This post, written by surveillance, free speech, and government transparency expert Trevor Timm, was originally published on July 31, 2013 by the Electronic Frontier Foundation.
We wrote yesterday about the dangerous “hacker madness” strategy used by the prosecution in the Bradley Manning trial, a tried-and-true tactic that attempts to scare judges into sustaining convictions based on a defendant’s knowledge of computers. However, another interesting fact of the Manning trial is being overlooked by the media: this is the first time we know of where the government has sustained a conviction under a controversial section of the Computer Fraud and Abuse Act (CFAA) known as (a)(1).
Manning’s conviction under this provision looks to be yet another example of prosecutors leveraging the CFAA to force more prison time on computer users while using other, almost identical laws to punish the same acts.
Though his ultimate sentence may be significantly shorter, Manning faces a maximum of 136 years in jail for the nineteen counts on which he was found guilty. Most significantly, he was found guilty of six counts under the Espionage Act and two counts under the CFAA. But when you read both of the statutes closely, they are completely redundant except for one aspect: computers.
In fact, as the Judiciary Committee Report on the 1996 amendment to the CFAA makes clear, Congress explicitly based (a)(1) of the CFAA off 793(e) of the Espionage Act. “The bill would bring the protection for classified national defense or foreign relations information maintained on computers in line with our other espionage laws,” the report says. The original CFAA, written in 1984, was modeled on another part of the Espionage Act, section 794, which has never been used in leak cases. But Congress wanted it tailored after 793(e), a statute that in recent years has been used to prosecute a record number of leakers. (Compare the text here and here.)
The statutes are so similar, in fact, it’s hard to tell them apart even when reading the Judiciary Committee’s explanation about how they differ:
Although there is considerable overlap between 18 U.S.C. 793(e) and section 1030(a)(1), as amended by the NII Protection Act, the two statutes would not reach exactly the same conduct. Section 1030(a)(1) would target those persons who deliberately break into a computer to obtain properly classified Government secrets then try to peddle those secrets to others, including foreign governments. In other words, unlike existing espionage laws prohibiting the theft and peddling of Government secrets to foreign agents, section 1030(a)(1) would require proof that the individual knowingly used a computer without authority, or in excess of authority, for the purpose of obtaining classified information. In this sense then, it is the use of the computer which is being proscribed, not the unauthorized possession of, access to, or control over the classified information itself.
Did you get all that? The Judiciary Committee basically copy-pasted the Espionage Act into the CFAA, but forbade “use of the computer” rather than accessing the documents. So there you have it: they specifically wanted to make the isolated act of using a computer a separate crime.
In the government’s mind, the Espionage Act can be used to punish a leaker of information, and if that person merely used a computer to get that information, they are guilty of an additional felony. So someone who emails a journalist documents they got off a government computer will face ten more years per charge than a government official who photocopied documents he got off a shelf and physically mailed them to the same journalist.
Of course, leaks to the press should never be equated with espionage, regardless of what statute is used. But this is yet another example of the government using knowledge of computers to unjustly ratchet up penalties on a crime that caused little or no harm.