Is It A Crime?: Russian Election Meddling and Accomplice Liability Under the Computer Fraud and Abuse Act

Helen Klein Murillo, Susan Hennessey
Thursday, July 13, 2017, 10:24 AM

There’s been a lot of bad news for the Trump team this week. Shocking revelations regarding a meeting between Donald Trump Jr., Jared Kushner, and Paul Manafort and someone they believed to be a representative of the Russian government currently dominate headlines.

Most of the speculation about possible crimes that might have been committed has centered on possible violations of campaign finance law. But another recent story highlights a different possible form of criminal liability: violation of the Computer Fraud and Abuse Act.

Donald Trump Jr. speaks at Iowa State on November 1, 2016/Max Goldberg

Published by The Lawfare Institute
in Cooperation With
Brookings

There’s been a lot of bad news for the Trump team this week. Shocking revelations regarding a meeting between Donald Trump Jr., Jared Kushner, and Paul Manafort and someone they believed to be a representative of the Russian government currently dominate headlines.

Most of the speculation about possible crimes that might have been committed has centered on possible violations of campaign finance law. But another recent story highlights a different possible form of criminal liability: violation of the Computer Fraud and Abuse Act.

Yesterday evening, the New York Times reported:

Two Democratic Party donors and a former party staff member have filed an invasion of privacy lawsuit against President Trump’s campaign and a longtime informal adviser, Roger J. Stone Jr., accusing them of conspiring in the release of hacked Democratic emails and files that exposed their personal information to the public.

The case was organized by Protect Democracy, a government watchdog group run by former Obama administration lawyers. It filed the claim just short of a deadline under a one-year statute of limitations for privacy invasion lawsuits: WikiLeaks published the first archives of stolen Democratic National Committee emails, which intelligence agencies say Russia hacked to harm Hillary Clinton’s presidential campaign and help Mr. Trump, last July 22.

Andy Wright has a good summary of the case on Just Security as well. So how exactly does a civil suit on a privacy tort help us to better understand the available criminal charges?

To explain, we have to back up to a hypothetical posed by law professor Orin Kerr in a Twitter thread over the weekend. Here is a consolidated version of Kerr’s hypothetical:

Let's say the Trump campaign was contacted by hackers who said they had already hacked the DNC, etc. and that they wanted to help Trump get elected by releasing the documents to hurt Clinton. Assume the hackers asked the Trump campaign for any advice on how best to release the docs to hurt Clinton. Campaign members gave some quick advice on what and when to release documents.

Question: Are they guilty of conspiracy to violate the CFAA, 18 USC 1030(a)(2)(C), enhanced to a felony under 1030(c)(2)(B)(ii), on the theory that they were agreeing to help to further a disclosure of the docs under in violation of a privacy tort? Alternatively, does 18 USC 2 (accomplice liability) apply to an effort to assist in the tort violation that provides the felony enhancement?

Kerr posed his hypothetical before the revelations about Trump Jr., Kushner, and Manafort’s June 9 meeting and before the recent filed lawsuit alleging tortious invasion of privacy. In short, his hypothetical is far more plausible factually now than before.

The Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act, at 18 U.S.C. § 1030, makes it a crime to “intentionally access[] a computer without authorization . . . and thereby obtain[] . . . information from any protected computer.” This is the crime that would apply to activities like hacking the DNC or John Podesta’s email.

The basic crime in § 1030(a)(2)—accessing a protected computer without authorization and obtaining information—is a misdemeanor. But, that same action can turn into a felony under § 1030(c)(2)(B)(ii) if “the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” For purposes of keeping them straight in the below analysis--which gets a little dense--we’ll call 1030(a)(2) “the misdemeanor” and 1030(c)(2)(B)(ii) “the combination felony.” Basically, if the hacking at issue is part of a broader criminal scheme—just the first step in a broader scheme to illegally release or use information—then the hacking itself becomes a felony.

Now, if the Trump team knew about and participated in the hacking scheme from the get go, before it was completed, they could be criminally culpable under § 1030(b), which covers anyone who conspires to commit or attempts to commit an offense under subsection (a). There isn’t much, if anything, on the public record to support that kind of claim.The identified Russian hackers had been in the compromised systems for more than a year prior to discovery.

Instead, in light of Don Jr.’s emails, the more pertinent question is what liability might attach if the Trump team learned about the DNC hack only after it had occurred (after a completed violation of the misdemeanor offense (§ 1030(a)(2)(C))) but then assisted in coordinating the release of the documents in violation of some other crime or tort (the enhancing element for the combination felony (§ 1030(c)(2)(B)(ii)); would that be sufficient for accomplice liability or conspiracy?

Federal Accomplice Liability and Combination Crimes

Under the federal aiding and abetting statute at 18 U.S.C. § 2, anyone who “aids, abets, counsels, commands, induces or procures” the commission of a federal crime is punishable as though they committed the crime directly. To take a simple example, if you know someone is planning to commit murder and you encourage her to do it, you can be directly prosecuted for the resulting murder. As the Supreme Court has explained, “§ 2 reflects a centuries-old view of culpability: that a person may be responsible for a crime he has not personally carried out if he helps another to complete its commission.”

In Rosemond v. United States, the Supreme Court faced a strikingly similar question to the CFAA question Kerr raises: a question of accomplice liability for a combination crime where the defendant knew about only one part of the crime in advance. Rosemond was charged with a violation of 18 U.S.C. § 924(c), a statute that makes it a felony to “use[] or carr[y]” a firearm “in furtherance of” a drug trafficking crime. Section 924(c) is functionally a sentencing enhancement much like § 1030(c). Rosemond was charged on an accomplice liability theory under § 2 when his confederate in the drug crime used a gun. The jury instruction in that case indicated that Rosemond could be convicted as an accomplice to a § 924(c) violation if he “knew his cohort used a firearm in the drug trafficking crime . . . and he actively participated in the drug trafficking crime,” even if he didn’t know about the gun ahead of time.

The Supreme Court explained the basic test: “a person is liable under §2 for aiding and abetting a crime if (and only if) he (1) takes an affirmative act in furtherance of that offense, (2) with the intent of facilitating the offense’s commission.” First, the Court explained that a defendant need not aid and abet every element of a crime to satisfy the affirmative act prong:

As almost every court of appeals has held, “[a] defendant can be convicted as an aider and abettor without proof that he participated in each and every element of the offense.” . . . In proscribing aiding and abetting, Congress used language that “comprehends all assistance rendered by words, acts, encouragement, support, or presence,” Reves v. Ernst & Young, 507 U. S. 170, 178 (1993)—even if that aid relates to only one (or some) of a crime’s phases or elements. So, for example, in upholding convictions for abetting a tax evasion scheme, this Court found “irrelevant” the defendants’ “non-participation” in filing a false return; we thought they had amply facilitated the illegal scheme by helping a confederate conceal his assets. United States v. Johnson, 319 U. S. 503, 515, 518 (1943). “[A]ll who shared in [the overall crime’s] execution,” we explained, “have equal responsibility before the law, whatever may have been [their] different roles.” Id., at 515.

. . .

In helping to bring about one part of the offense (whether trafficking drugs or using a gun), he necessarily helped to complete the whole. And that ends the analysis as to his conduct. It is inconsequential, as courts applying both the common law and §2 have held, that his acts did not advance each element of the offense; all that matters is that they facilitated one component.

So what are the components of a CFAA crime that one could aid and abet? As described above, there is a basic misdemeanor offense—improperly accessing a protected computer. But additional conduct—using the stolen information to commit a tort or other crime—turns that misdemeanor into a felony. Although the U.S. Code labels that additional conduct as a “sentencing enhancement,” because an additional element turns the crime into a felony, courts will analyze the felony as a distinct crime. In other words, it is a felony to “intentionally access[] a computer without authorization . . . and thereby obtain[] . . . information from any protected computer . . . in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” That felony is not complete until the additional crime or tort has been committed.

In United States v. Auernheimer, the U.S. Court of Appeals for the Third Circuit addressed this question in its examination of where venue would be proper in a criminal case against a defendant charged with conspiracy to commit both the misdemeanor and felony CFAA offenses. The government alleged the defendant’s unlawful access to a computer was “in furtherance of” a violation of New Jersey’s computer crime statute, thereby satisfying § (c)(2)(B)(ii), and indicted him in New Jersey. Because a criminal defendant has a right to be tried in the state in which the alleged crime was committed, the defendant objected to venue in New Jersey, arguing that the crime involved accessing servers in Georgia and Texas while the co-conspirators were in California and Arkansas. After the court concluded that the “essential elements” of § 1030(a)(2)(C) (the misdemeanor) were thus all committed outside of New Jersey, it wrote:

This is not the end of our analysis, however, because the Government did not just charge Auernheimer with conspiracy to commit an ordinary violation of the CFAA, but also with conspiring to violate the CFAA in furtherance of a state crime ...The enhancement relevant here provides for such increased punishment if “the offense was committed in furtherance of any criminal or tortious act in violation of the ... laws of ... any State.” Id. § 1030(c)(2)(B)(ii). “[A]ny ‘facts that increase the prescribed range of penalties to which the criminal defendant is exposed’ are elements of the crime” that must be proven to the jury beyond a reasonable doubt. . . . This is true even if they are explicitly termed “sentence enhancement[s]” in the statute. . . .

The New Jersey statute allows for criminal liability “if the person purposely or knowingly and without authorization, or in excess of authorization, accesses any ... computer [or] computer system and knowingly or recklessly discloses, or causes to be disclosed any data ... or personal identifying information.” N.J. Stat. Ann. § 2C:20–31(a). Its essential conduct elements are accessing without authorization (or in excess of authorization) and disclosing data or personal identifying information.

This is all to say that § 1030(c)(2)(ii) (the combination felony) requires proving all the elements of a separate tort or crime. Because of the additional element(s), it is treated by courts as a separate offense even if formally categorized as a sentencing enhancement. This matters because you cannot conspire to commit a crime after every single element of the offense is completed. There are other after-the-fact offenses—for example, misprision of a felony—that might attach, but those are distinct from the underlying offenses being discussed here.

In plain language, the felony charge requires proving a second crime or tort (like invasion of privacy). So in Kerr’s hypothetical, the hacking offense is already completed (a misdemeanor), but then the Trump campaign gets involved in the felony part of the offense—publishing illegally obtained emails in violation of state or federal law. In the words of the Rosemond Court, aiding in this stage of the crime necessarily “help[s] to complete the whole,” and therefore “ends the analysis” as to the conduct prong of § 2.

The Rosemond Court specifically rejected the argument that the act sufficient for § 2 must go to some “essential feature” of the crime—in that case, the gun component rather than the drug component:

Rosemond argues, to the contrary, that the requisite act here “must be directed at the use of the firearm,” because that element is §924(c)’s most essential feature. Brief for Petitioner 33 (arguing that “it is the firearm crime” he was really charged with aiding and abetting, “not the drug trafficking crime”). But Rosemond can provide no authority for demanding that an affirmative act go toward an element considered peculiarly significant; rather, as just noted, courts have never thought relevant the importance of the aid rendered. See supra, at 7–8. And in any event, we reject Rosemond’s premise that §924(c) is somehow more about using guns than selling narcotics. It is true enough, as Rosemond says in support of that theory, that §924(c) “establishes a separate, freestanding offense that is ‘distinct from the underlying [drug trafficking crime].’” Brief for Petitioner 32 (quoting Simpson v. United States, 435 U. S. 6, 10 (1978)). But it is just as true that §924(c) establishes a freestanding offense distinct from any that might apply just to using a gun—say, for discharging a firearm in a public park. That is because §924(c) is, to coin a term, a combination crime. It punishes the temporal and relational conjunction of two separate acts, on the ground that together they pose an extreme risk of harm.

The same can be said here. Though one might characterize the “essential feature” of a CFAA violation to be the hacking, the offense is a felony when done in furtherance of a tort or other crime because the combination is especially harmful. It’s not just illegal hacking; it’s illegal hacking to then use the ill-gotten material to commit another wrong. Under Rosemond’s logic, aiding the commission of the tort or violation of a secondary law necessary to constitute a § 1030(c)(2)(B)(ii) felony is likely sufficient for the affirmative act prong.

As in Rosemond, the second element—”intent of facilitating the offense’s commission”—is harder to prove. Finding it lacking in that case, the Rosemond Court wrote:

An intent to advance some different or lesser offense is not, or at least not usually, sufficient: Instead, the intent must go to the specific and entire crime charged—so here, to the full scope (predicate crime plus gun use) of §924(c). . . . And the canonical formulation of that needed state of mind—later appropriated by this Court and oftquoted in both parties’ briefs—is Judge Learned Hand’s: To aid and abet a crime, a defendant must not just “in some sort associate himself with the venture,” but also “participate in it as in something that he wishes to bring about” and “seek by his action to make it succeed.”

. . .

[F]or purposes of aiding and abetting law, a person who actively participates in a criminal scheme knowing its extent and character intends that scheme’s commission. The same principle holds here: An active participant in a drug transaction has the intent needed to aid and abet a §924(c) violation when he knows that one of his confederates will carry a gun. In such a case, the accomplice has decided to join in the criminal venture, and share in its benefits, with full awareness of its scope—that the plan calls not just for a drug sale, but for an armed one. In so doing, he has chosen (like the abettors in Pereira and Bozza or the driver in an armed robbery) to align himself with the illegal scheme in its entirety—including its use of a firearm. And he has determined (again like those other abettors) to do what he can to “make [that scheme] succeed.” . . . He thus becomes responsible, in the typical way of aiders and abettors, for the conduct of others. He may not have brought the gun to the drug deal himself, but because he took part in that deal knowing a confederate would do so, he intended the commission of a §924(c) offense—i.e., an armed drug sale.

For all that to be true, though, the §924(c) defendant’s knowledge of a firearm must be advance knowledge—or otherwise said, knowledge that enables him to make the relevant legal (and indeed, moral) choice.

So the question here is whether anyone in the Trump campaign had the requisite intent as to the entire CFAA crime, not just any tortious or criminal purpose that came after the hacking. That is to say, a defendant wouldn’t have to have been involved from the outset, but he or she would have needed to be aware of the larger scheme before deciding to participate in the second element—the part that made it a felony—for accomplice liability to attach. Ultimately, that would be a question for a jury and would depend on facts not presently in the public record. It would depend on indications of things like defendants being aware of the hacking, knowingly receiving the fruits of that hacking, and being aware of a common scheme to assist the campaign in violation of the law.

What Counts As the Second Offense of the Combination Felony (§ 1030(c)(2)(B)(ii))?

Before yesterday, there was also the issue of what the second act that fulfills the § 1030(c)(2)(B)(ii) enhancing element might be. Kerr had posited an invasion of privacy tort based on the publication of private emails—the precise claim now being pursued by the Democrats harmed by the leak. The legal argument here is certainly plausible, but not without issues. Even where publishing the emails is a tort, there is some argument that the First Amendment would preempt the tort under Bartnicki v. Vopper. If the newest lawsuit survives a motion to dismiss however, that would do a substantial amount of the leg work towards satisfying an independent § 1030(c)(2)(B)(ii) element.

And invasion of privacy is not the only option; there are other possibilities in state law as well. For example, in Auernheimer (cited above), the charge rested on a NJ statute that punished knowing or purposeful disclosure of personally identifying information. Similarly here, identifying a relevant statute and proving up the elements of that statute would be a prerequisite to the accomplice liability theory of Kerr’s hypothetical.

Another possible stumbling block, is hinted at in the Department of Justice Computer Crimes Manual which notes that “[p]rosecutors should consider whether the defendant manifested intent to commit a state tort, such as invasion of privacy, at the time the information was obtained.” While the precedent isn’t entirely clear on the matter, it is possible prosecutors here would need to prove not just that a member of the Trump team was aware of the CFAA scheme when he or she took steps to support the tortious act or violation of another state or federal law, but also that the Russians had the intention of publishing the emails at the time they obtained the information in the first instance. It isn’t at all clear from the public record that the Russians initially obtained the emails for the purpose of publishing them. Indeed, there is some suspicion the original intrusion was just in furtherance or ordinary espionage and the plan to release the emails came later.

Based on the current record, a CFAA violation might still be low on the list of possible charges. That said, Don Jr. and company probably shouldn’t rest easy; each week seems to bring revelations—and documentation—more shocking than the last.


Helen Klein Murillo is a student at Harvard Law School, where she is an editor of the Harvard Law Review. Helen holds a B.A. in Political Science and Spanish from the University of California, Irvine.
Susan Hennessey was the Executive Editor of Lawfare and General Counsel of the Lawfare Institute. She was a Brookings Fellow in National Security Law. Prior to joining Brookings, Ms. Hennessey was an attorney in the Office of General Counsel of the National Security Agency. She is a graduate of Harvard Law School and the University of California, Los Angeles.

Subscribe to Lawfare