DOJ Falters on Prosecution of Cybercrimes Due to Unequal Application of the Computer Fraud and Abuse Act

This article was updated on June 30, 2023, to correct a misquote from the complaint. The complaint alleges that CREXi account executives “obtained access to” and later in the complaint “unlawfully accessed” CoStar’s password protected database, not “hacked into.”

Recent policy announcements by the U.S. Department of Justice (DOJ) regarding the selective prosecution under the Computer Fraud and Abuse Act of 1986 (CFAA) have had the unintended consequence of alerting cyber criminals that the DOJ cannot walk and chew gum at the same time.

The CFAA, landmark 1986 legislation, prohibits accessing a computer without authorization or in excess of authorization. Enacted in the aftermath of press coverage of high-profile criminal hacking incidents, heightened national security threats from rogue foreign actors, and a finding that traditional theft and trespass statutes were ill-suited to address cybercrimes, the CFAA imposed criminal penalties, including fines and imprisonment, granting the FBI and the Justice Department the authority to investigate and prosecute. The CFAA further provides private civil causes of action for individuals or entities harmed by the perpetrators’ unauthorized access.

Since then, the CFAA has been amended by Congress multiple times, including via the USA Patriot Act, and each time the law expanded its definition of criminalized computer acts and broadened its jurisdiction to include any internet-enabled electronic device, including computers and cell phones, due to the interstate nature of most Internet communication.

Understanding the CFAA

The CFAA prohibitions broadly apply to hacking for malicious purposes (i.e., breaking in with stolen passwords to steal data or encrypted files), to “insider threats” where employees who have authorized access to a certain portion of their employer’s computer gain unauthorized access to other portions of the same computer, and to former employees who gain access to their work computers after access is revoked upon termination of employment.

The U.S. Supreme Court in Van Buren v. United States, 14 S.Ct 1648 (2021) ended the decades long split in federal circuit courts’ rulings on the definition of “unauthorized access” and “access in excess of authorization” with a finding that the burden of authorized access or access in excess of authorization rests on the employer to restrict access and establish security protocols to regulate access; an employee exercising permissible access does not lose access if the purpose of that access is not as intended by the employer. However, the enforceability of unauthorized access or access in excess of authorization is strengthened by the Supreme Court decision where access had been definitively terminated or restricted by the employer.

An Overbroad and Vague Directive

Contrary to the extensive statutory guidelines and case law precedents, the DOJ has recently announced that the “Department will not charge defendants” in certain types of “exceeds authorization” cases “based on the theory that a defendant’s authorization to access a particular file, database, folder, or user account was conditioned by a contract, agreement, or policy, with the narrow exception of contracts, agreements, or policies that entirely prohibit defendants from accessing particular files, databases, folders or user accounts on a computer in all circumstances.” The DOJ further states that defendants will not be charged where “authorization to access a computer, or a particular area on a computer, was automatically withdrawn under the terms of a contract or other written document once the user did something, or some other particular condition was met.”

The DOJ’s prosecutorial discretion, exercised in this policy directive, appears to be overbroad and vague. Without prior Congressional review or a legislative amendment, the DOJ’s selective enforcement of a key federal statute neither provides risk mitigation to the industry facing billions of dollars of losses nor deters industrial espionage and cyber theft, which are rampant. Twin cases, one in the real estate industry (CREXi) and a second in the entertainment industry (Ticketmaster), conspicuously illustrate the DOJ’s unequal application of the CA’s mandate despite their similarity in fact pattern.

In both cases, the fact pattern conforms to the type of “without authorization” cases that the DOJ has specifically identified for prosecution in its policy directive: “Unlike the “exceeds authorization” cases, which the DOJ has directed it will only prosecute for ” the narrow exception of contracts,  agreements, or policies that entirely prohibit defendants from accessing particular files, databases, folders, or user accounts on a computer in all circumstances,” the DOJ has provided no such limiting guidance for “without authorization” cases. Inexplicably, the DOJ chose to bring criminal charges in one case (Ticketmaster), while the other case (CREXi) has languished in court for three years.

Contradictory Application of the New Standard

CoStar Group et al. v. Commercial Real Estate Exchange, Inc. is a civil case pending in the Central District Court of California Court in Los Angeles for alleged theft of intellectual property for the purpose of developing a competing business. The complaint alleges that defendant Commercial Real Estate Exchange, Inc. (“CREXi”} employees accessed CoStar’s subscription database without permission; “CREXi’s former account executives … obtained access to CoStar’s password protected database by using passwords issued to CoStar customers, and then downloaded CoStar’s broker directories to build a clone directory on CREXi, using the stolen data to generate customer leads.” The complaint specifies that at least one of the CREXi executives involved, the head of its New York office, used credentials to which he had never had any entitlement. According to the complaint, two of the other executives used a former employer’s credentials after they left to work for CREXi.

In a second case with a similar fact pattern, which was before the Eastern District of New York, in Brooklyn, the DOJ intervened with criminal charges against the defendant, Ticketmaster, because “its employees repeatedly -­ and illegally – accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence.” Ticketmaster agreed to pay a criminal penalty of $10 million in exchange for deferred prosecution and a compliance and ethics program designed to prevent and detect violations of the Computer Fraud and Abuse Act and other applicable laws, and to prevent the unauthorized and unlawful acquisition of confidential information belonging to its competitors.

According to William Sweeney, FBI Assistant Director-in-Charge assigned to the Ticketmaster case; “When employees walk out of one company and into another, it’s illegal for them to take proprietary information with them. Ticketmaster used stolen information to gain an advantage over its competition, and then promoted the employees who broke the law. This investigation is a perfect example of why these laws exist … to protect consumers from being cheated in what should be a fair marketplace.” Should the same standard not apply to the CoStar case?

Even under the DOJ’s new and unduly restrictive policy, the alleged access to CoStar’s database by  the head of CREXi’s New York office was reportedly never authorized under any circumstances. Indeed, even the two CREXi executives who purportedly used credentials issued to their former employers pose a problem, as said credentials would have been revoked upon their separation from the company. And, arguably, even that point need not be reached as no authorization existed for any CREXi employee in the first place.

In any event, given the lack of prosecution for this seemingly plain lack of authorization for CREXI’s New York office head’s database access, it is clear that the DOJ’s new unduly restrictive approach to “exceeds authorization” cases is having a chilling effect on prosecutions of the other type — cases where no authorization existed at all. In short, the pernicious impact of the DOJ’s new policy regarding selective prosecutions under the Computer Fraud and Abuse Act of 1986 (“CFAA”) appears to be stymieing even those prosecutions that on their face fall outside its overly narrow restrictions.

In mid-May, the DOJ announced criminal charges including export violations, smuggling, and theft of trade secrets, in connection with the Disruptive Technology Strike Force, which it co-leads with the Department of Commerce, to counterefforts by hostile nation-states such as Russia and China to illicitly acquiring sensitive U.S. technology. Once again, the DOJ’s prosecutorial discretion, exercised in this policy directive involving rogue foreign actors, appears to be overbroad and vague, and with an unequal application of CFAA mandates in cases with a similar fact pattern.

The DOJ, in two of the five criminal cases, charged former software engineers for stealing software and hardware source code from U.S. tech companies to sell to China. In the Central District of California, a senior software engineer was arrested and charged with theft of trade secrets for allegedly stealing source code used in meteorology software, used in”smart” automotive manufacturing equipment, which the defendant then allegedly marketed to multiple Chinese companies. In the Northern District of California, a citizen of the People’s Republic of China (PRC) and former Apple engineer is charged with allegedly stealing thousands of documents containing the source code for software and hardware.

In the CREXi case, which similarly involves theft of an American company’s intellectual property and trade secrets by offshore agents in India, the DOJ has failed to consider intervening with criminal charges against the defendant, CREXi. According to the CoStar complaint, CREXi not only has substantial financial backing from venture capital firms, including Industry Ventures, Jackson Square Ventures, Freestyle Capital, and TenOneTen Ventures, but the company has also used its Indian vendors to steal CoStar’s intellectual property. Three of its vendor companies are facing court proceedings in India.

Uncertainty Threatens Security

During a time of escalating cyber security threats, both domestic and foreign, the DOJ’s failure to fully enforce the mandates of the CFAA as intended by Congress and decided by case law precedent weakens the law’s broad legal protections against industrial espionage and cyber theft of intellectual property and trade secrets.

A CREXi spokesperson submitted the following statement to IPWatchdog on June 29, 2023, in response to this article:

“This opinion piece grossly mischaracterizes the CoStar v. CREXi litigation and raises the specter of criminal conduct where none exists. In years of ongoing civil litigation against CREXi, CoStar has never asserted a claim under the Computer Fraud & Abuse Act. And CREXi does not engage in web-scraping, cyber-hacking or international espionage, as the opinion column suggests. The claim that a CREXi executive “hacked into CoStar’s password protected database” is not supported even by the allegations in CoStar’s complaint. [see above correction]

CREXi operates an innovative technology platform that hosts commercial real estate information and listings created by, or at the direction of, its users. CREXi competes with CoStar, and a bipartisan pair of U.S. Senators has called for the FTC to investigate CoStar’s anticompetitive behavior.

Image Source: Deposit Photos
Image ID: 68350515
Author: stevanovicigor