“If I were this employee, I'd be hiring a good criminal defense lawyer who knows something about the CFAA,” said Paul Ohm, a law professor at Georgetown University.
The CFAA — short for the Computer Fraud and Abuse Act — is the federal government's premier anti-hacking law. It's been used, controversially, to go after information activists such as Aaron Swartz as well as the former Reuters journalist Matthew Keys. And it gives the government wide latitude to pursue those who have allegedly accessed a computer “without authorization” or in ways that exceed the level of authorization they've been given.
“If this was beyond what the employee was authorized to do, one could argue he ‘exceeded authorized access,’ ” said Chris Calabrese, vice president of policy at the Center for Democracy and Technology. He added: “[That's] a phrase we've critiqued, because it empowers private actors to exercise criminal penalties over what are essentially contractual/civil disputes.”
How much legal risk does Twitter's former employee really face in light of this law? That depends on a number of factors, chief among them being how difficult Twitter makes it for employees to deactivate user accounts.
Under one theory, the worker may not have violated the CFAA if Twitter's internal policies on the matter were lax or nonexistent. But the employee could be in much greater jeopardy if Twitter's policies were much more strict.
“If they have layer after layer of training and passwords and signs on the wall that say, ‘Do not delete accounts without permission or out of spite,’ ” said Ohm, “if they have anything like that, it becomes a much more prosecutable offense.”
Some reports suggest that while Twitter has some safeguards against employer misuse, the policies are not as robust as they could be. According to BuzzFeed, hundreds of Twitter employees have been given the permissions to unilaterally deactivate accounts, while still more workers can independently suspend accounts. Additional measures — perhaps requiring multiple people to sign off on the deletion of an account — were contemplated at one point, but were never put in place, BuzzFeed said, citing a former senior Twitter employee.
Benjamin Wittes, an expert on surveillance and law enforcement policy who runs the Lawfare blog in coordination with the Brookings Institution, said he agrees with many information security practitioners — the former Twitter employee is not safe.
At the very least, it seems like it could be a close call.