Did Apple hack users’ devices? That is the allegation in a class action lawsuit filed late last year. Specifically, the plaintiffs in In re Apple Inc. Device Performance Litig., 347 F. Supp. 3d 434, 451 (N.D. Cal. 2018) allege that Apple’s battery-slowing iOS updates violated a federal hacking statute, the Computer Fraud and Abuse Act (CFAA). This is the latest effort to stretch a broad, vague, and inconsistently-enforced law to cover new circumstances. This case illustrates the urgent need to write a statute that reflects today’s technological reality.
The CFAA, passed in 1986, makes it a federal felony to gain “unauthorized access” or to “exceed authorized access” to any “protected computer” and either take data or cause damage. The law was constructed when computers were relatively rare and could be defined as any “high speed data processing device” that was not an automated typewriter or a handheld calculator. It is no secret that technology has progressed significantly since the 1980s invention of the Nintendo Entertainment System or in-car stereo. In fact, modern smartphones, in-home devices, and wearable technology are all high-speed data processors that are a part of the daily lives of a significant number of Americans. However, the CFAA has not kept in tune with the technological times.
Usually, the CFAA is deployed for civil actions by employers or competitors against individuals or small companies. The CFAA has also been used to prosecute a variety of people, including a terminated employee who accessed his former employer’s data via another employee’s password, and Aaron Swartz, who released JSTOR articles. Prosecutors and companies can, and have, used it as a tool to penalize other objectionable behavior by users. The law’s civil suit option enables companies to go after competitors who access user data or after employees who violate workplace guidelines on computer usage. Under the broad language of the statute and because of the vagueness of its definitions, violating a website’s terms of service has been prosecuted as a federal felony and employees can be sued for personal use of a company computer. Computer security researchers, who hack systems in order to identify serious weaknesses, easily fall under the statute.
The law itself is broadly drawn. However, the latest use of this statute turns the typical case on its head. Owners of Apple products, whose batteries were throttled by updates from Apple, have filed multiple class action lawsuits. In the Northern District of California, the plaintiffs have alleged that the software updates pushed to their devices by Apple constituted access without authorization that resulted in damage to their devices–a violation of the CFAA. In re Apple, 347 F. Supp. 3d at 451.
Because of the breadth of the CFAA’s language, smartphones and tablets easily qualify as “protected computers.” The district court, at the motion to dismiss stage, found that the plaintiffs had sufficiently alleged that Apple had knowingly transmitted code to the plaintiffs’ devices and intended that this transmission would result in damage without the plaintiffs’ authorization. Id. at 452. However, the Court stated that, by choosing to download iOS updates, the plaintiffs had failed to adequately allege that Apple had intentionally accessed their devices without authorization and caused damage. The plaintiffs were granted leave to amend their complaint to potentially allege “ill-gotten consent.” Id. at 452-53. The CFAA intentional damage claim was one of a few causes of action to survive the motion to dismiss stage in October. If the suit is successful, Apple will be found liable under a statute originally intended to capture the kinds of computer hacking seen in the movie WarGames.
It remains to be seen if the CFAA claim becomes a more popular method of filing suit against companies for pushing damaging software updates to consumers’ devices. Though potentially holding Apple accountable for mass battery throttling may be satisfying, this case is another example of how the CFAA has stretched beyond its limits. A law that was written when computers were a new invention is now so outdated that it can capture everyday activities and a host of new devices that could not have been intended for coverage. Automatic updates and extensive terms of service provide numerous daily opportunities for civil or criminal liability. Current legislation, which is unlikely to pass, would alter the CFAA to broaden its scope to capture activities by Russian agents, but would not address the law’s deeper problems. The CFAA remains a blunt and volatile instrument, subject to significant differences in interpretation by prosecutors, judges, and civil attorneys. Modern technology users and developers should not be left to wonder when a law from 1986 will be brought to bear against them in criminal or civil court.