Democracy & Elections

Did Donald Trump Jr. Admit to Violating the Computer Fraud and Abuse Act?

Orin Kerr
Sunday, April 29, 2018, 4:48 AM

A law-nerd analysis of whether Donald J. Trump Jr. violated the CFAA based on his recently-disclosed e-mail. 

Donald Trump, Jr. speaking with Trump campaign supporters at a rally in October 2016 (Flickr/Gage Skidmore)

Published by The Lawfare Institute
in Cooperation With

The recently-released Minority report of the House Permanent Select Committee on Intelligence (HPSCI) discloses a copy of an e-mail sent by Donald J. Trump Jr., on September 21, 2016, to a group of top Trump campaign officials.   The e-mail is interesting because Trump may have confessed in it to committing a federal crime, specifically 18 U.S.C. § 1030(a)(2).   It's just a misdemeanor based on the facts we know.  But depending on the circumstances, the violation could also be a felony.  

Here are the law-nerd details.

Support Lawfare

We learned back in 2017 that Trump Jr. exchanged direct messages on Twitter with the Wikileaks account during the 2016 Presidential campaign.  We knew that Wikileaks had sent Trump Jr. a message that included guessed login credentials of a default account on an about-to-launch anti-Trump website, and that Wikileaks encouraged him to visit the site.  But we didn't know if Trump Jr. or anyone else had actually used the username and password. As Matt Ford at The Atlantic explained, with some explanation by me:

Trump Jr.’s messages also show WikiLeaks providing him with the login information of an anti-Trump website. “A PAC run anti-Trump site is about to launch,” the account wrote to Trump Jr. “The PAC is a recycled pro-Iraq war PAC. We have guessed the password. It is ‘putintrump.’ See ‘About’ for who is behind it. Any comments?” Trump Jr. replied that he would “ask around” about the website’s provenance.

But Trump Jr. doesn’t indicate whether he actually used the password. Orin Kerr, a George Washington University law professor who specializes in computer-crime law, said that doing so would violate the Computer Fraud and Abuse Act. “If anyone actually entered in the username and password or entered in the password to the website, that’s a federal crime,” he said.

The Minority report reprints an e-mail from Trump Jr. in which he admitted to just that.  As reprinted on the bottom of page 33, here's what he wrote:

Guys I got a weird Twitter DM from [W]ikileaks. See below. I tried the password and it works and the about section they reference contains the next pic in terms of who is behind it. Not sure if this is anything but it seems like it’s really wikileaks asking me as I follow them and it is a DM. Do you know the people mentioned and what the conspiracy they are looking for could be? These are just screen shots but it’s a bully built out page claiming to be a PAC let me know your thoughts and if we want to look into it.

This sounds a lot like an admission that he committed a federal crime, and in particular a violation of 18 U.S.C. § 1030(a)(2)(c).  It provides:

Whoever. . .  intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished[].

Let's go through the elements.

First, Trump Jr. admits to "intentionally access[ing] a computer."  He visited the website, and by his own admission "tried the password" which "work[ed]."  That's clearly intentional access. See, e.g., United States v. Phillips, 477 F.3d 215, 220-21 (5th Cir. 2007).

Second, Trump Jr. also appears to admit to his access being "intentionally . . . without authorization."  Wikileaks had told him that it was a guessed password, that is, not a password that Wikileaks had been authorized to use.  There are some controversial uses of the Computer Fraud and Abuse Act, as the government has occasionally tried to use it in ways that really stretch the notion of unauthorized access.   But using a guessed password is a classic case of access without authorizaton under the CFAA.  See, e.g., United States v. Morris, 928 F.2d 504, 510 (2d Cir. 1991) (access without authorization established in light of "evidence that the worm was designed to gain access to computers at which he had no account by guessing their passwords").  See also Orin S. Kerr, Computer Crime Law 48 (4th ed. 2018) ("Guessing a password is something like picking a physical lock, and using a stolen password is something like making a copy of the key and using it without the owner’s permission. Indeed, bypassing password gates using stolen or guessed passwords is a common way to 'hack' into a computer.") 

It might also be worth pointing out that the access by Trump Jr. might be legally unauthorized even if Wikileaks was an authorized account holder and wished to allow Trump to use its account, at least according to some authority.  See United States v. Nosal, 844 F.3d 1024 (9th Cir. 2016).  But we don't have to consider that theory of liability, as here it's pretty clear that Wikileaks was not an authorized account holder itself.

But wait, you might be wondering: Wasn't the password here really weak?  Yes, the password for was "putintrump."  Nice.  But there's no basis I know of in the statute or in the caselaw to say that using a weak guessed password makes the access authorized, or that a password has to be sufficiently complex for guessing (and then using) it to count as unauthorized.  I have speculated in my academic work that there may be some circumstances, when a password was essentially provided to all users, that a password is not actually part of a genuine authentication mechanism and access based on guessing that password would not be unauthorized:  "For example, imagine a website required users to enter a secret password to enter the site but announced that the password was either 'red' or 'green.'"  Norms of Computer Trespass, 116 Colum. L. Rev. 1143, 1173  n.153 (2016).  But that doesn't seem to be an issue here.  The password was bad, but it seems to have been a bad password that was being used as a genuine account authentication mechanism to access nonpublic parts of the website.

Third, Trump implies that he "obtain[ed] information."  Obtaining any information will do, and merely viewing it is enough to obtain it.  A person doesn't need to have actually downloaded or kept a copy of the information obtained.  See United States v. Tolliver,  2009 WL 2342639 (E.D.Pa. 2009) (noting that "'obtaining information' in this context includes mere observation of the data") (quoting S. Rep. No. 99–432 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2484). The fact that using the password "worked" is likely enough for this, as Trump Jr. would have seen data beyond the login prompt and just seeing that information would have been sufficient to "obtain information." Id.  Trump Jr. may have seen more that this, but it's not obvious to me based on the snippets of information from his e-mail.

Fourth, the server that hosted the website was plainly a "protected computer."  That is a defined term in the statute, meaning, among other things, a computer "which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States." 18 U.S.C. 1030(e)(2)(B).  Given how broad that definition is (see pages 1569-71 of this article for the details), a server hosting a website that is being connected to from around the country and the world is obviously a protected computer. 

A possible Trump defense would be to say that when he used the login credentials he had no idea if the site he was visiting was really an anti-Trump website.  He didn't really know that it was Wikileaks contacting him, as the e-mail he wrote explains.  And if he didn't really know if the direct message was from Wikileaks, he could argue, maybe he didn't really know that he wasn't authorized to use the login credentials to visit   Thus, he could argue, he didn't commit his unauthorized access "intentionally." 

I don't think that argument would work, though.  The CFAA's legislative history indicates that Congress intended the mental states in the CFAA to use the Model Penal Code's influential definitions.  See, e.g., S. Rep. 101–544, at 9 (1990 amendments) (“The standard for recklessness used in the bill is taken from the Model Penal Code.”); S. Rep. No. 99–432, reprinted in 1986 U.S.C.C.A.N. 2479, 2483–84 (1986 amendments) (discussing intent using the key phrases of the MPC).  "Without authorization" is an attendant circumstance element under the Model Penal Code, so "intent" would presumably mean that the person "is aware of the existence of such circumstances or he believes or hopes that they exist," as the Code defines the term. MPC § 2.02(2)(a)(ii) (emphasis added).   Here, it seems pretty clear that Trump hoped that the website he accessed was an anti-Trump website. That was the premise that Wikileaks offered Trump Jr. to encourage him to use the guessed password, and that was the reason that he used the password to login to the site.  He wasn't sure, but that was what he hoped was the case.  If that's right, then I would think that is enough to make the unauthorized access "intentional" under the Computer Fraud and Abuse Act.

How serious is such a crime?  The base offense that I have described is only a misdemeanor.  See 18 U.S.C. § 1030(c)(2)(A).  However, under 18 U.S.C. § 1030(c)(2)(B), there are a few circumstances in which the basic unauthorized access misdemeanor becomes a more serious felony: 

(i) the offense was committed for purposes of commercial advantage or private financial gain;

(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or

(iii) the value of the information obtained exceeds $5,000.

I don't think we know the broader circumstances in which the unauthorized access occurred in detail, at least yet, so it's hard to say definitively if this was a felony or a misdemanor.  But it's worth noting that felony liability can creep up you surprisingly quickly under § 1030. 

For example, consider the provision that a misdemeanor becomes a felony if the "the value of the information obtained exceeds $5,000."  In United States v. Batti, 631 F. 3d 371 (6th Cir. 2011), the Sixth Circuit held that "where information obtained by a violation of § 1030(c)(2)(B)(iii) does not have a readily ascertainable market value, it is reasonable to use the cost of production as a means to determine the value of the information obtained."  In that case, the defendant was an employee who improperly obtained internal company videos that cost $305,000 to make.  The Sixth Circuit ruled that the employee was guilty of a felony violation because the information he obtained, the videos, had a production cost over $5,000 -- that is,  $305,000. See id. at 378.  If that same reasoning also applies to viewing materials from an "about-to-launch" website not viewable by the general public, then it seems at least possible that Trump Jr. viewed information worth more than $5,000 and that any unauthorized access was a felony.

Anyway, I'm not saying that this is the biggest offense in the world.  I don't think it is.  And it's important to flag the separate question of whether such an offense would normally be prosecuted.  As then-FBI Director James Comey noted in his statement about Hillary Clinton's use of a personal server, prosecutors exercise discretion in deciding what crimes to prosecute.  Not every crime leads to prosecution.  As then-Director Comey stated in the context of explaining his recommendation not to prosecute Clinton:

Although there is evidence of potential violations of the statutes regarding the handling of classified information, our judgment is that no reasonable prosecutor would bring such a case. Prosecutors necessarily weigh a number of factors before bringing charges. There are obvious considerations, like the strength of the evidence, especially regarding intent. Responsible decisions also consider the context of a person’s actions, and how similar situations have been handled in the past.

Here Trump Jr.'s intent doesn't seem particularly in doubt. But if this was merely him trespassing into a website and not a particularly big deal in context, then it's likely a case that wouldn't be normally prosecuted at the federal level.  Some may plausibly conclude, as did then-Director Comey in deciding not to recommend a prosecution of Clinton, that the absence of similar cases that have been prosecuted means "that no charges are appropriate in this case." 

I don't have a particular view of that here, especially as we don't know all the facts.  But I understand that some will find Comey's view commendable as applied to the circumstances of this apparent offense by Donald J. Trump, Jr.

Orin Kerr is a Professor at the University of California, Berkeley School of Law. He is a nationally recognized scholar of criminal procedure and computer crime law. Before becoming a law professor, Kerr was a trial attorney in the Computer Crime and Intellectual Property Section at the Department of Justice and a Special Assistant U.S. Attorney in the Eastern District of Virginia. He is a former law clerk for Justice Anthony M. Kennedy of the U.S. Supreme Court and Judge Leonard I. Garth of the U.S. Court of Appeals for the Third Circuit.

Subscribe to Lawfare