Fraud and Abuse Act. The release is raising questions, however, about why DOJ kept the policy under wraps until recent litigation prompted the release.

The department posted a blog on Oct. 26 promoting its commitment to transparency and rule of law regarding cybercrime, and in it stated the following: "In the course of recent litigation, the department yesterday shared the policy under which we choose whether to bring charges under the Computer Fraud and Abuse Act."

The post did not provide any details on the litigation, nor did DOJ officials respond to a request for such details or an explanation of why the document was withheld from the public from the outset.

The CFAA dates to the 1980s, and DOJ, Congress and civil liberties groups have long been calling for revisions to the act to bring it in line with advances in cybertechnology and cybercrime.

"It is, of course, not enough to have effective laws; those laws must also be enforced responsibly and consistently," read the DOJ post. "It is also important that the public understand how the department applies the law in this context."

The memorandum, issued on Sept. 11, 2014, by then-Attorney General Eric Holder, stated that it was not binding or all-inclusive, but rather that it simply provided guidance to prosecutors.

That guidance focused on eight different factors that could or should be considered by U.S. attorneys when deciding whether to press charges in a case of alleged cybercrime. Prosecution, it states, is to be pursued only when it serves a "substantial federal interest."

Determining factors include the "sensitivity of the affected computer system or the information transmitted by or stored on it;" the national security implications of the crime; impact of the crime on victims; the deterrent value of the investigation; and whether the crime can be prosecuted by another jurisdiction if it is declined for federal prosecution.

Another criteria is if information is obtained by "exceeding authorized access," which can mean anything from a system administrator invading the privacy of email accounts for personal gain to a government official accessing information on government computers in violation of stated rules – Edward Snowden, for example.

The blog post concludes: "We are proud of the work we have done to protect the privacy and security of Americans online.  Through this policy, the department continues to take very seriously our responsibility to seek justice for the victims of cybercrime and to do so in a fair and responsible manner."

While there have been some significant and celebrated prosecutions of cybercriminals under the CFAA, there also have been controversial cases like that of Aaron Schwartz. The young programmer and hacktivist was indicted under the CFAA for alleged unauthorized access to a Massachusetts Institute of Technology computer system from which he downloaded academic journals. Schwartz committed suicide while fighting 13 federal charges.

The Electronic Frontier Foundation has criticized a number of aspects of the CFAA over the years, in particular aspects of the law that relate to unauthorized access. "The law does not explain what 'without authorization' actually means," the EFF wrote in a 2013 call for reform of CFAA. "The statute does attempt to define 'exceeds authorized access,' but the meaning of that phrase has been subject to considerable dispute."

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.


  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.