Law Enforcement

DOJ releases controversial cybercrime prosecution memo

Shutterstock image. Copyright  enzozo. 

The Department of Justice has just released a two-year-old policy document that provides guidance to prosecutors on what triggers an investigation or arrest under the Computer Fraud and Abuse Act. The release is raising questions, however, about why DOJ kept the policy under wraps until recent litigation prompted the release.

The department posted a blog on Oct. 26 promoting its commitment to transparency and rule of law regarding cybercrime, and in it stated the following: "In the course of recent litigation, the department yesterday shared the policy under which we choose whether to bring charges under the Computer Fraud and Abuse Act."

The post did not provide any details on the litigation, nor did DOJ officials respond to a request for such details or an explanation of why the document was withheld from the public from the outset.

The CFAA dates to the 1980s, and DOJ, Congress and civil liberties groups have long been calling for revisions to the act to bring it in line with advances in cybertechnology and cybercrime.

"It is, of course, not enough to have effective laws; those laws must also be enforced responsibly and consistently," read the DOJ post. "It is also important that the public understand how the department applies the law in this context."

The memorandum, issued on Sept. 11, 2014, by then-Attorney General Eric Holder, stated that it was not binding or all-inclusive, but rather that it simply provided guidance to prosecutors.

That guidance focused on eight different factors that could or should be considered by U.S. attorneys when deciding whether to press charges in a case of alleged cybercrime. Prosecution, it states, is to be pursued only when it serves a "substantial federal interest."

Determining factors include the "sensitivity of the affected computer system or the information transmitted by or stored on it;" the national security implications of the crime; impact of the crime on victims; the deterrent value of the investigation; and whether the crime can be prosecuted by another jurisdiction if it is declined for federal prosecution.

Another criteria is if information is obtained by "exceeding authorized access," which can mean anything from a system administrator invading the privacy of email accounts for personal gain to a government official accessing information on government computers in violation of stated rules – Edward Snowden, for example.

The blog post concludes: "We are proud of the work we have done to protect the privacy and security of Americans online.  Through this policy, the department continues to take very seriously our responsibility to seek justice for the victims of cybercrime and to do so in a fair and responsible manner."

While there have been some significant and celebrated prosecutions of cybercriminals under the CFAA, there also have been controversial cases like that of Aaron Schwartz. The young programmer and hacktivist was indicted under the CFAA for alleged unauthorized access to a Massachusetts Institute of Technology computer system from which he downloaded academic journals. Schwartz committed suicide while fighting 13 federal charges.

The Electronic Frontier Foundation has criticized a number of aspects of the CFAA over the years, in particular aspects of the law that relate to unauthorized access. "The law does not explain what 'without authorization' actually means," the EFF wrote in a 2013 call for reform of CFAA. "The statute does attempt to define 'exceeds authorized access,' but the meaning of that phrase has been subject to considerable dispute."

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.