When It’s Not Just A Coup But A CFAA Violation Too

Legal Issues

from the tic-tac-DOGE dept

The hazard with landing upon a legal solution that seems too good to be true is that it often is. So as you read this post it is important to keep in mind that I may have overlooked something, and there can always be defenses. Few things are guaranteed in law, and even in the best of times it is always subject to taking some unexpected twists and turns as it is applied to real life situations.

All that said, however, I think a colorable, non-frivolous argument can be made that Elon Musk, and everyone on his DOGE team accessing the federal government’s computer infrastructure, is potentially personally liable for violating the Computer Fraud and Abuse Act (CFAA).

What follows is a high-level overview explaining how what Musk and his team are doing qualifies as a violation of the statute, and what the consequence of this violation should be. The argument largely rests on the fact that the access DOGE has demanded for itself is unauthorized because, per statute, there was no lawful power anyone in DOGE could claim for itself, or themselves, with which to demand it. Congress has control over whom the President can empower, yet here he has unilaterally and unlawfully empowered people outside of what the law Congress duly passed allows him to do. Which means there is no power that those he “empowered” can lawfully wield, and so the power they did wield to obtain access was unlawful. That unlawfulness made the access they obtained access “without authorization,” which they have then used to inflict the very sort of harm to America’s computer infrastructure that the CFAA exists to deter and punish.

Background

Although in recent years there has been more attention paid by Congress and regulatory agencies to the problem of cybersecurity, the unauthorized use of a computer is still mostly addressed by the original anti-hacking law put on the books: the Computer Fraud and Abuse Act. Congress passed the CFAA after President Reagan saw the movie War Games and became alarmed that we had no law deterring access to sensitive government computer systems. Congress has periodically amended the statute over the past forty years, which means that today it’s a bit of a kludge, but, for better or worse, it’s still a pretty powerful kludge. While concerns have often been fairly raised that it can be too powerful and target computer use that should not be deemed wrongful, here we are facing exactly the sort of attack on government computer systems the law was always intended to forestall.

Basic Offenses

There are a few types of offenses under the CFAA, but they basically all involve accessing a computer “without authorization,” although some of the offenses then hinge on what happened to any information acquired from that unauthorized access. For instance, 18 U.S. Code § 1030(a)(1) speaks to unauthorized access of a computer to obtain information protected by law against disclosure that is then willfully retained or communicated to someone not entitled to receive it.

[Whoever] having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it

And Section 1030(a)(2)(B) applies to “[whoever] intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any department or agency of the United States.” Meanwhile Section 1030(a)(3) speaks to “[whoever], intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States.”

The DOGE bros’ multi-departmental rampage through the federal government’s computer systems, including those in the SCIFs containing classified information, as well as all sorts of other sensitive information including HR materials (OPM), Americans’ social security numbers (Treasury), and other information pertinent to national defense and foreign relations (USAID), seems to implicate all three. And it would seem to implicate it with the required mens rea, or criminal intent. There is little question, given all their tweets and other bloviation, that they knew what they were doing when they accessed the protected data described in the first offense, and in terms of those offenses that required additional intentionality it is not like they slipped and accidentally ended up with root access to these systems. We require intentionality because we are concerned with people accidentally finding themselves having committed felonies when they had intended no such unlawful act, which has been an issue with CFAA claims over “exceeding authorization.” But here there was no authorization to exceed. Instead here there is plenty of evidence to suggest that the DOGE bros deliberately sought to infiltrate these systems without any concern for whether they had any plausibly legitimate claim to be able to. Using “Trump is letting us” to bypass all law that would ordinarily prevent their actions, when Trump has no lawful basis to grant them that authorization, and ignorance of the law no excuse to forgive their reliance, makes their intrusion the intentional act the statute forbids.

”Without authorization”

Whether the DOGErs had authorization to access (much less manipulate) these computer systems is key to all three CFAA offenses discussed here. That question does not depend on whether they managed to somehow obtain login credentials. If just having login credentials were enough to count as “authorized” access then every hacker who managed to get hold of anyone’s login credentials would be “authorized,” and it’s pretty clear the law still thinks there is a problem when bad actors get access to systems they aren’t supposed to have by using credentials they aren’t supposed to have. What we need to care about instead is whether the DOGE dudes were authorized to have those credentials at all.

Although there is a lot we don’t know about what transpired in all these departments Musk and his minions penetrated to get those credentials into their hot little hands, we know enough to know that the answer must be no, because there was no one entitled to provide those credentials to them. Not any staff member, any more than they would have been lawfully allowed to hand the credentials to anyone who happened to walk by, and not even Trump. Despite what he seems to think, Trump is not a king; he does not have unfettered power. His power is constrained by law. And law does not seem to allow him to empower the DOGE team to do what it has been doing.

Trump’s argument appears to be that if he were the most powerful person who could do anything he wanted, he could send anyone on his behalf to do what he wanted. But the Constitution and statute are careful to make sure he is not so unilaterally powerful because Congress is entitled to the transparency and visibility it needs to be able to ensure that the power the President yields is in furtherance of the People’s will. It’s why Congress gets to approve appointments, and why Congress also thought to rein in advisory committees to make sure this very thing wouldn’t happen: that unelected people beyond the purview of Congress’s supervision couldn’t run rampant in conflict with it. Or, in other words, to prevent exactly what is happening from happening, with this ad hoc, illegally-staffed presidential committee destroying the infrastructure, departments, and policy that Congress has built on behalf of the people.

This question of DOGE’s illegality is still being litigated, so it may be a while before a court can render an official opinion on whether DOGE is truly acting outside the law, but a facial reading of the statute and relevant caselaw strongly support such a conclusion. And, if so, it should mean that all of Musk and his minions’ access to these computer systems has been “unauthorized” for CFAA purposes, since there was no way for it to actually have been authorized — not by any existing law, and not by Trump ignoring it.

Enforcement

And so it would seem that Musk and his team are indeed breaking the law, including this law, as much as it feels like they are.

But what is there to do about it? The Computer Fraud and Abuse Act is a criminal law, but the way Trump is also gutting the DOJ means there probably won’t be anyone there to prosecute it. And even if the DOJ could obtain a conviction, Trump could just pardon them anyway.

However, much to the annoyance of many civil libertarians that have, correctly, worried about how powerful the CFAA is, and how much reasonable behavior can get caught in its net, the CFAA has a civil enforcement mechanism. In other words, it’s not just the government who can go after Musk; regular people can too. See 18 U.S. Code § 1030(g):

Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.

There are however a few limitations:

A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses [5] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

The last part about the negligent design appears inapplicable, and for now we don’t have to worry about the statute of limitations, although it might be good for Musk and crew to know that this liability can hang over their heads for at least two years. We should also acknowledge that any damage claim is for economic damages only, but there’s a lot of harm that can get construed in those terms. It’s the first part that is most important to us, and usually CFAA civil litigation hinges on the first criteria listed, at 18 U.S. Code § 1030(c)(4)(A)(i)(I), which requires a plaintiff (or a group of plaintiffs) to have an aggregated loss of at least $5000 within one year in order to bring a lawsuit.

In this case however, some of the other criteria might also be relevant depending on the consequences of the DOGE boys’ breach of the computer systems, like physical injury, § 1030(c)(4)(A)(i)(III), a “threat to public health or safety,” § 1030(c)(4)(A)(i)(IV), or “damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security.” § 1030(c)(4)(A)(i)(IV). Offhand I don’t know of a case where private individuals have brought cases asserting standing on these grounds — it’s possible there are some, although those terms may mostly be in the statute for government prosecutorial use — but we’ve also never been down a road quite like this before.

Damages

Even if the standing needed to sue hinges on the need for there to be at least $5000 in damages, the math suggests at least one lawsuit could be brought. Because even if the only damage any individual could incur is what it costs for credit monitoring, there are so many individuals affected that the amount of aggregated harm would easily exceed $5000. Given that the OPM hack of a few years ago led to federal employees getting a few years’ worth of credit monitoring, we understand that incurring such a cost is a reasonable harm that can be measured in economic terms.

While no one particular employee might incur enough on their own to reach the standing threshold, even if it only cost $10 for a year of it, it would only take 500 people to reach it. And we know there are far more than just a few hundred people affected by these breaches. At minimum there are over 3 million federal employees made vulnerable by the OPM incursion, and more than 70 million social security recipients affected by the incursion at Treasury. Even just looking at credit monitoring costs, at $10 a pop for just a year for everyone, damages are approaching a billion dollars, and these populations and amounts are just the tip of the iceberg.

Given how deep their infiltration has been into so many systems, across so many departments, affecting so many people, by revealing to them information that is so sensitive, the damage tally is likely to be enormous. For instance, with the DOGE vandals mucking around with the Treasury department, risking salaries and all sorts of other payments, there is almost no limit to the economic harm they could do.

And that’s not even the worst of it. The information compromised by their intrusion into the OPM and USAID systems includes intimate details of foreign service workers often stationed in unfriendly areas or in areas targeted by our adversaries. Their access has already jeopardized the security of many, and it will cost them a great deal to try reclaim it. But that measure of cost is but a fraction of the harm that will accrue if they or their loved ones ends up injured or killed as a result of Musk and DOGE.

We really don’t even know yet what the full fallout of the Musk intrusion will be, or how heavy the cost. Only that it must be his and his team’s to bear.

Deterrence

In addition to damages, the CFAA also allows for injunctive relief. Pursuing it could be a way to stop this madness. All it should take is one lawsuit (or at least one lawsuit per department infiltrated) to cause a court to order Musk and Co. out of the computer systems and bar them, under threat of contempt, from disclosing any of the information they gleaned from being in them. (It would also help the outraged public hold onto the belief that law matters, and that what they are seeing unfold is wrong and that people actually care to stand up to it, which can then in turn help them and others stand up to it too.) True, if the Muskers do not obey, we will have a new Constitutional crisis on our hands, but if they do ignore it, and the public sees them ignoring it, then the public can decide what to do about that attack on our democracy. The point with this post is to suggest there is something that already can be done with regard to this attack on our democracy too.

But short of a court telling them to stop, it would be helpful if they did it on their own. And even threatening a plausible CFAA lawsuit could spook them into stopping once they realize that they might face a consequence for what they’ve been doing, and quite a consequence at that. Maybe it won’t spook Musk, who can readily afford lots of lawyers and nine- or ten- figure damage awards — although given the number of people he has affected, he has potentially enough litigants with enough damages to be flirting with damage awards with that many digits (or more). But it seems unlikely that anyone else on his team can afford to pay anything close to the damage bill they tempt, or all the lawyers they would need to fight off all the lawsuits that now nearly everyone could bring, even if in groups of a few hundred at a time.

And if anyone from DOGE tries to use DOJ lawyers to defend themselves, it will just increase the theft from the public and be something else for the public to challenge. Which gets into why the DOGErs may think they are immune from all consequence: that they are from the government and protected by that position. But they have no position! The same thing that makes their access unauthorized — that they are not duly authorized federal workers or officials acting under the color of offices, which don’t exist, and which could not lawfully exist on these terms that they have claimed their fictional authority (if nothing else law requires us to screen candidates before giving them access to such sensitive systems) — is also what likely deprives them of all the immunities and protections that could potentially apply to those positions. The law should treat them like the private citizens they are, engaged in activities that no private citizen can lawfully engage in, because, again, Trump did not do, and could not do, anything needed to change that status and authorize this behavior (in fact, reports are that at least some of the vandals don’t have any federal job at all, let alone one that would allow for this activity). And being private citizens means they lack the protections of officials engaged in official functions because there is no way that what they are doing can be construed as official.

Perhaps they might get lucky and some court might see things their way, but given the enormity of the potential damage amounts they might be on the hook for, expecting such an outcome would be quite the gamble. Perhaps they think that they are somehow protected by Trump and so can do whatever they want with these systems with impunity. But as long as they don’t control the courts, and have assets in states that would be willing to enforce judgments against them, they aren’t nearly as protected as they think.

Filed Under: cfaa, doge, donald trump, elon musk