Capital One Hack Prosecution Raises New and Old Questions about Adequacy of CFAA
On August 28, 2019, almost a month after Paige A. Thompson was arrested based on allegations that she hacked into servers rented by Capital One Financial Corporation, a criminal indictment was returned charging her with one count each of computer and wire fraud, as well as forfeiture allegations. The indictment includes new allegations that, in addition to hacking Capital One’s data, Thompson illegally accessed and copied data from more than 30 different entities that rented or contracted servers at an unnamed cloud-computing company at which she previously worked. The indictment provides additional details concerning Thompson’s hacking scheme. According to the indictment, Thompson used devices that allowed her to scan servers rented or contracted by Capital One and other entities at the cloud-computing company. From the scans, Thompson was able to identify servers that had firewall misconfigurations, which she then exploited to obtain security credentials that allowed her to access and copy the entities’ data. In addition to copying the data, Thompson also used the stolen computing power of the servers to mine cryptocurrency—in a scheme colloquially known as “cryptojacking.”
The Capital One data reportedly obtained by Thompson included credit card application data for over 100 million individuals who applied for credit cards from 2005-2019—including names, addresses, dates of birth, and approximately 140,000 Social Security numbers. According to news reports, Thompson previously worked for Amazon Web Services—the cloud-computing entity that hosted the sensitive Capital One data Thompson accessed, suggesting that she at one point may have had lawful access to the servers hosting Capital One’s data. Commenters have noted that Thompson, unlike most sophisticated hackers, largely failed to obscure her identity or role in the Capital One hack. Thompson also allegedly discussed the hack in an online Slack chat and in Twitter direct messages. Capital One discovered the hack when an individual emailed a Capital One program established to solicit disclosures of actual or potential vulnerabilities in its computer systems. That individual directed Capital One to Thompson’s GitHub page.
While these allegations may seem to present an open-and-shut criminal prosecution, the reality of prosecuting hackers under federal law is far from simple. In addition to being charged with wire fraud, Thompson is charged with a single count of computer fraud and abuse pursuant to the Computer Fraud and Abuse Act of 1986 (“CFAA”), 18 U.S.C. § 1030, et seq. The CFAA is the primary federal law used to prosecute hackers. It has been used to charge a number of prominent defendants, including, most recently, WikiLeaks founder Julian Assange, and it generated significant controversy in the past prosecutions of Aaron Swartz, Gilberto Valle, and Lori Drew. The CFAA was originally intended as a targeted measure to combat a fairly circumscribed category of “computer trespassing” crimes. In 1989, soon after enactment of the CFAA, only about 15% of American households owned a personal computer. Today three-fourths of Americans own smartphones, which are on average hundreds of times faster and more powerful than the personal computers of the late 1980s and whose networks offer internet connections at broadband speeds. Despite quantum leaps in technology since the CFAA was enacted, many of its provisions have not been changed in a generation.
While Congress has made periodic amendments, the CFAA is outdated and has failed to keep pace with advances in technology. The antiquated provisions of the CFAA create challenges for prosecutors. For example, the prosecution of Sergey Aleynikov, a former high-frequency trader at Goldman Sachs, hit a snag when the trial court dismissed a CFAA charge—holding that Section 1030 does not criminalize actions taken by an employee who had permissible access to information that the employee subsequently misappropriates (“In short, unless an individual lacks authorization to access a computer system, or exceeds the authorization that has been granted, there can be no violation of § 1030(a)(2)(C).”). Similarly, in the so-called “cannibal cop” prosecution, the Second Circuit held that a person cannot be prosecuted under the CFAA when the person has approved access to information, yet accesses the information with an improper motive.
A number of emerging issues concerning the application of the CFAA to today’s advancing technology arise in many prosecutions brought under the Act. First, the CFAA, in part, prohibits accessing computer systems or networks either “without authorization” or in a manner “exceed[ing] authorized access.” What was the extent of a defendant’s authorization? Was the defendant’s authorization revoked, or her credentials disabled, at the time of the intrusion? Unfortunately for prosecutors (and sometimes for hackers as well), the CFAA fails to define “without authorization,” and there is no consensus on what the existing definition of “exceeding authorized access” means. Second, how does the CFAA apply to an intrusion into a non-physical “virtual machine”? The CFAA’s provisions reference the accessing of a “computer.” See 18 U.S.C. §§ 1030(a)(1) and (e)(1). Third, how should the CFAA apply to defendants who claim they are “white hat” hackers, “gray hat” hackers, or cyber security researchers engaged in hacking activity for purported ethical reasons? As our blog has described, such hackers often report their intrusions to the hacked entity pursuant to a bug bounty program. Fourth, how do you assign a value to the hacked information? Certain provisions of the CFAA require the value of the information obtained to exceed $5,000. See 18 U.S.C. § 1030(c)(2)(B)(iii) (requiring that “the value of the information obtained exceeds $5,000” for a sentence of up to five years’ imprisonment). Lastly, will prosecutors hesitate to pursue CFAA charges because of the statute’s uncertainties? Notably, the recent indictment of a former Google engineer who allegedly stole trade secrets concerning self-driving technology did not include a charge under the CFAA. In the Capital One case, prosecutors included a largely duplicative wire fraud count. Will prosecutors increasingly pair CFAA charges with overlapping wire fraud charges to guard against the uncertain CFAA landscape?
While some of these questions may not come into play in the Capital One prosecution, these issues will certainly arise in future hacking prosecutions. And they are a reminder that the CFAA is in need of an update.
We will continue to monitor developments related to CFAA criminal prosecutions, CFAA civil litigation, and legislative reform efforts. We will also feature a blog post detailing some of Congress’ past attempts at reform—and how Congress may act in the future.