So You Think You're Funny? New Considerations for Cybercrime Victims Under the Computer Fraud and Abuse Act
"You think Zoom bombing is funny? Let's see how funny it is after you get arrested," one federal prosecutor said in response to the significant rise of "Zoom-bombing" during the COVID-19 pandemic.
Countless Americans have turned to various video-teleconferencing platforms, such as the one operated by Zoom Video Communications, Inc., to interact with family, friends, and colleagues during this unprecedented pandemic. For most, a video session is a welcome reprieve from the social isolation we're all experiencing. But for some, video sessions have been marred by unwelcome interruptions. For individuals and corporate entities victimized by these "Zoom-bombs," as they are colloquially called, a recent federal district court interpretation of the Computer Fraud and Abuse Act (CFAA) provides some guidance regarding how to seek redress, both civilly and through a referral to federal authorities.
What is a Zoom-Bomb?
Like its now-familiar twin the "photobomb" (in which a person spoils a photograph by unexpectedly appearing in the camera's field of view as the picture is taken), a person performs a "Zoom-bomb" by making an unexpected and unwanted appearance in a video session. Typically Zoom-bombers disrupt video conferences with any combination of pornographic and/or hateful images and threatening language.
Federal and state prosecutors have threatened to prosecute Zoom-bombers under various theories: disrupting a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud, and transmitting threatening messages. But perhaps the most important weapon a federal cybercrime prosecutor has in her arsenal—the Computer Fraud and Abuse Act (CFAA)—may well prove to be a dud in a prosecution against a Zoom-bomber. The problem comes from a long running circuit split about what it means to "exceed authorized access" under the CFAA.
The Computer Fraud and Abuse Act
The CFAA prohibits "intentionally access[ing] a computer without authorization or exceed[ing] authorized access." 18 U.S.C. § 1030(a)(2). The term "computer" refers to any computer "used in or affecting interstate or foreign commerce or communication," meaning that the definition functionally applies to any website or computer device connected to the Internet. Over the years, courts and legal scholars have wrestled with the meaning of "authorization" as it applies to a violation of the CFAA, especially in the context of whether an offense occurs where a person uses features of a website "in excess" of the website's terms of service.
This "terms of service" debate has raged for years. Consider this scenario. You log on to your workplace computer, which is connected to your employer's computer network. You're aware of the warning banner that pops up every time you log on, but you don't really pay much attention to it. So while you know that your employer's "terms of service" for its computer network—terms to which you ostensibly agreed to follow when using your work computer—state that you're not allowed to use the computer to browse social media, check your personal emails, online shop, or even read the newspaper, you nevertheless decide to hop on a few sites for some personal shopping and to check in on Facebook. If simply violating private "terms of service" constitutes a CFAA violation, then who among us is not a felon?
The answer to that question, however, depends on where you access a computer. In the First, Fifth, Seventh, and Eleventh Circuits, courts interpret the CFAA broadly and hold that a person exceeds authorized access to a computer by accessing information in a way that violates a written agreement or term of service. But the controlling precedent in those cases all pre-dates 2010. Since 2012, the Second, Fourth, and Ninth Circuits have interpreted the CFAA narrowly, holding that violations of private terms of service cannot give rise to a CFAA criminal violation.
One federal judge continued this more recent trend—in opposition to the Department of Justice's position—and found that violations of a website's "terms of service do not . . . trigger criminal liability" under the CFAA. Sandvig v. Barr, --- F. Supp. 3d ---, 2020 WL 1494065, at *10 (D.D.C. Mar. 27, 2020). The Sandvig court aligned itself with the Second, Fourth, and Ninth Circuits holding that the rule of lenity requires a narrow interpretation of the CFAA's criminal prohibition of "exceed[ing] authorized access" to a protected computer. Instead, a CFAA criminal violation requires a person to hack "permission requirements" to a website—that is, hack through the user-name and password requirement to gain access to a website or other computer. The court reasoned that "websites' terms of service provide inadequate notice for purposes of criminal liability" and "[c]riminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature," a result Congress likely did not intend.
Whether Sandvig's analysis prevails will depend on the Supreme Court. Less than a month after the district court decided Sandvig, the Supreme Court accepted a petition for a writ of certiorari in Van Buren v. United States, No. 19-783, to resolve the circuit split over the reach of the CFAA. Van Buren presents the question whether a person who has access to a computer violates CFAA if the person accesses information on the computer for an unauthorized purpose.
Analysis and Guidance
Should the Supreme Court follow the reasoning in Sandvig, Zoom-bombers no doubt will try to avoid a prosecution under the CFAA by arguing that they have contractual access to Zoom generally, and while they may have accessed specific Zoom sessions in violation of the terms of service, they can't be prosecuted because they didn't do so by hacking any username and password requirements.
But none of this should be read to mean that Zoom-bombers get a free pass. For people victimized by a Zoom-bomb, or just looking for ways to protect themselves generally from computer hackers, the Sandvig court makes a few helpful observations. First, the Sandvig Court left open the possibility that violations of a website's terms of service could form the predicate of the CFAA's civil cause of action for "exceed[ing] authorized access" of a computer. Consequently, individuals and corporate entities victimized by hackers can still potentially sue them under the CFAA for damages or other losses. See 18 U.S.C. § 1030(g). Second, even if the Sandvig analysis becomes the prevailing view of the law, potential Zoom-bomb targets can focus their information security efforts on implementing password requirements, to help preserve the option of making a criminal referral under § 1030 of any Zoom-bomber to appropriate federal law enforcement authorities. And, of course, prosecutors have a vast array of other criminal statutes to draw upon, so may well be able to base a prosecution on a statute other than the CFAA.
In the end, a Zoom-bomber is hardly outside the reach of federal law enforcement authorities. But under Sandvig, at least, the CFAA may not extend the long arm of the law as far as prosecutors—or Zoom-bombing victims seeking redress—may have hoped.
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.