DOJ releases controversial cybercrime prosecution memo

The Department of Justice has just released a two-year-old policy document that provides guidance to prosecutors on what triggers an investigation or arrest under the Computer Fraud and Abuse Act. The release is raising questions, however, about why DOJ kept the policy under wraps until recent litigation prompted the release.

The department posted a blog on Oct. 26 promoting its commitment to transparency and rule of law regarding cybercrime, and in it stated the following: "In the course of recent litigation, the department yesterday shared the policy under which we choose whether to bring charges under the Computer Fraud and Abuse Act."

The post did not provide any details on the litigation, nor did DOJ officials respond to a request for such details or an explanation of why the document was withheld from the public from the outset.

The CFAA dates to the 1980s, and DOJ, Congress and civil liberties groups have long been calling for revisions to the act to bring it in line with advances in cybertechnology and cybercrime.

"It is, of course, not enough to have effective laws; those laws must also be enforced responsibly and consistently," read the DOJ post. "It is also important that the public understand how the department applies the law in this context."

The memorandum, issued on Sept. 11, 2014, by then-Attorney General Eric Holder, stated that it was not binding or all-inclusive, but rather that it simply provided guidance to prosecutors.

That guidance focused on eight different factors that could or should be considered by U.S. attorneys when deciding whether to press charges in a case of alleged cybercrime. Prosecution, it states, is to be pursued only when it serves a "substantial federal interest."

Determining factors include the "sensitivity of the affected computer system or the information transmitted by or stored on it;" the national security implications of the crime; impact of the crime on victims; the deterrent value of the investigation; and whether the crime can be prosecuted by another jurisdiction if it is declined for federal prosecution.

Another criteria is if information is obtained by "exceeding authorized access," which can mean anything from a system administrator invading the privacy of email accounts for personal gain to a government official accessing information on government computers in violation of stated rules – Edward Snowden, for example.

The blog post concludes: "We are proud of the work we have done to protect the privacy and security of Americans online.  Through this policy, the department continues to take very seriously our responsibility to seek justice for the victims of cybercrime and to do so in a fair and responsible manner."

While there have been some significant and celebrated prosecutions of cybercriminals under the CFAA, there also have been controversial cases like that of Aaron Schwartz. The young programmer and hacktivist was indicted under the CFAA for alleged unauthorized access to a Massachusetts Institute of Technology computer system from which he downloaded academic journals. Schwartz committed suicide while fighting 13 federal charges.

The Electronic Frontier Foundation has criticized a number of aspects of the CFAA over the years, in particular aspects of the law that relate to unauthorized access. "The law does not explain what 'without authorization' actually means," the EFF wrote in a 2013 call for reform of CFAA. "The statute does attempt to define 'exceeds authorized access,' but the meaning of that phrase has been subject to considerable dispute."