The Supreme Court, Leaks and Computer Crime

Last week, a highly confidential draft opinion in the Dobbs abortion rights case was leaked to reporters at Politico. Many have called for the leaker to be identified and prosecuted. However, a case from last term—from the U.S. Supreme Court—may make prosecution difficult, if not impossible.

Most computer crimes are actually crimes aimed at compromising the confidentiality, availability or integrity of information. Others, like ransomware or revenge porn, seek to disseminate information that the victim would prefer not to have disseminated or extract a ransom for not disseminating the information. So, they are really ‘information crimes’ using computers. The problem with information crimes is that the concept of theft of information is a difficult one to deal with.

What Crime?

The Watergate burglars were seeking to steal information from the offices of the DNC and broke into a physical office to do so. The crime was burglary. If they had paid off some official to give them the documents (or threatened to reveal something about them if they didn’t comply) that could be considered bribery or extortion. But if a DNC employee—without permission—simply gave the files to H. Howard Hunt (kids, Google it), would that be a crime?

Some information has specific criminal statutes prohibiting its transfer. Federal espionage laws make it a crime to give classified information to a person not entitled to receive it. Privacy laws make it a civil offense to misuse PII or PHI or to fail to protect it. Bank secrecy laws protect the secrecy of banking information, and consumer proprietary network information (CPNI—phone data) is similarly protected. But as a general rule, the “theft” of information is not a crime, although an actor often has to commit a crime to accomplish the theft or may use the purloined papers in the commission of other crimes like insider trading.

It is for this reason that companies that believe that they are the victims of theft of information (particularly by insiders) often turn to the Computer Fraud and Abuse Act (18 USC 1030) to attempt to punish insiders who steal information. The statute makes it a crime to “exceed authorization to access a computer” in order to “obtain information.”

The theory has been that insiders who misappropriate information (typically by taking information to use with a competitor) are not authorized to access their employer’s computer for that purpose and therefore have “exceeded authorization” to obtain certain information. The same theory could be applied to the Supreme Court leaker’s “theft” of the Dobbs opinion. The clerk, justice, administrative assistant or whoever accessed the computer at the court did so with the specific intent to obtain a copy of the Dobbs opinion and to forward it to the Politico reporter without authorization. He/she/they “exceeded authorization” to access his/her/their computer to obtain information.

At least, that’s one plausible scenario. Or he/she/they accessed the computer to print out a copy to give to Politico. Again, exceeding authorization. But, put plainly, even if that is what happened factually, it’s really not a computer crime. The actor accessed the Supreme Court computers with authorization, viewed a draft opinion they were authorized to view and then did something they did not have permission—by law, regulation or, in this case, habit, culture, ethics and practice—to do.

In the recent case of Van Buren v. United States, the Supreme Court held that a government employee who accessed a restricted database to obtain information to give to someone not entitled to receive it (for money) could not be prosecuted under the computer crime statute because their actions did not constitute “exceeding authorized access” to the database to which they had lawful access. Merely violating rules about what you can do with data you have lawful access to (even in violation of an express policy) is not exceeding authorization to access the computer. So, our authorized Supreme Court clerk or admin who logged in and “stole” the opinion can’t be prosecuted for computer crime—unless, for example, they did not have the authorization to go into the database at all. So, for example, a security guard who gets email at the court and who hacked the draft opinions database could be prosecuted for hacking, but a clerk with authorized access could not.

There are some other possible crimes, but they are similarly ill-suited to this situation. One is the federal embezzlement statute, 18 USC 641, which noted that “[w]hoever … without authority … conveys … any record … of the United States” is guilty of a crime. The embezzlement statute is based on principles of larceny and theft and has been used, for example, to prosecute someone who copied grand jury transcripts, sold documents with the names of DEA undercover agents or copied (on government equipment) FBI documents without authorization.

In an espionage case in 1980, a federal appeals court in Virginia noted that “Congress has never directly considered the application of § 641 to government information. In enacting § 641 and its predecessors, Congress did not express an intent that the unauthorized disclosure of government information be either included within or excluded from the criminal prohibitions of § 641.”

As a result, an attorney for a defense contractor who bribed a Navy employee to get competitive bid information could be prosecuted for embezzling that information from the government. In another 641 case, the government prosecuted a defense contractor who sold classified pictures of Soviet ships at Severomorsk naval base to Jane’s Defense Weekly, a British magazine.

However, the Department of Justice has a long-standing policy of not using the embezzlement statute to prosecute leaks of government information. The U.S. Attorney’s manual notes:

“The Criminal Division believes that it is inappropriate to bring a prosecution under 18 U.S.C. § 641 when: (1) the subject of the theft is intangible property, i.e., government information owned by, or under the care, custody, or control of the United States; (2) the defendant obtained or used the property primarily for the purpose of disseminating it to the public; and (3) the property was not obtained as a result of wiretapping, (18 U.S.C. § 2511) interception of correspondence (18 U.S.C. §§ 1702, 1708), criminal entry, or criminal or civil trespass.”

In other words, we don’t use this statute to prosecute leaks. This is to ensure that whistleblowers and members of the press are not prosecuted when government data is published—even without authorization. So, even if the clerk/justice provided the opinion to Politico, an embezzlement prosecution is unlikely.

Information Crimes

So, the Justice Department likely has the authority to prosecute the leaker for theft of government property. But this creates a bizarre situation where providing an actual document is a crime (theft) but providing the contents of the document (say, sitting down with the Politico reporter and describing the proposed Alito majority opinion) might not be. When is information “stolen”? When is it “misappropriated”? When you leave one job and go to another, if you download your prior employer’s files you are a criminal, but if you have them in your head you are not. Is it the taking of the data that is the crime? Or the use of that data that makes it an offense? Information crimes are hard. And computer crimes are, at their core, information crimes. We struggle with concepts of “ownership” and “taking” and “taking away” and “misappropriation” and “misuse.”

In the Aaron Swartz case, a prominent researcher accessed the MIT computer system (and got booted out several times) to download data from the JStor database which was freely accessible to MIT staff but for which JStor charged a fee to non-academics. And Aaron was affiliated with MIT. It appears that his goal was to download the database and make it public. Was this a “theft” or “embezzlement”? Sure—it’s an easier case when someone steals data and sells it or steals it and uses it for their own purposes. But the embezzlement and computer crime statutes can be used to make every bit of gossip, leak or speaking out of school a federal crime. That’s why they are rarely used for theft-of-information cases.

What the Supreme Court made clear in Van Buren is that, no matter what the clerk/justice/admin did, they likely did not violate the federal computer crime statute. So we must look elsewhere if our goal is a criminal prosecution.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
