Deactivating President Trump’s Twitter Account

November 20, 2017
Jay Kesan

University of Illinois College of Law

Many people fantasize about dramatic ways to quit their jobs.  One anonymous Twitter employee allegedly acted on one such fantasy.  For eleven minutes on November 2nd, President Trump’s personal Twitter account was deactivated.  Twitter’s initial explanation was that the deactivation was due to human error.  But it seems that this was no accident.  Rather, it was a defiant final action of an employee on his or her last day of work.  

What comes after viral fame?  Some attorneys warn that the ex-Twitter employee should lawyer up.  That is because a federal cybercrime law, the Computer Fraud and Abuse Act, has been interpreted very broadly by courts.  The CFAA is usually thought of as an anti-hacking statute.  But prosecutors have argued in a variety of situations that a particular defendant accessed a computer without authorization or exceeded authorized access, in violation of the CFAA.  For example, Lori Drew was prosecuted under the CFAA for exceeding authorized access to MySpace’s servers after she created a fake profile to harass her daughter’s classmate.  Before Internet activist Aaron Swartz committed suicide, prosecutors had been preparing a CFAA case against him for using authorized accounts to automatically download academic databases.

More relevantly, the CFAA has been used to prosecute employees who use their access to do improper things.  But courts disagree about how the CFAA applies.  If the Justice Department decides to prosecute the individual who deleted the Twitter account, a lot will turn on where the case is brought.  In the Eleventh Circuit, a jurisdiction that includes Florida, Georgia, and Alabama, a government employee named Roberto Rodriguez used his access to Social Security Administration databases to look up information about some people in his life.  The appeals court affirmed his conviction for exceeding authorized access under the CFAA.  But further north, the Second Circuit came to the opposite conclusion.  Gilberto Valle was on trial for using government databases at the NYPD to look up information about some people that he was interested in.  In Valle’s case, the court adopted a narrower definition of exceeding authorized access and concluded that acting with an improper purpose did not amount to unauthorized access.

If the current allegations are true, the Twitter employee may have violated the CFAA – or maybe not.  In the Valle case, the court applied the rule of lenity, which is a principle that says that if the meaning of a law is vague or unclear, a court should adopt the more lenient interpretation of the law during a criminal prosecution.

An essential part of any case against this ex-employee will be the employment agreement or computer use policy that they signed in order to work for Twitter.  Those contracts are most likely what a prosecutor would rely on to argue that the ex-employee did not have authorization to delete the account.  The problem with this is that it allows private companies like Twitter to determine whether the CFAA has been violated.  This interpretation forces the government to use private contract language to detect whether a crime has been committed.  But contract violations are traditionally civil issues, not criminal issues.  Twitter could sue the ex-employee because they violated Twitter’s computer use policy by deleting the President’s Twitter account, but allowing a criminal prosecution for the same offense may be harder to justify.

Cybersecurity threats have evolved so quickly that it is challenging for cybercrime laws to keep up.  The CFAA essentially gives private companies the power to criminalize actions by prohibiting such actions in their contracts.  The saga of this ex-employee is just one of many things about the Computer Fraud and Abuse Act that courts disagree about.