After more than a decade of headlines about the vulnerability of US voting machines to hacking, it turns out the federal government says it may not be able to prosecute election hacking under the federal law that currently governs computer intrusions. Per a Justice Department report issued in July from the Attorney General’s Cyber Digital Task Force, electronic voting machines may not qualify as “protected computers” under the Computer Fraud and Abuse Act, the 1986 law that prohibits unauthorized access to protected computers and networks or access that exceeds authorization (such as an insider breach). The report says the law generally only prohibits against hacking computers “that are connected to the Internet (or that meet other narrow criteria for protection)” and notes that voting machines generally do not meet this criteria “as they are typically kept off the Internet.” Consequently, “should hacking of a voting machine occur, the government would not, in many conceivable circumstances, be able to use the CFAA to prosecute the hackers.”
Aside from the fact that the assertion about voting machines not being connected is incorrect— many voting machines are connected in that they use cellular and landline modems that connect with cell towers and backend telecom networks to transmit results on election night—the government’s assertion that the CFAA applies only to connected machines is news to legal experts.
“I would have thought, before the DOJ’s [stated] position, that all computers are covered by the CFAA [whether connected to the internet or not],” said Orin Kerr, professor of law at the University of Southern California Gould School of Law.