Senator's claims of CIA violating computer fraud act shaky, legal expert says

Establishing CFAA liability could be uphill task for Sen. Dianne Feinstein

Sen. Dianne Feinstein's (D-Calif.) claim earlier this week that the CIA violated provisions of the Computer Fraud and Abuse Act (CFAA) when it accessed computers used by members of the Senate Intelligence Committee could be hard to substantiate, according to a leading legal expert.

For one thing, it's not clear whether the CIA had rights to the accessed computers, at least as defined under the CFAA, said Orin Kerr, a law professor at the George Washington University Law School and a former trial attorney at the U.S. Department of Justice.

It's also not clear if the restrictions the Intelligence Committee had in place for governing access to the computers were strong enough to trigger a CFAA access violation claim, Orin wrote in a blog for Lawfare.

Earlier this week, Feinstein accused the CIA of illegally accessing computers used by members of the Senate Intelligence Committee to investigate the agency's detention and interrogation practices during the George W. Bush administration.

The CIA set up the Intelligence Committee's computers at a facility in northern Virginia to enable committee members to review tens of thousands of documents, memos, and other files pertaining to the CIA's interrogation practices.

The only CIA officials who were supposed to have access to the network were the agency's IT personnel, who were not permitted to share information gathered from the system with others at the agency.

According to Feinstein, however, CIA officials accessed the network anyway and removed documents that would have cast an unfavorable light on the agency's detention and interrogation practices. CIA officials accessed the walled-off committee network to remove documents previously provided to them by the CIA and to access the committee's internal work and communications, Feinstein charged Tuesday.

She alleged the agency's actions violated the CFAA's provisions against unauthorized access to a protected computer and an executive order prohibiting the agency from conducting domestic searches.

The CFAA is a federal statute that makes it illegal for someone to knowingly access a computer without authorization or to exceed authorized use of a system. It is an online anti-trespassing law that has gained considerable notoriety in recent years because of the manner in which over-zealous prosecutors have used the law to prosecute crimes for which it was never intended.

Critics have claimed that the ambiguous wording of the law allows prosecutors to pursue felony charges against individuals for minor terms of service and computer misuse violations.

Courts around the country have been split on how the law should be interpreted. Some courts have held that people with valid access to data on a computer cannot be held liable under CFAA if they later abuse that access to steal, sabotage or misuse the data. Other courts have ruled the opposite way.

In Feinstein's instance, it is not clear at all who controls access to the computer network in question, Kerr wrote. Though the intelligence committee is the primary operator of the network, it is the CIA that owns the systems and the network.

"Who has the superior claim to control access? I don't think there's an obvious answer," Kerr wrote. It is possible that the CIA has a better claim to controlling access since it owns the system and maintains the right to have IT people access the systems, he said.

The kind of restrictions the committee had in place for governing access to the systems is also important, Kerr noted. If the only barrier to access was a contractual agreement between the two sides, that alone may not be enough to trigger a CFAA violation.

Some courts have held that the CFAA can only be applied in situations where someone deliberately circumvents or overrides an access restriction, like breaking a password-protected system. Others have held that persons can be held liable under CFAA even for breaking a contractual agreement.

"Was the only barrier to CIA access the agreement between the CIA and the Intelligence Committee? If so, that implicates the circuit split over whether violation of contractual terms can trigger CFAA liability," Kerr said.

The CIA could also use its status as an intelligence agency to seek exemption from the CFAA's provision if it can show the access was part of lawfully authorized activity.

"Establishing CFAA liability requires concluding that the Committee properly controlled access; that the CIA violated an access restriction that the CFAA protects; that the violation was intentional; and that the exception doesn't apply," he noted.

This article, Senator's claims of CIA violating computer fraud act shaky, legal expert says, was originally published at

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
