b'No. 19-783\nIN THE\n\nSupreme Court of the United States\n\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\nNATHAN VAN BUREN,\nv.\n\nPetitioner,\n\nUNITED STATES OF AMERICA,\nRespondent.\n\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\nOn Writ of Certiorari to the\nUnited States Court of Appeals\nfor the Eleventh Circuit\n\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\nBRIEF OF THE FEDERAL LAW\nENFORCEMENT OFFICERS\nASSOCIATION AS AMICUS CURIAE\nIN SUPPORT OF RESPONDENT\n\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\nJOSEPH V. DEMARCO\nCounsel of Record\nDAVID M. HIRSCHBERG\nERIC SEIDEL\nBRIAN A. FOX\nDEVORE & DEMARCO LLP\n99 Park Avenue, Suite 1100\nNew York, NY 10016\n(212) 922-9499\n(917) 576-2369\njvd@devoredemarco.com\nCounsel for Amicus Curiae\nAugust 31, 2020\nWILSON-EPES PRINTING CO., INC. \xe2\x80\x93 (202) 789-0096 \xe2\x80\x93 WASHINGTON, D. C. 20002\n\n\x0cTABLE OF CONTENTS\nPage\nTABLE OF AUTHORITIES ................................\n\niii\n\nINTEREST OF AMICUS CURIAE .....................\n\n1\n\nSUMMARY OF ARGUMENT .............................\n\n2\n\nARGUMENT ........................................................\n\n6\n\nI.\n\nAN INTERPRETATION OF THE CFAA\nWHICH ONLY FOCUSES ON THREATS\nFROM OUTSIDE \xe2\x80\x9cHACKERS\xe2\x80\x9d IGNORES\nTHE REALITY OF HOW MODERN\nCOMPUTER SYSTEMS, INCLUDING\nTHOSE USED BY LAW ENFORCEMENT, OPERATE .....................................\n\n6\n\nA. Computerized Systems Used by\nFederal Law Enforcement Agents and\nOfficers Are Repositories of Massive\nAmounts\nof\nHighly\nSensitive\nInformation ..........................................\n\n6\n\nB. Law Enforcement Systems and Databases are Legitimately and Regularly\nAccessed by a Large Number of Users\n\n9\n\nTHREATS TO LAW ENFORCEMENT\nDATABASES AND COMPUTER SYSTEMS ARE THREATS TO PUBLIC\nSAFETY AND TO THE ADMINISTRATION OF JUSTICE ..................................\n\n10\n\nIII. THE CFAA IS A PROVEN METHOD OF\nPROTECTING GOVERNMENT SYSTEMS FROM INSIDER THREATS .........\n\n13\n\nA. The Threat of Data Theft ....................\n\n13\n\nII.\n\n(i)\n\n\x0cii\nTABLE OF CONTENTS\xe2\x80\x94Continued\nPage\nB. The Threat of Data Manipulation ......\n\n16\n\nIV. A PURELY \xe2\x80\x9cOUTSIDE HACKER\xe2\x80\x9d\nINTERPRETATION OF THE CFAA\nWOULD LIMIT ITS UTILITY AND\nIMPOSE SUBSTANTIAL COSTS ON\nITS USE ....................................................\n\n19\n\nCONCLUSION ....................................................\n\n23\n\n\x0ciii\nTABLE OF AUTHORITIES\nCASES\n\nPage(s)\n\nUnited States v. Manning,\n78 M.J. 501, 510-11 (U.S. Army\nCt. Crim. App. 2018) .................................\n\n16\n\nUnited States v. Morris,\n928 F.2d 504 (2d Cir. 1991), cert.\ndenied, 502 U.S. 817 (1991) ......................\n\n13\n\nSTATUTES\n18 U.S.C. \xc2\xa7 1030(e)(6) ...................................... 2, 17\n18 U.S.C. \xc2\xa7 1519...............................................\n\n19\n\nCOURT FILINGS\nComplaint, United States v Figeroa et al.,\nNo. 15-cr-02818 (S.D. Cal. Oct. 7, 2015) ...\n\n19\n\nIndictment, United States v. Bright, No.\n15-cr-00366 (M.D. Fla. Sep. 9, 2015) ........\n\n15\n\nIndictment, United States v. Duchak, No.\n10-cr-00131 (D. Colo. Mar. 9, 2010) .........\n\n18\n\nIndictment, United States v. Perry, No. 09cr-0090 (D. Md. Feb. 25, 2009) .................\n\n14\n\nInformation, United States v. Quidilla, No.\n11-cr-00617 (S.D. Cal., Feb. 17, 2011),\nDkt. No. 14 ................................................\n\n18\n\n\x0civ\nTABLE OF AUTHORITIES\xe2\x80\x94Continued\nOTHER AUTHORITIES\n\nPage(s)\n\nMichael Balsamo and Colleen Long, AP\nExclusive: Police Officers\xe2\x80\x99 Personal Info\nLeaked Online, Associated Press (Jun.\n10, 2020), https://apnews.com/23a5e9d31\n6127994ae31ad4813db3f80 ......................\n\n9\n\nU.S. Attorney\xe2\x80\x99s Office for the District of\nColorado, Colorado Springs Man Indicted\nfor Attempting to Corrupt TSA Computer\nDatabase, U.S. Department of Justice\n(Mar. 10, 2010), https://www.justice.gov/\narchive/usao/co/news/2010/March10/3_10\n_10.html ....................................................\n\n18\n\nU.S. Attorney\xe2\x80\x99s Office for the District of\nMaryland, DEA Contractor Pleads Guilty\nto Illegally Accessing Government Database,\nU.S. Department of Justice (Oct. 20,\n2009), https://www.justice.gov/archive/us\nao/md/news/archive/DeaContractorPleads\nGuiltytoIllegallyAccessingGovernment\nDatabase.html ...........................................\n\n14\n\nU.S. Attorney\xe2\x80\x99s Office for the Middle District\nof Florida, Former Police Department\nEmployee Indicted for Tax Fraud,\nComputer Intrusion, and Identity Theft,\nU.S. Department of Justice (Sept. 15,\n2015), https://www.justice.gov/usao-mdfl/\npr/former-police-department-employee-ind\nicted-tax-fraud-computer-intrusion-andidentity ......................................................\n\n15\n\n\x0cv\nTABLE OF AUTHORITIES\xe2\x80\x94Continued\nPage(s)\nU.S. Attorney\xe2\x80\x99s Office for the Southern\nDistrict of California, Former U.S. Border\nPatrol Supervisor Pleads Guilty, Admits\nto Violating Civil Rights of Legal Border\nCrosser, U.S. Department of Justice\n(Aug. 16, 2018), https://www.justice.gov/\nusao-sdca/pr/former-us-border-patrol-sup\nervisor-pleads-guilty-admits-violating-ci\nvil-rights-legal ...........................................\n\n19\n\nU.S. Dep\xe2\x80\x99t of Justice, Office of Justice\nPrograms, Bureau of Justice Statistics,\nFederal Law Enforcement Officers, 2016\n\xe2\x80\x94 Statistical Tables, NCJ 261992 (Oct.\n2019), https://www.bjs.gov/content/pub/\npdf/fleo16st.pdf..........................................\n\n9\n\n\x0cINTEREST OF AMICUS CURIAE1\nThe Federal Law Enforcement Officers Association\n(\xe2\x80\x9cFLEOA\xe2\x80\x9d), a volunteer organization founded in 1977,\nis the largest nonpartisan, nonprofit professional association exclusively representing federal law enforcement\nofficers. FLEOA represents more than 28,000 uniformed\nand non-uniformed active and retired federal law\nenforcement officers from over 65 different agencies.\nFLEOA is a charter member of the Department of\nHomeland Security Federal Law Enforcement Advisory\nBoard; holds two seats on the Congressional Badge of\nBravery Federal Board; and serves on the Executive\nBoard of the National Law Enforcement Officers\nMemorial Fund and the National Law Enforcement\nSteering Committee. FLEOA provides a legislative\nvoice for the federal law enforcement community and\nmonitors legislative and other legal issues that may\nimpact federal law enforcement officers.\nDue to the highly sensitive work conducted by\nFLEOA members, the security of the data they rely\nupon is paramount. Advances in technology have\ngreatly assisted modern law enforcement agencies by\nincreasing the efficiency, accuracy, and responsiveness of their efforts. No technology has been more\nimportant to the administration of law enforcement\nthan computer systems. The systems in use by law\nenforcement today range from relatively mundane\nrecordkeeping software to sophisticated programs and\ndatabases that allocate and direct law enforcement\xe2\x80\x99s\n1\n\nPursuant to Supreme Court Rule 37.6, no counsel for a party\nauthored this brief in whole or in part. No person or entity other\nthan the Federal Law Enforcement Officers Association and its\nmembers made any monetary contribution to fund the preparation or submission of this brief. The parties have consented to\nthis filing.\n\n\x0c2\nresources. The information stored on and accessible\nthrough the IT systems operated by federal law enforcement agencies is no less important. It includes, among\nother data, a staggering amount of sensitive and confidential information concerning ongoing investigations\nand agency plans and procedures. In performing their\nduties to protect and serve the public, FLEOA members\nrely on these IT systems and databases every day. As\nsuch, FLEOA is well aware of the dangers that would\nresult should the information contained in those\nsystems be subject to unauthorized dissemination,\nalteration, or deletion. Perhaps in no single other area\nwould the administration of justice in this country be\nso corrupted than if federal law enforcement computer\nsystems were to be rendered unavailable or unreliable.\nFor those reasons, FLEOA \xe2\x80\x94 recognizing that the\nComputer Fraud and Abuse Act (\xe2\x80\x9cCFAA\xe2\x80\x9d) is the primary\nfederal statute which criminalizes malfeasance in relation to federal law enforcement\xe2\x80\x99s computer systems \xe2\x80\x94\nis substantially invested in ensuring that the CFAA\nis interpreted in a manner which fully protects the\naccuracy, reliability, and security of its computer\nsystems and databases.\nSUMMARY OF ARGUMENT\nSince being enacted in 1986, the Computer Fraud\nand Abuse Act has been the most visible and effective\nfederal law to combat cybercrime. While the CFAA\ncriminalizes a variety of cybercrimes, the majority\nof the prohibited acts require that an individual access\na computer either \xe2\x80\x9cwithout authorization\xe2\x80\x9d or by\n\xe2\x80\x9cexceed[ing] authorized access.\xe2\x80\x9d The CFAA defines\n\xe2\x80\x9cexceeds authorized access\xe2\x80\x9d as \xe2\x80\x9cto access a computer\nwith authorization and to use such access to obtain or\nalter information in the computer that the accesser is\nnot entitled so to obtain or alter\xe2\x80\x9d (18 U.S.C. \xc2\xa7 1030(e)(6)),\n\n\x0c3\nbut the seemingly more basic term \xe2\x80\x9cauthorization\xe2\x80\x9d is\nleft without any explicit statutory definition. As a\nresult of this circumstance, differing interpretations of\nthe term \xe2\x80\x9cauthorization\xe2\x80\x9d will either bolster criminal\nprotections of vital law enforcement databases or\nseverely undermine them.\nIt should be noted that this confusion does not apply\nin instances where an \xe2\x80\x9coutsider\xe2\x80\x9d \xe2\x80\x94 that is, someone\nwho has no legitimate access to a computer system for\nany purpose \xe2\x80\x94 accesses a federal database. The CFAA\nis quite clear when applied to the circumstances of\nan outside \xe2\x80\x9chacker\xe2\x80\x9d who uses technological tools and\nmethods to \xe2\x80\x9cbreak into\xe2\x80\x9d a system and thereby steal\ndata or commit cyber-vandalism. Although that situation may be the one most thought of as prototypical by\nthose without significant experience in the field of\ncomputer security, those with such experience are\nall too well-aware that the threat to systems by\n\xe2\x80\x9cinsiders\xe2\x80\x9d \xe2\x80\x94 those who have been granted, as a\ntechnological matter, the ability to use a computer\nsystem \xe2\x80\x94 is at least as, and in many cases more,\nsignificant than the threat from outsiders. Countless\nexamples from both the public and private sectors\ndemonstrate that individuals who routinely access\nshared computer resources in their day-to-day jobs are\nquite often the perpetrators of crimes targeting data\ncontained on those systems or the operation of the\nsystems themselves.\nIt is in the realm of this \xe2\x80\x9cinsider\xe2\x80\x9d threat that\napplication of the CFAA has become muddled. Under\nthe current state of the law, there is uncertainty as\nto whether the provisions of the CFAA which contain\nthe element of \xe2\x80\x9cunauthorized\xe2\x80\x9d activity are to be read\nas referring merely to the technological provision\nof access credentials to a system or data, or\n\n\x0c4\nwhether other factors \xe2\x80\x94 such as policy or contractual\nrestrictions \xe2\x80\x94 should also be considered when evaluating the nature of an individual\xe2\x80\x99s activity on a\ncomputer system.\nFLEOA respectfully submits that an interpretation\nof the CFAA that, as Petitioners maintain, considers\nonly the issue of technological controls would be\ndisastrous to the security of sensitive law enforcement\ncomputer systems and databases. This is because a\nregime where the only relevant question is \xe2\x80\x9ccould the\ndefendant have accessed this data without resorting to\n\xe2\x80\x98hacking\xe2\x80\x99 activities\xe2\x80\x9d would allow any person who has\nlegitimate access to the data carte blanche to access\nand use (or indeed in many cases destroy) that data for\nany manifestly blameworthy reason they choose. Such\na regime therefore renders limited-use grants of access\nmeaningless.\nPut another way, Petitioner\xe2\x80\x99s reading of the law\nshifts the blame from the person who commits a data\ntheft or vandalism to the system\xe2\x80\x99s overseer for failing\nto implement technological measures to stop the thief\nor vandal. To analogize to the physical world (as is\noften useful in the analysis of abstract computer security questions), Petitioner\xe2\x80\x99s interpretation is akin to a\nrule of law that states \xe2\x80\x9cif you give a key to your\nneighbor so they can water your plants while you\nare on vacation, you cannot prevent them from going\nthrough your medicine cabinet and stealing your\njewelry as well.\xe2\x80\x9d This reading contradicts the plain\nand common understanding of what it means to engage\nin \xe2\x80\x9cunauthorized\xe2\x80\x9d conduct. It also makes no sense.\nWorse still, from a practical perspective, a purely\ntechnological interpretation of \xe2\x80\x9cauthorization\xe2\x80\x9d in the\nCFAA would present law enforcement with a dilemma.\nOn the one hand, they could choose to administer and\n\n\x0c5\nmaintain those systems in a manner which allows\nlegitimate users the greatest freedom to conduct their\nwork efficiently \xe2\x80\x94 but risk insider abuse of those\nsystems and forego any criminal legal recourse for that\nmisuse by those insiders. Alternatively, they could\nfrantically attempt to \xe2\x80\x9clock down\xe2\x80\x9d access controls to\nthose systems so as to retain the possibility of criminal\nrecourse \xe2\x80\x94 but, in the process, render the systems\ninefficient to maintain, far more costly in terms of\nfinancial and human resources, and removing much of\ntheir cross-platform efficacy and intelligence-sharing\nfunctionality.\nFLEOA proposes that the only way out of this\nquandary is by according \xe2\x80\x9cunauthorized access\xe2\x80\x9d its\nplain, common-sense meaning. We therefore respectfully submit that the operator of a system, as the\nowner of that property, has the right to determine\nwhat each user of the system is permitted to do on that\nsystem. FLEOA further submits that, when the scope\nof that access is clearly delineated to the user, the\nscope of authorization is what controls for a violation\nof the statute; \xe2\x80\x9cauthorization\xe2\x80\x9d is that which has been\ngranted by the system owner and no more. Particularly\nin the context of non-public systems containing highly\nsensitive, confidential and non-public data used daily\nby law enforcement, FLEOA maintains that the\nobjectives of the CFAA \xe2\x80\x94 to protect computerized\nsystems and data from theft, malicious destruction,\nand attacks which render those systems unusable \xe2\x80\x94\nare more reasonably met when the scope of \xe2\x80\x9cauthorized\xe2\x80\x9d activity is determined by considering the totality\nof the circumstances of the grant of access against the\nplain meaning of the statute, and not merely the dry\ntechnological controls employed.\n\n\x0c6\nARGUMENT\nI. AN INTERPRETATION OF THE CFAA\nWHICH ONLY FOCUSES ON THREATS\nFROM OUTSIDE \xe2\x80\x9cHACKERS\xe2\x80\x9d IGNORES\nTHE REALITY OF HOW MODERN COMPUTER SYSTEMS, INCLUDING THOSE\nUSED BY LAW ENFORCEMENT, OPERATE\nA. Computerized Systems Used by Federal\nLaw Enforcement Agents and Officers\nAre Repositories of Massive Amounts of\nHighly Sensitive Information\nLike most modern organizations, federal law enforcement agencies rely heavily on computerized systems\nto fulfill their core mission of protecting the public\nand the Nation. These systems can be as relatively\n\xe2\x80\x9csimple\xe2\x80\x9d as servers that contain files relating to open\ncriminal investigations, or as complex as databases\nwhich allow multiple law enforcement agencies to\naggregate, share, and analyze information concerning\ncriminal activity nationwide and internationally. While\nan exhaustive catalogue and discussion of the computerized systems used by federal law enforcement is\nnot practicable in the context of this brief, a short\noverview of how those systems are generally used is\ninstructive.2\n\xef\x82\xb7\n\n2\n\nComputerized Records of Criminal Investigations.\nThe vast majority of all written records produced by law enforcement officials are, at some\npoint, stored in digital format on computers. In\n\nFLEOA notes that descriptions of computer systems and\ndatabases in this brief necessarily omit law-enforcement-sensitive\nspecifications regarding those systems and databases. Should\nthe Court desire more detail on any of these systems or databases, FLEOA can provide that information to the Court.\n\n\x0c7\naddition to ongoing case reports filed by investigators, these files often also include extremely\nsensitive information, such as the names,\naddresses, phone numbers and other personal\ninformation of victims, suspects, and witnesses.\n\xef\x82\xb7\n\nRecords Concerning Individuals Whose Identities\nRequire Protection. Law enforcement maintains\nrecords of the identities of a variety of people\nwhose physical safety relies to a great extent\non the secrecy of their association with law\nenforcement. Such individuals include protected witnesses, confidential informants, and\nundercover officers.\n\n\xef\x82\xb7\n\nPolicies and Procedures. Each law enforcement\nagency maintains written documentation concerning how it conducts its operations. These\nrecords include both generally-applicable policies, such as a description of how a border\ncontrol agent will typically conduct a search at\nan international crossing, as well as plans for\nindividual operations, such as how the Secret\nService will be deployed during a specific\nprotection detail.\n\n\xef\x82\xb7\n\nCommunications Systems. Computerized hardware and software communications systems used\ndaily by law enforcement officers provide for\nboth traditional written correspondence (email\nand text messages) and immediate transmission of orders to law enforcement personnel,\nincluding agents working in the field.\n\n\xef\x82\xb7\n\nIntelligence Sharing Systems. Many law enforcement agencies, both local and federal,\nmaintain databases of criminal and intelligence\nactivity which aggregate information gathered\n\n\x0c8\nfrom an array of sources. These systems allow\nlaw enforcement agencies to, among other\nthings, identify patterns in crimes from which\nmore effective enforcement techniques may be\nderived, and to access files created by other\nagencies which may assist in their investigations. Examples of such systems include the\nNarcotics and Dangerous Drugs Information\nSystem (NADDIS), which is an interface allowing law enforcement agents to access U.S. Drug\nEnforcement Administration data, and the\nNational Child Victim Identification Program\n(NCVIP), operated by the Child Exploitation\nand Obscenity Section of the Department of\nJustice, which is a database of seized child\npornography that is used to identify the abused\nvictims of child pornography.\n\xef\x82\xb7\n\nPersonnel Information. Like almost every other\nentity in the United States that employs individuals, law enforcement agencies also operate\ncomputerized systems that contain confidential\nhuman resources and payroll records of civilian\nagency employees and uniformed and nonuniformed law enforcement officers. These records\ninclude names, home addresses, personal telephone numbers, Social Security Numbers, names\nof relatives (and emergency contacts), health\nrecords, and bank account direct-deposit, pension and retirement and other benefits records,\nto name but a few examples. A security breach\nthat results in the exposure of this type of information could result in physical harm, threats,\nor harassment targeting both law enforcement\nofficers and agency civilian employees. This\nconcern is not unique to law enforcement, although\nlaw enforcement officials, like legislators and\n\n\x0c9\nmember of the judiciary, by virtue of their\npositions, may be more likely targets of physical\nthreats and other malicious activity than other\nmembers of the public should this information\nbe disclosed.3\nB. Law Enforcement Systems and Databases\nare Legitimately and Regularly Accessed\nby a Large Number of Users\nThe computerized systems used by law enforcement\nare intended primarily for the use of law enforcement\nagents, but many authorized users have access to\nthese systems. According to the Bureau of Justice\nStatistics, as of 2016 there were more than 132,000\nfull-time federal law enforcement officers employed by\n83 federal agencies, along with hundreds of thousands\nof state and local officers.4 Considering only these\nofficers, however, greatly understates the number of\nusers who have legitimate access to law enforcement\nsystems. In addition to law enforcement officers,\nfederal agencies (and state and local police forces)\nemploy a huge number of civilians in roles such as\n3\n\nAs the press has noted, a recent report by the Department of\nHomeland Security warns that personal information including\nnames, email addresses, phone numbers, and home addresses of\nlaw enforcement personnel has been posted to social media as\npart of a malicious \xe2\x80\x9cdoxing\xe2\x80\x9d campaign directed against law enforcement officials. Should that information have been accessed\nthrough unauthorized use of law enforcement databases by insiders,\nthe CFAA should be available to prosecute such conduct. See\nMichael Balsamo and Colleen Long, AP Exclusive: Police Officers\xe2\x80\x99\nPersonal Info Leaked Online, Associated Press (Jun. 10, 2020),\nhttps://apnews.com/23a5e9d316127994ae31ad4813db3f80.\n4\n\nU.S. Dep\xe2\x80\x99t of Justice, Office of Justice Programs, Bureau of\nJustice Statistics, Federal Law Enforcement Officers, 2016 \xe2\x80\x94\nStatistical Tables, NCJ 261992 (Oct. 2019), https://www.bjs.gov/\ncontent/pub/pdf/fleo16st.pdf.\n\n\x0c10\ncrime analysts, dispatchers, forensic technicians, and\nrecords management. Beyond that, many agencies\nnecessarily must employ outside contractors to support\ntheir activities, including in areas such as data entry\nand IT technical support which necessitate permissioned access to sensitive law enforcement computer\nsystems and databases. In total, it is reasonable to\nestimate that substantially more than 1 million\nindividuals have technological access to one or more\nnon-public law enforcement computer system as part\nof their legitimate job responsibilities. With numbers\nsuch as these, the lack of a powerful disincentive to\nabuse legitimate access or a muscular mechanism to\nredress abuse poses real peril.\nII. THREATS TO LAW ENFORCEMENT\nDATABASES AND COMPUTER SYSTEMS\nARE THREATS TO PUBLIC SAFETY AND\nTO THE ADMINISTRATION OF JUSTICE\nAs a result of the nature of the data stored on law\nenforcement computer systems and the critical role\nthose systems play in law enforcement\xe2\x80\x99s routine activities, malicious actors who misuse such confidential\ninformation could create significant threats to the\nsafety of individuals and to the integrity of ongoing\ninvestigations.\nWholesale access to active, secure investigation\nfiles, without the possibility of redress through the\nCFAA looms as a critical threat over law enforcement\xe2\x80\x99s\noperations. In the most troubling scenario, the targets\nof investigations could become aware of both the\nexistence of those investigations and the specifics of\nwhat law enforcement knows of their activities and\nhow it intends to continue the investigation. This form\nof knowledge could be used, for example, to destroy\nevidence, to terminate relationships with exposed\n\n\x0c11\nundercover officers, or to flee prior to the execution of\na search warrant. More subtly \xe2\x80\x94 but perhaps even\nmore insidiously \xe2\x80\x94 a corrupt individual with access to\ninvestigative files could easily alter key facts in those\nrecords in a manner that leads officers to misinterpret\nsituations or that introduces a flaw in a search warrant\napplication or even an arrest \xe2\x80\x94 and could even undermine confidence in all information in the database.\nMoreover, even \xe2\x80\x9cclosed\xe2\x80\x9d files often contain extremely\nsensitive information concerning the identities of\nindividuals whose physical and/or emotional wellbeing is dependent on the confidentiality of those files.\nThese dangers include physical threats resulting from\ncriminal organizations becoming aware of the identities of undercover officers, confidential informants,\ncooperating witnesses or federally-protected witnesses.\nThey also include non-physical dangers to privacy\nsafeguards that the law affords to the identities of\ncertain classes of individuals, including minors and\nthe victims of sexual offenses. That law enforcement\ndatabases often act as a historical record of an agency\xe2\x80\x99s\nactivities only heightens the threats posed by malfeasance in relation to those systems and databases.\nAnother example of the danger unregulated insider\naccess poses concerns a law enforcement agency\xe2\x80\x99s\ninternal procedures. These procedures can be as\nseemingly mundane as the processes for checking out\nan agency-owned vehicle, or as sophisticated as the\nnetwork security protocols in place to protect the\nagency\xe2\x80\x99s computer systems from outside attacks. The\nefficacy of these law enforcement \xe2\x80\x9cplaybooks\xe2\x80\x9d are\nlargely dependent on the fact that their contents are\nunknown to criminals and criminal enterprises. For\nexample, were narcotics traffickers to become aware\nof the precise scale and capabilities of the Drug\n\n\x0c12\nEnforcement Agency to detect smuggling operations,\nor the manner in which those capabilities are routinely\ndeployed, they could \xe2\x80\x94 and would \xe2\x80\x94 design their\noperations to avoid detection. Knowledge of computer\nsystem vulnerabilities gained by a malevolent insider\ncould also lead to an outsider hacking into a highly\nsensitive criminal or national security database at will.\nPlans for specific operations are another aspect\nof law enforcement procedures that must be kept\nconfidential. For example, federal agents are often\ntasked with transporting protected witnesses or protecting members of the executive, legislative and\njudicial branches during public appearances. An\nindividual who intends to perpetrate an act of violence\nagainst a protected individual would obviously be\ngreatly advantaged by advanced knowledge of the\nidentities, locations, and assignments of each agent\nparticipating in a protection detail.\nThese examples are far from exhaustive. Like any\nother organization with competitors, law enforcement\nderives benefits from the fact that its adversaries\nare unaware of its confidential information. In the\nbusiness context, the ability to keep proprietary information confidential from commercial competitors can\nafford a financial advantage. But for law enforcement,\nwhere the \xe2\x80\x9ccompetitors\xe2\x80\x9d are criminals and criminal\norganizations, the consequence of having the \xe2\x80\x9cplaybook\xe2\x80\x9d\nknown to the opponent is an undeniable and significant diminution of public safety. In the most egregious\nscenario, it can mean the difference between life and\ndeath.5\n\n5\n\nConsider, for example, the case of a disgruntled agency\ncontractor who, because their bill was not paid on time, makes\npublic all of the information on a law enforcement operations\n\n\x0c13\nIII. THE CFAA IS A PROVEN METHOD OF\nPROTECTING GOVERNMENT SYSTEMS\nFROM INSIDER THREATS\nA. The Threat of Data Theft\nThat the CFAA may be used to punish outsiders who\ncause damage to government computers has been well\nestablished at least since the Second Circuit\xe2\x80\x99s decision\nin United States v. Morris, 928 F.2d 504 (2d Cir. 1991)\n(upholding the conviction of defendant who released\n\xe2\x80\x9cworm\xe2\x80\x9d malware onto the Internet when the worm\nsubsequently caused damage to systems including\nmilitary computers), cert. denied, 502 U.S. 817 (1991).\nBut it is also important to recognize that interpretation of the CFAA as advocated by Amici has proven an\ninvaluable tool in combatting cybercrime committed\nby insiders who target law enforcement computer\nsystems.\nAn examination of several cases in which a computer\noperator was granted access permission to a system\nand was then prosecuted for malicious acts committed\noutside the scope of that access, is instructive:\n\xef\x82\xb7\n\nAbusing Civilian Access to Provide Details of\nOngoing Investigations to Criminals. In 2009, a\ncivilian employee working as a data entry clerk\nfor a contractor was tasked with entering data\ninto the NADDIS database. While having clear\npermission to be on the system, the clerk was\n\ndatabase to which they have access. Or an IT consultant with\ntechnological access to a government personnel database who\nposts on the Internet all of the personal information of all of the\ncivilian and non-civilian employees of a given law enforcement\nagency because of disdain for that particular agency \xe2\x80\x94 or for law\nenforcement generally. In these situations, real harm may befall\nnumerous victims.\n\n\x0c14\nprohibited, as a matter of policy, from using\nNADDIS for any purpose other than entering\nrecords supplied by law enforcement agents.\nThe policy also prohibited the clerk from querying NADDIS for any other purpose, and the\nclerk was, by written agreement, expressly warned\nthat the disclosure of NADDIS files could\nendanger DEA investigations. As a result, she\nwas not permitted to communicate any information found in NADDIS. In flagrant violation\nof these policies, the clerk subsequently used\nher access to NADDIS to obtain information\nconcerning the DEA\xe2\x80\x99s investigation into two\nindividuals, including her romantic partner,\nand divulged details concerning the investigation to those individuals.6 The details included\nthat law enforcement had placed a GPS tracker\non a co-conspirator\xe2\x80\x99s car. As a result of the\nclerk\xe2\x80\x99s activities, law enforcement was forced to\nexecute search warrants earlier than anticipated and, likely as a result of being \xe2\x80\x9ctipped off,\xe2\x80\x9d\nonly one other member of the drug organization\nwas arrested and charged. The clerk was\nindicted and pleaded guilty to conspiracy stemming from her violations of the CFAA.7\n\xef\x82\xb7\n\nLocal Employee Using Federal Access to Commit\nIdentity Theft. While the CFAA is a federal\nstatute, it has been effective at the state and\n\n6\n\nIndictment, United States v. Perry, No. 09-cr-0090 (D. Md.\nFeb. 25, 2009).\n7\n\nU.S. Attorney\xe2\x80\x99s Office for the District of Maryland, DEA\nContractor Pleads Guilty to Illegally Accessing Government Database,\nU.S. Department of Justice (Oct. 20, 2009), https://www.justice.\ngov/archive/usao/md/news/archive/DeaContractorPleadsGuiltyto\nIllegallyAccessingGovernmentDatabase.html.\n\n\x0c15\nlocal level as well. In a recent example, a\ncivilian employee of the Tampa Police Department was tasked with taking down reports from\ncitizens and entering them into various law\nenforcement databases. To accomplish this\ntask, she was provided access to, among other\ndatabases, the National Crime Information\nCenter (NCIC) computerized index: a system\nmaintained by the Federal Bureau of Investigation for the purpose of assisting law enforcement\nagents to perform their official duties. The\ncivilian employee was restricted from using the\nNCIC for any purpose other than the performance of her authorized duties. In clear\nviolation of these policies, as part of an identity\ntheft conspiracy, the civilian employee accessed\nthe personal information of individuals in the\nNCIC database and provided that information\nto co-conspirators who used it to file fraudulent\nfederal income tax returns in order to obtain\nfraudulent tax refunds from the government.\nThe civilian had authorized access; however,\nshe misused it. Consequently, the employee\nwas indicted in 2015 on a number of federal\ncharges, including a violation of the CFAA.8\n\xef\x82\xb7\n\n8\n\nTheft of Military Intelligence. In 2010, U.S.\nArmy Private Chelsea Manning (known then as\nBradley Manning) downloaded a large trove of\n\nIndictment, United States v. Bright, No. 15-cr-00366 (M.D.\nFla. Sep. 9, 2015); see also U.S. Attorney\xe2\x80\x99s Office for the Middle\nDistrict of Florida, Former Police Department Employee Indicted\nfor Tax Fraud, Computer Intrusion, and Identity Theft, U.S.\nDepartment of Justice (Sept. 15, 2015), https://www.justice.gov/\nusao-mdfl/pr/former-police-department-employee-indicted-tax-fra\nud-computer-intrusion-and-identity.\n\n\x0c16\nsensitive military intelligence documents from\na classified database and transmitted them to\nWikiLeaks founder Julian Assange, who published them online. Private Manning\xe2\x80\x99s TopSecret rating lawfully permitted access to the\ndatabase. At trial, in addition to espionage\ncharges, Manning was convicted of violating the\nCFAA.9\nB. The Threat of Data Manipulation\nAnother particularly insidious manner in which\nauthorized users of law enforcement computer systems have interfered with officers\xe2\x80\x99 duties is through\nthe alteration or insertion of false records into official\nrecords. Individuals with access to law enforcement\xe2\x80\x99s\nelectronic systems can instruct officers to respond to\nnon-existent threats, thus diverting them from actual\ncrime scenes. Insiders who manipulate records can\nalso remove critical details from investigative records\nwhich may stop law enforcement from effectively pursuing a case, while manipulation of historical records\ncan make criminal history invisible to background\nchecks. Subtle alterations in intelligence databases\ncan also conceal the identities or activities of those\nacting against U.S. interests in the espionage and\nterrorism realms.\n9\n\nOn appeal to the U.S. Army Criminal Court of Appeals,\nManning challenged the scope of the CFAA, arguing that the\nstatute was misapplied in light of the fact that access to the\ndatabase was \xe2\x80\x9cauthorized.\xe2\x80\x9d The appeals court recognized the\ncircuit split in the civilian courts on this issue and affirmed the\nconviction based on a reading of the statute advocated by FLEOA.\nUnited States v. Manning, 78 M.J. 501, 510-11 (U.S. Army Ct.\nCrim. App. 2018) (noting circuit split between First, Fifth,\nSeventh, and Eleventh Circuits and Second, Fourth, and Ninth\nCircuits).\n\n\x0c17\nAt first glance, it would seem as though the various\nCFAA subsections which prohibit conduct based on a\ndefendant\xe2\x80\x99s exceeding his access to a computer would\ngovern these examples, as subsection (e)(6)\xe2\x80\x99s definition\nencompasses the alteration of information that the\n\xe2\x80\x9caccesser\xe2\x80\x9d is \xe2\x80\x9cnot entitled\xe2\x80\x9d to \xe2\x80\x9calter.\xe2\x80\x9d Clearly, a law\nenforcement employee is not entitled to alter or falsify\nagency records. However, since \xe2\x80\x9centitled\xe2\x80\x9d is just as\nundefined in the CFAA as is \xe2\x80\x9cwithout authorization,\xe2\x80\x9d\nwe confront the same conundrum concerning the\ndistinction between technological measures and communicated permissions. What would stop, for example, a\nrecords clerk who deletes a law enforcement file from\nclaiming that he was \xe2\x80\x9centitled\xe2\x80\x9d to do so purely on the\nbasis of his technical permission to access to those\nrecords as part of his legitimate job duties?\nThis concern is not merely hypothetical. Examples\nof law enforcement \xe2\x80\x9cinsiders\xe2\x80\x9d who have manipulated\nrecords for criminal purposes through their legitimate\ntechnical access include:\n\xef\x82\xb7\n\nAttempts to Corrupt Law Enforcement Databases.\nIn 2010, a former data analyst working from\nthe Transportation Security Administration\xe2\x80\x99s\nColorado Springs Operations Center (CSOC),\ntasked with updating the TSA\xe2\x80\x99s servers\nwith data received from the federal Terrorist\nScreening Database and the U.S. Marshal\xe2\x80\x99s\nService Warrant Information Network, transmitted malicious code to the TSA\xe2\x80\x99s system in\nan intentional attempt to corrupt the CSOC\xe2\x80\x99s\nsystems and interfere with those systems\xe2\x80\x99 ability\nto be used to screen air passengers. The data\n\n\x0c18\nanalyst was indicted and pleaded guilty to\ncharges under the CFAA.10\n\xef\x82\xb7\n\nFalsification of Records to Enable Identity\nTheft. In 2011, a contractor who worked as a\nrecords custodian at U.S. Citizenship and Immigration services pleaded guilty to violating the\nCFAA in connection with a scheme in which\nhe assisted illegal aliens in obtaining U.S.\npassports by deleting the names, birth dates\nand other personal information of naturalized\ncitizens in a secure database and substituting\nthem with the personal information of illegal\nimmigrants. Subsequent searches for the illegal\nimmigrants by government officials would then\nindicate that the individuals were citizens\nentitled to passports.11\n\n\xef\x82\xb7\n\nFalsification of Records to Cause Detention of\nAn Innocent Person. In 2018, a former U.S.\nBorder Patrol Agent pleaded guilty to creating\nand entering into TECS (a database used by\nofficers to assist in screening at border crossing)\na false law enforcement alert claiming a man\nwith no criminal history was frequently armed\nwith a firearm and known to be linked to the\nnarcotics trade, resulting in that man\xe2\x80\x99s being\ndetained multiple times at border crossings.\nThe former agent had created the false alert in\n\n10\n\nIndictment, United States v. Duchak, No. 10-cr-00131 (D.\nColo. Mar. 9, 2010); see also U.S. Attorney\xe2\x80\x99s Office for the District\nof Colorado, Colorado Springs Man Indicted for Attempting to\nCorrupt TSA Computer Database, U.S. Department of Justice\n(Mar. 10, 2010), https://www.justice.gov/archive/usao/co/news/\n2010/March10/3_10_10.html.\n11\n\nInformation, United States v. Quidilla, No. 11-cr-00617 (S.D.\nCal., Feb. 17, 2011), Dkt. No. 14.\n\n\x0c19\nan effort to coerce the victim into dropping\ncriminal sex abuse charges against the agent\xe2\x80\x99s\nbrother-in-law.12\nAll of the above are instances which would fall outside\nthe purview of the CFAA were Petitioner\xe2\x80\x99s view of the\nstatute be adopted.\nIV. A PURELY \xe2\x80\x9cOUTSIDE HACKER\xe2\x80\x9d INTERPRETATION OF THE CFAA WOULD LIMIT\nITS UTILITY AND IMPOSE SUBSTANTIAL\nCOSTS ON ITS USE\nShould the CFAA only prohibit the conduct of those\nwho access systems to which they are technologically\ndenied access, rather than also taking into account\nprocedural and policy prohibitions, the only recourse\nfor any entity \xe2\x80\x94 law enforcement or otherwise \xe2\x80\x94 to\nprotect its systems will be to strictly limit technical\nauthorization for each individual who uses those\nsystems.\nThis authorization will necessarily be\nlimited to only the absolute minimum required to\naccomplish their job responsibilities. This is not\npractical. It also makes no sense.\nFor multiple reasons, imposing strict user-based\nlimitations on access to specific files and systems is an\nexpensive, time-consuming, and inefficient process.\n12\n\nComplaint, United States v Figeroa et al., No. 15-cr-02818\n(S.D. Cal. Oct. 7, 2015) (defendant Duran in this case was charged\nwith a violation of Title 18, United States Code, section 1519\n(Destruction, alteration, or falsification of records in Federal\ninvestigation) rather than of the CFAA); see also U.S. Attorney\xe2\x80\x99s\nOffice for the Southern District of California, Former U.S. Border\nPatrol Supervisor Pleads Guilty, Admits to Violating Civil Rights\nof Legal Border Crosser, U.S. Department of Justice (Aug. 16,\n2018), https://www.justice.gov/usao-sdca/pr/former-us-border-pat\nrol-supervisor-pleads-guilty-admits-violating-civil-rights-legal.\n\n\x0c20\nFirst, file permissions would have to be set on a fileby-file basis, rather than system or database-wide.\nSecond, each user would have to be granted or denied\naccess to each file on an individual, rather than groupbased basis. And third, the administrator of each\nsystem would be deluged with requests for exceptions\nto the access-control policy so that frontline workers\ncould simply do their jobs.\nIn the context of law enforcement, this would\nrequire, for example, only allowing an agent access to\nthe specific case files for the investigations to which he\nor she is assigned at that very moment. Database\noverseers would then be inundated with requests from\nagents to grant one-time access to other files or\nsystems. The alternative \xe2\x80\x94 allowing agents access to\nfiles not directly related to their day-to-day tasks \xe2\x80\x94\nwould expose data to misuse, alteration, or destruction\nwithout the possibility of criminal recourse or even\ncivil sanction under the CFAA.13 Additionally, as\nlaw enforcement supervisors would in many cases\ncontinue to have unfettered access to the databases in\nuse by their subordinates, supervisors would have\ncarte blanche to access, manipulate or delete data in\nany manner they chose.\nApplying such a \xe2\x80\x9chacker-only\xe2\x80\x9d CFAA regime to the\nadministration of the NADDIS database (mentioned\n13\n\nAlthough some wrongdoing \xe2\x80\x94 for example, exfiltration of\nclassified information by a corrupt insider from an intelligence\ncommunity database \xe2\x80\x94 might be covered under other federal\ncriminal statutes, that may not always necessarily be so.\nMoreover, even in cases where other crimes could theoretically\napply to clearly blameworthy data destruction, theft, or misuse\nby an insider, the loss of the clear and straightforward provisions\nof the CFAA (as understood by FLEOA) would remove a valuable\ntool available to prosecutors to redress these wrongs.\n\n\x0c21\nabove) is instructive. NADDIS is currently protected\nfrom unauthorized access by administrative, technical, and physical means and all authorized users\nacknowledge in writing that they may not disseminate\nthe information contained on the system. Through\nthese safeguards, access to NADDIS is restricted only\nto those who use the system for specific assigned tasks.\nThese authorized users include DEA agents as well as\ncivilian employees who, for example, enter data into\nthe system. Technical access can, however, be granted\nto \xe2\x80\x9cgroups\xe2\x80\x9d of users by allowing, for example, all DEA\nemployees who are agents and supervisory agents\npermission to view certain records within the database.\nIf Petitioner\xe2\x80\x99s proposed interpretation of the CFAA\nis adopted, to ensure that data contained within NADDIS\ncontinues to be maximally protected, access to NADDIS\nwould have to be further restricted by taking such\nsteps as eliminating group-based authorizations and\nrestricting each individual agent to access records\nconcerning the cases on which that individual agent is\ncurrently working. Under this approach, granting\npermissions to access NADDIS potentially changes\nfrom a simple, role-based and largely one-time authorization, to one in which every document or electronic\nrecord entered into the database would need specific,\nunique access criteria assigned to it. In addition,\nshould a DEA agent wish to view NADDIS entries\nfor other matters (for example, to see if any other\ninvestigations have involved similar factual circumstances), the agent would have to request permission\nto access those records \xe2\x80\x94 a cumbersome process which\nwould delay access to data during a time-sensitive\ninvestigation.\nIt is this latter issue which reveals the subtler, but\nmore critical, problem with strict file-based access\n\n\x0c22\ncontrol mechanisms: They remove the ability of\ncomputerized systems to be used for intelligence and\ninformation collaboration and sharing, thus defeating\nthe very purpose for which many law enforcement\ndatabases are designed. NADDIS, along with numerous other law enforcement databases, exist primarily\nto allow law enforcement the benefit of shared intelligence and iterative analysis of information which has\nbeen gathered by agents and officers nationwide and\neven internationally. These officers are then able to\nleverage this aggregated knowledge to inform their\ninvestigations and enforcement activities.\nIf the CFAA is interpreted not to criminalize misuse\nof data to which technical access has been granted, law\nenforcement will be deprived of a powerful tool \xe2\x80\x94\nin some cases the only tool \xe2\x80\x94 to deter and punish\nunauthorized misuse of vital criminal intelligence\nsystems and databases.\n\n\x0c23\nCONCLUSION\nGiven the critical nature of the computerized\nsystems used by federal law enforcement agencies on\na daily basis and the threats to those systems both\nfrom insiders and outsiders, a narrow reading of the\nCFAA limited only to outsider \xe2\x80\x9chackers\xe2\x80\x9d would allow\nacts which are commonly and reasonably perceived as\nserious cybercrimes to fall outside the scope of the\nstatute. It is therefore essential to the public safety\nmission of federal law enforcement agents that the\nCourt accord the term \xe2\x80\x9cunauthorized access\xe2\x80\x9d as it is\nused in the CFAA, according to its plain meaning so as\nto protect non-public, sensitive data from malicious\nmisuse or vandalism from both external and internal\nwrongdoers.\nRespectfully submitted,\nJOSEPH V. DEMARCO\nCounsel of Record\nDAVID M. HIRSCHBERG\nERIC SEIDEL\nBRIAN A. FOX\nDEVORE & DEMARCO LLP\n99 Park Avenue, Suite 1100\nNew York, NY 10016\n(212) 922-9499\n(917) 576-2369\njvd@devoredemarco.com\nCounsel for Amicus Curiae\nAugust 31, 2020\n\n\x0c'