The hazard with landing upon a legal solution that seems too good to be true is that it often is. …. All that said, however, I think a colorable, non-frivolous argument can be made that Elon Musk, and everyone on his DOGE team accessing the federal government’s computer infrastructure, is potentially personally liable for violating the Computer Fraud and Abuse Act (CFAA).
There are a few types of offenses under the CFAA, but they basically all involve accessing a computer “without authorization,” although some of the offenses then hinge on what happened to any information acquired from that unauthorized access. For instance, 18 U.S. Code § 1030(a)(1) speaks to unauthorized access of a computer to obtain information protected by law against disclosure that is then willfully retained or communicated to someone not entitled to receive it…. And Section 1030(a)(2)(B) applies to “[whoever] intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any department or agency of the United States.” Meanwhile Section 1030(a)(3) speaks to “[whoever], intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States.”
The DOGE bros’ multi-departmental rampage through the federal government’s computer systems, including those in the SCIFs containing classified information, as well as all sorts of other sensitive information including HR materials (OPM), Americans’ social security numbers (Treasury), and other information pertinent to national defense and foreign relations (USAID), seems to implicate all three. And it would seem to implicate it with the required mens rea, or criminal intent. There is little question, given all their tweets and other bloviation, that they knew what they were doing when they accessed the protected data described in the first offense, and in terms of those offenses that required additional intentionality it is not like they slipped and accidentally ended up with root access to these systems. …[T]here is plenty of evidence to suggest that the DOGE bros deliberately sought to infiltrate these systems without any concern for whether they had any plausibly legitimate claim to be able to. Using “Trump is letting us” to bypass all law that would ordinarily prevent their actions, when Trump has no lawful basis to grant them that authorization, and ignorance of the law no excuse to forgive their reliance, makes their intrusion the intentional act the statute forbids.
Although there is a lot we don’t know about what transpired in all these departments Musk and his minions penetrated to get those credentials into their hot little hands, we know enough to know that the answer must be no, because there was no one entitled to provide those credentials to them. Not any staff member, any more than they would have been lawfully allowed to hand the credentials to anyone who happened to walk by, and not even Trump.
However, much to the annoyance of many civil libertarians that have, correctly, worried about how powerful the CFAA is, and how much reasonable behavior can get caught in its net, the CFAA has a civil enforcement mechanism. In other words, it’s not just the government who can go after Musk; regular people can too. See 18 U.S. Code § 1030(g)…. Offhand I don’t know of a case where private individuals have brought cases asserting standing on these grounds — it’s possible there are some, although those terms may mostly be in the statute for government prosecutorial use — but we’ve also never been down a road quite like this before.
Add new comment