Last week, a district court considered whether the federal computer hacking statute, the Computer Fraud and Abuse Act, applies to a laptop computer not connected to the Internet. The court concluded in Pine Environmental Services v. Carson (D.Mass. August 20, 2014) (Talwani, J.), that the Act does not apply in such circumstances because the alleged crime is not interstate in nature. As much as I favor narrow readings of the CFAA, I think the court was incorrect. Unfortunately, the CFAA is so broad it includes pretty much every computer, connected to the Internet or not. In this post I’ll explain why.
The facts alleged in the complaint are simple. Carson worked for Pine Environmental Services and used one of Pine’s laptops for work. When Carson left Pine to work for one of Pine’s competitors, she kept the laptop instead of giving it back. When Carson eventually returned Pine’s laptop, a forensic analysis suggested that Carson had accessed the laptop after leaving Pine and had used software to erase her tracks. Pine sued Carson and her new company, alleging (among other things) that Carson had accessed Pine’s laptop without authorization. The defendants moved to dismiss on the ground that the laptop was not a “protected computer” under the CFAA.
Under the CFAA, a “protected computer” is defined in 18 U.S.C. 1030(e)(2) as follows:
[T]he term “protected computer” means a computer— (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
The district court agreed that the laptop was not a protected computer and granted the motion to dismiss. According to the district court, the laptop was not covered under (A) or (B), and specifically was not covered under (B) because it was not being “used in . . . interstate commerce” at the time the unauthorized access occurred. Carson had used the laptop to collect data across state lines when she had worked for Pine, but the laptop was not sending any interstate communications when Carson allegedly accessed it without authorization. At that time, the computer was offline rather than online. According to the district court, that was not enough, as the actual crime was not “interstate in nature,” as the 1986 legislative history indicated was the federalism standard that Congress had intended to adopt. According to the court, that meant that this was not a federal case: “[S]uch actions are appropriately addressed under state law.”
As much as I favor federalism limits on the CFAA, unfortunately I think the district court was wrong here. The key problem is that in 2008, Congress amended the CFAA to largely eliminate the federalism limits of the CFAA. Before 2008, the definition of “protected computer” ordinarily required that the computer be “used in” interstate commerce. It was never clear if that meant used generally, sometimes, or in that specific instances. But in 2008, Congress made that interesting issue irrelevant. As I explained in this article at 1569-71, Congress amended the definition so that it includes computers that merely “affect” interstate commerce. That makes a big difference to the scope of the CFAA:
The phrase “affecting interstate commerce” is a term of art that signals congressional intent to cover as far as the Commerce Clause will allow. Modern Commerce Clause doctrine gives the federal government the power to “regulate purely local activities that are part of an economic ‘class of activities’ that have a substantial effect on interstate commerce.” In application, that allows Congress to regulate any class of economic activities that when aggregated can impact interstate commerce. In Gonzales v. Raich, for example, the Supreme Court allowed Congress to regulate entirely local activities like growing marijuana for home use on the theory that the aggregate effect of homegrown marijuana could have an impact on the supply and demand for marijuana in the national economy. No matter how local the marijuana growing, Congress could still regulate it.
This excursion into Commerce Clause doctrine explains just how broad the current version of “protected computer”has become, and by extension, just how far the CFAA reaches. Because the definition now applies to both computers in the United States and abroad that are used in or affecting interstate commerce or communication, every computer around the world that can be regulated under the Commerce Clause is a “protected computer” covered by 18 U.S.C. § 1030. This does not merely cover computers connected to the Internet that are actually “used” in interstate commerce. Instead, it applies to all computers, period, so long as the federal government has the power to regulate them.
The 2008 amendments of the CFAA and the nearly limitless scope of modern Commerce Clause doctrine mean it may be no exaggeration to say that a “protected computer” now just means a “computer.” Computers are ubiquitous as tools of modern commerce, and intrastate use of computers often has interstate effects. Computer data created and used in one state is easily moved across state lines, and breaches of computer security among intrastate computers can have an effect on computer use generally. It would be premature to rule out Commerce Clause challenges to intrastate use of computers in all cases. If limits exist, however, they likely are very narrow ones. Perhaps the only identifiable exclusion from the scope of protected computers is a “portable hand held calculator, or other similar device,” exempted from the definition of “computer.” Everything else with a microchip or that permits digital storage is, arguably, covered.
As I understand the doctrine, then, the laptop is a “protected computer” because the aggregated effect of intrastate unauthorized access into computers would nonetheless have an effect on interstate commerce. See, e.g., United States v. Jeronimo-Bautista, 425 F. 3d 1266 (10th Cir. 2005) (concluding that Congress can prohibit the purely intrastate production of child pornography because the aggregated effect of such production would impact interstate commerce). Under the applicable standard from Raich incorporated by the 2008 amendments, whether the computer is connected to the Internet at the time does not impact whether it is a “protected computer.”
Or so it seems to me. I’d be very interested to know if anyone has a different view.