During a Senate Select Committee on Intelligence public hearing on Wednesday, January 29, 2014, Senator Ron Wyden asked CIA Director John Brennan if the Computer Fraud and Abuse Act applied to the CIA. Director Brennan deferred answering for a week. Here is the dialogue:
Senator Wyden: “Director Brennan – question with respect to policy. Does the Federal Computer Fraud and Abuse Act apply to the CIA? Seems to me that is a yes or no question.”
Director Brennan: “I would have to look into what that Act actually called for and its applicability to the CIA’s authorities, and I’d be happy to get back to you Senator on that.”
Director Brennan deferred and promised an answer to the question in a week. On the surface it may seem like Director Brennan was avoiding answering a relatively simple question but, in reality, I think his not doing so was justified. Here is why.
Does the Federal Computer Fraud and Abuse Act apply to the CIA?
The problem, Senator Wyden, is that there really is not a simple yes or no answer to your question because of factors you probably know a whole lot more about than I do.
The Statutory Language
The CFAA includes the following provision that addresses its applicability to lawfully authorized investigative, protective, or intelligence activity of law enforcement or intelligence agencies:
18 U.S.C. § 1030 (f) states “This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.”
This statutory language leads to two questions:
- Is the CIA a law enforcement agency or intelligence agency of the United States? Yes it is (thank you to my friend @JPW_CybCrimeRev at Cybercrime Review for correcting my earlier misstatements here), so … the next question is,
- Are the particular activities being conducted lawfully authorized investigative, protective, or intelligence activities?
Based upon this language, the CIA is immune from the prohibitions of the CFAA for its activities that are “lawfully authorized investigative, protective, or intelligence activit[ies]” but for any activities that are not, it sounds like it would not be immune, right?
The question then becomes: is the CIA engaging in activities that are not lawfully authorized? If it is not, then all is good and the CIA Director could answer with an emphatic “No, the Computer Fraud and Abuse Act does not apply to the CIA.” But, if the CIA is engaging in any activities that are directed at or involve accessing computers that are not lawfully authorized, then the answer would not be an emphatic “no” but, instead, a “maybe,” an “in some cases,” or a “not all of the time” type of answer. Or, maybe an emphatic “yes!”
Fortunately, the CIA Director now has a weekend and a few days to figure out the best way to answer this question. I have my suspicions about what the answer should be, but that is beyond the scope of this post. How about you?
My real point, however, is that the answer to the question of whether the CFAA applies to the CIA is really not a simple yes or no. There is a lot more that needs to be considered before answering that question … publicly, anyway.
[UPDATE TO POST: 1/31/14 @ 11:30 pm]
This issue is becoming more complex. After engaging in a very thoughtful Twitter discussion with @JPW_CybCrimeRev about what constitutes “lawfully authorized” insofar as investigative, protective, or intelligence activities are concerned, I decided to do more research. While I have not yet (as of this update, anyway) found the answer to the original question, I did find an interesting interpretation of the statutory language used in 18 U.S.C. § 1030 (f) which is almost verbatim with what is in the Digital Millennium Copyright Act.
The Blueport Case and Sovereign Immunity
This language in the DMCA was interpreted in the case Blueport Co., LLP v. United States, 71 Fed. Cl. 768 (Fed. Cl. 2006). The relevant facts of Blueport are that a software developer owned the copyright on a computer program that was being used by the United States Air Force and, when the program expired, the Air Force personnel “hacked” the program to remove the automatic expiration function to keep using the program. The developer sued the United States for monetary damages under the DMCA and the United States moved for summary judgment on the basis of sovereign immunity. The Court granted the motion for summary judgment.
Plaintiff’s primary argument was premised on the DMCA’s statutory language analogous to the CFAA’s § 1030(f), which is found at 17 U.S.C. § 1201(e):
This section does not prohibit any lawfully authorized investigative, protective, information security, or intelligence activity of an officer, agent, or employee of the United States, a State, or a political subdivision of a State, or a person acting pursuant to a contract with the United States, a State, or a political subdivision of a State.
Plaintiff tried to reason that, because the DMCA contained this language carving out immunity for the United States in certain cases (i.e., “lawfully authorized” activities), that necessarily meant that the United States was not immune for activities outside those cases; otherwise that language in the statute would have been superfluous. The court did not rule on whether the United States was truly immune, but it did address the question of whether the United States could be sued by a private litigant for a tort claim seeking money damages.
The court implicitly conceded that the superfluous argument had some merit; ultimately, however, the question came down to whether the above statutory language was a clear and unambiguous waiver of sovereign immunity for tort claims against the United States. The court found it was not. “Simply put, because of the doctrine of waiver’s paramount role in the protection of rights and the enforcement of duties, the law requires that when a right or duty is voluntarily relinquished, such a waiver must be explicit, and not construed through indirection or by legal fictions.” Blueport Co., LLP v. United States, 71 Fed. Cl. 768, 777 (Fed. Cl. 2006). The ruling of Blueport was affirmed by the Federal Circuit in Blueport Co., LLP v. United States, 533 F.3d 1374 (Fed. Cir. 2008).
What Does Blueport Teach Us About the Computer Fraud and Abuse Act?
While Blueport does not directly answer the overall question of whether the Computer Fraud and Abuse Act applies to the CIA, it does plot another point in CFAA jurisprudence.
Can private individuals bring lawsuits for money damages against the United States for violating the Computer Fraud and Abuse Act if the CIA “hacks” into their computers? No. Just as in Blueport, the United States government is protected against such claims by the doctrine of sovereign immunity and the language of 18 U.S.C. § 1030(f) will not be construed as a waiver of that sovereign immunity. So, insofar as civil claims against the United States by private citizens are concerned, the CFAA does not apply to the CIA or other agencies in the federal government.
With this, we see that the question of whether the CFAA applies to the CIA is getting more and more complicated:
- In civil cases for money damages, it does not apply to the CIA.
- In cases where the CIA is engaged in “lawfully authorized investigative, protective, or intelligence activity” it does not apply to the CIA.
- But, what about cases where its activities are not “lawfully authorized”?
- Could such a situation even exist — could the CIA ever be engaged in activities that are not “lawfully authorized” or, by definition, are all of the CIA’s activities necessarily “lawfully authorized”?
The answers to these questions may determine the ultimate answer to Senator Wyden’s question. Conversely, the answer to Senator Wyden’s question may shed light on the answers to some of those questions.
You can listen to the dialogue at the 3:20 mark in this video: