After more than a decade of headlines about the vulnerability of US voting machines to hacking, it turns out the federal government says it may not be able to prosecute election hacking under the federal law that currently governs computer intrusions.
Per a Justice Department report issued in July from the Attorney General's Cyber Digital Task Force, electronic voting machines may not qualify as "protected computers" under the Computer Fraud and Abuse Act, the 1986 law that prohibits unauthorized access to protected computers and networks or access that exceeds authorization (such as an insider breach).
The report says the law generally only prohibits against hacking computers "that are connected to the Internet (or that meet other narrow criteria for protection)" and notes that voting machines generally do not meet this criteria "as they are typically kept off the Internet." Consequently, "should hacking of a voting machine occur, the government would not, in many conceivable circumstances, be able to use the CFAA to prosecute the hackers."
Aside from the fact that the assertion about voting machines not being connected is incorrect— many voting machines are connected in that they use cellular and landline modems that connect with cell towers and backend telecom networks to transmit results on election night—the government's assertion that the CFAA applies only to connected machines is news to legal experts.
"I would have thought, before the DOJ's [stated] position, that all computers are covered by the CFAA [whether connected to the internet or not]," said Orin Kerr, professor of law at the University of Southern California Gould School of Law.
Mark Rasch, a former federal computer crimes prosecutor now in private practice in Maryland, is also surprised by the government’s assertion, since this isn’t how the CFAA has been interpreted in the past. He points to a case years ago involving a student who hacked a CharlieCard—a smartcard used for travel on the Massachusetts Bay Transportation Authority's subway system. Although the student wasn't prosecuted, the MBTA sued the student under the CFAA because the card contained a processor chip. "This met the definition of a computer under the CFAA," Rasch notes, even though the card itself wasn’t a device that was connected to the internet. The CFAA allows not only criminal prosecutions for computer crimes, but also civil lawsuits.
The Justice Department did not respond to a request for comment. But last week in testimony delivered to the Senate Judiciary Committee's Subcommittee on Crime and Terrorism, Sujit Raman, associate deputy attorney general, said the Justice Department's concern with voting machines involves the CFAA's definition of a protected computer in what's known as the Commerce Clause in the statute. According to this clause, a protected computer is one "exclusively for the use of a financial institution or the United States Government" or used by or for a financial institution or the government and that in some way affects "interstate or foreign commerce or communication of the United States."
Prior to 2008, the statute defined a protected computer as one used in interstate commerce, but in 2008 it was amended to say "or affecting interstate commerce," which broadened the definition considerably. But apparently not enough to include voting machines.
Raman said the Justice Department is concerned courts might conclude the Commerce Clause doesn't apply to voting machines if they "are not used in a commercial setting, are not used in interstate communication, and are typically never connected to the Internet or to any other network."
The government wants to amend the CFAA to specifically cover voting machines so there is no ambiguity. Raman said that "[e]xpanding the definition of a protected computer to include electronic voting machines will strengthen confidence in the integrity of our electoral system and ensure that any attempts to manipulate the results of an election can be prosecuted to the fullest extent under federal law."
A bill, introduced in the Senate at the end of July by Sen. Richard Blumenthal (D-CT)—the Defending the Integrity of Voting Systems Act—would do just this, amending a protected computer to be any system that "is used for the management, support, or administration of a Federal election; or has moved in or otherwise affects interstate or foreign commerce."
Kerr said it appears the Justice Department is just being extra cautious in requesting the amendment.
"Sometimes that's a wise strategy … there is obviously a lot of concern about hacking voting machines," he noted.
But the assertion that the CFAA only applies to networked computers raises questions about federal cases involving other computers not connected to the internet that also might not meet other criteria under the law.
"[I]f DOJ wants to [now] take the view that the Commerce Clause authority is narrow, and computers have to be connected to the Internet to be regulated by the commerce clause, that's an unexpected limit in the CFAA that is worth noting," Kerr wrote in a tweet.
Former prosecutor Rasch said the government is concerning itself with a theoretical and academic argument that likely would never gain traction in a US court were a defendant to argue that "hacking a voting machine is not hacking under the CFAA because voting and elections are not commerce."
He points to two previous computer crime cases where defendants tried to claim the CFAA didn't apply because the computers involved in their crimes didn’t meet the definition of a protected computer under the Commerce Clause, and the courts rejected their claims.
Rasch said what the government really appears to be concerned about with the voting machines issue is jurisdiction. The Commerce Clause, and its definition of a protected computer, is what gives the federal government jurisdiction over hacking cases that meet these criteria. "In theory, a computer crime aimed at a non-networked computer, not used in interstate commerce, would be a state crime alone, as opposed to a federal crime," Rasch says.
But he said in reality there is no such thing. "You can make an argument that voting is not commerce because elections are not a commercial transaction. [But] since computers are manufactured in one state and used in another state … the machine has undoubtedly traveled in interstate commerce." It would therefore meet the "affecting interstate commerce" threshold, he said.
Kerr said there is also an aggregate understanding of computers that all of them in some way affect commerce or communication of the US.
Even without this interpretation, however, Rasch said federal jurisdiction for hacking voting machines is still satisfied under the current CFAA simply by the fact that voting machines are used for federal elections. And many machines used in the US today were also purchased with federal money made available in 2002 under the Help America Vote Act.
"So clearly you have sufficient federal nexus that you can make it a federal crime [without that amendment]," Rasch said.
The issue now is one of creating new problems. If the government asserts that the current CFAA only applies to networked computers, and if it succeeds in adding an amendment about non-connected systems that narrowly applies only to voting machines, the government opens the door for defendants to argue that any case involving a computer that is not connected to the internet and is not a voting machine can’t be prosecuted under the CFAA—this would include electronic pollbooks that are used to check-in voters at the polls and verify their eligibility to vote. Although some of these systems communicate in real-time to backend computers, many of them are standalone devices that do not connect.
“If an unconnected, or a moderately-connected voting machine has to be added to the list, then what about a standalone PDA or a watch or an IoT device that's not connected? Or other standalone processors that we might have. That's why I think this is a dangerous precedent,” says Rasch. “The problem with this is it creates the presumption that any non-internet connected, nonfederal owned computer is not protected under the CFAA… unless specifically mentioned.”
Kerr agrees. “[B]y creating certainty for voting machines, the government creates uncertainty about computers that are not voting machines."