For me personally, the timeline of events surrounding the discovery of Lenovo’s SuperFish malware is ironic. Just a couple of days before it was discovered, I had a telephone call with a friend named Jon Stanley. Jon is someone I consider to be an elder statesman of the CFAA as he has been digging deep into the law for a long time — much longer than I have — and our call was basically to chat about all things CFAA-related. (to get a glimpse of what it’s like to talk to Jon, check this out)
One of the things we talked about was our favorite CFAA opinions and Jon told me his was Shaw v. Toshiba, 91 F.Supp.2d 926 (E.D. Tx. 1999). I had skimmed the high points a few years back but never really taken the time to go through it slowly and enjoy it like a snifter of brandy, so after we hung up, I pulled it up and began reading.
I immediately turned to the point that Jon and I discussed which is where the court focused on the silliness of folks trying to argue the Computer Fraud and Abuse Act is a “hacking” law – ha, the court knocked it out of the park! “[T]his Court does not see a blanket exemption for manufacturers in Title 18 U.S.C. § 1030; nor does it see the term ‘hacking’ anywhere in this statute.” Id. at 936. I love that statement — I have never seen the term “hacking” in there either and, to hear people continue referring to it that way makes me wonder if they also refer to the mail and wire fraud statute as intending to keep the crooked city slickers from taking advantage of honest country folk. (seriously, see page 1)
How does this apply to the Lenovo SuperFish Malware?
So now you’re probably wondering where I’m going with this, right? And, what it has to do with the Lenovo SuperFish malware?
Ok, did you catch the first part of that quote? The part about a “blanket exemption for manufacturers”?
The issue in Shaw was whether a computer manufacturer’s sale of laptop computers containing devices with defective microcode that erroneously caused the corruption or destruction of data without notice was a violation of the CFAA, because the instructions given by the defective microcode were an unauthorized transmission. Toshiba argued several things but, most applicable here, that “Congress never intended for the CFAA to reach manufacturers; rather, the CFAA is geared toward criminalizing computer ‘hacking.'” In other words, Toshiba argued that, because it was a manufacturer that did all of its “stuff” before the computer was shipped and sold to Shaw, its activities were not prohibited by the CFAA. The Court disagreed with Toshiba’s narrow interpretation:
Perhaps. But it seems more plausible that Congress, grappling with technology that literally changes every day, drafted a statute capable of encompassing a wide range of computer activity designed to damage computer systems–from computer hacking to time bombs to defective microcode.
Brilliant. Ultimately, the Court denied Toshiba’s Motion for Summary Judgment and allowed the case to proceed.
The lawsuits against Lenovo have already started to drop and will surely continue coming. While I have not read the individual complaints, I’d say it’s a safe bet there are some CFAA claims in there — and if not, maybe they should give Shaw v. Toshiba a read (and not just for pleasure).
So, here’s a little test for you: if they do bring a CFAA claim, do they have to plead the $5,000 loss?
Hey Jon, by the way, thank you!
Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes across the United States and, through the Mackrell International Law Network, around the world.