51% Attacks Are Illegal Under the CFAA
Applying traditional legal concepts to blockchain technologies can be tricky business. For example, if a blockchain project needs legal advice, who is the client? If a blockchain network breaks the law, who is at fault? In this blog post, I will discuss whether 51% attacks are illegal.
If a bad actor takes down a blockchain network, can any laws hold them accountable? The answer appears to be yes. The Computer Fraud and Abuse Act (CFAA) seems to clearly encompass 51% attacks, and impose significant penalties on the attacker.
What is a 51% Attack?
This blog assumes a basic understanding of proof of work (PoW) blockchains, and how 51% attacks occur. But for the uninitiated, here is a quick down and dirty.
First, miners gain control of a majority of a blockchain’s computing power. This can occur when a single miner adds additional computers to their PoW mining operation, or when several miners team up and pool their computing power.
Once the miners control a majority of the network, they have the potential ability to reorganize transactions, refuse to confirm new transactions, or confirm transactions that never occurred. In other words, by virtue of their control, the miners can create a faulty “consensus” about the network’s transaction history.
Blockchain networks know about this vulnerability, and actively work to prevent it. For this reason, 51% attacks are rare. But they can be extremely damaging because blockchain entries cannot be trusted, and the network’s integrity cannot be assumed. A 51% attack calls into question the immutability of the underlying blockchain. After all, the whole raison d’être of a blockchain is trustless, immutable transactions.
The Verge and Ethereum Classic 51% Attacks
Losses from 51% attacks are real. For example, when the Verge (XVG) network was attacked in April 2018, the attacker absconded with approximately 35 million XVG. As a result, XVG tokens lost 15% of their value in less than 24 hours.
In January 2019, someone 51% attacked the Ethereum Classic (ETC) network and double-spent approximately 88,500 ETC. The ETC attack had less of a price effect, but still caused tokens to lose approximately 10% of their value.
If losses from 51% attacks continue to grow, eventually token holders will want payback. Ironically, a hacking statute from the 1980s seems to provide a remedy.
The CFAA Prohibits 51% Attacks
The CFAA is “principally a criminal statute prohibiting ‘fraud and related activity in connection with computers.’” LivePerson, Inc. v. 24/7 Customer, Inc., 83 F. Supp. 3d 501, 511 (S.D.N.Y. 2015).
Under the CFAA, it is a crime to “knowingly cause[] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause[] damage without authorization, to a protected computer.” 18 U.S.C. § 1030(a)(5)(A) (emphasis added). Conspiracy to commit, or an “attempt[] to commit” these acts is similarly a crime. 18 U.S.C. § 1030(b).
In other words, to violate the CFAA a 51% attack must involve: (1) a knowing, (2) transmission, (3) of some “information, code, or command”, that (5) intentionally (6) causes damage without authorization (7) to a “protected computer.” 18 U.S.C. § 1030(a)(5)(A). Let’s see if a 51% attack fits the description.
Blockchain Networks As “Protected Computers”
We’ll start with the basics. Do the computers on a blockchain network – either individually or collectively – qualify as “protected computers” under the CFAA? That question is obviously specific to whatever blockchain we are analyzing. But if there are no “protected computers” involved, the analysis is over and the statute does not apply.
A “computer” under the CFAA includes a “data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device…” 18 U.S.C. § 1030(e)(1) (emphasis added). Since every node running a blockchain client is definitionally a “computer,” it stands to reason that the network collectively is as well.
The CFAA and interpreting case law agree. A “protected computer” under the CFAA includes “computers” “used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States …” 18 U.S.C. § 1030(e)(2)(B). Courts have interpreted this language to include computers connected together through the internet. See T-Mobile USA, Inc. v. Terry, 862 F. Supp. 2d 1121, 1130 n.2 (W.D. Wash. 2012) (“proprietary aviation computer system” and “wireless communications network” both were “protected computers”); United States v. Trotter, 478 F.3d 918, 920-22 (8th Cir. 2007) (discussing how computers connected to the internet are “protected computers” under CFAA); Dow Corning Corp. v. Chaganti, 2015 U.S. Dist. LEXIS 149712, at *27 (E.D. Mich. Nov. 4, 2015) (same).
Knowing Transmission of Information
Next, we need to inquire whether an attacker “knowingly” transmits a “program, information, code, or command” as part of a 51% attack. Again, this element of proof is context specific. I can imagine several scenarios where a blockchain miner could unintentionally gain control of a network, or automatically transmit information to the network without “knowledge.”
But in a true 51% attack, the attacker cannot accidentally reorganize transactions, refuse to confirm new transactions, or confirm transactions that never occurred. The transmission of this faulty consensus and transaction history seems to fit the CFAA like a glove.
Intentional Damage To The Blockchain
Does a 51% attack “intentionally cause damage” to the blockchain network? “Damage” under the CFAA “means any impairment to the integrity or availability of data, a program, a system, or information.” § 1030(e)(8) (emphasis added).
It seems obvious that reorganizing transactions and providing faulty consensus impairs the integrity of blockchain data. So a 51% attack seems to satisfy this element as well.
No Authorization To Damage The Blockchain
Some courts have construed “without authorization” as applying to the transmission of data to a protected computer. E.g., Advanced Aerofoil Tech., AG v. Torado, 2013 WL 410873 at *8 n. 3 (S.D.N.Y. Jan. 30, 2013).
But most cases require that the “damage” to protected computers occur “without authorization.” § 1030(a)(5)(A). This interpretation of Section 1030(a)(5)(A) is more sensible, and ensures that common features of modern commerce are not prohibited. For example, the transmission of cookies, website requests, etc. may not be authorized. But at the same time they do not intentionally cause damage.
In U.S. v. Stratman, 2013 U.S. Dist. LEXIS 150224, at *4 (D. Neb. Aug. 5, 2013), the defendant argued that the phrase “intentionally causes damages without authorization” means the CFAA “applies to only those individuals who initially accessed the computer without permission[.]” Id., at 3. The defendant argued that “‘without authorization’ cannot modify the word ‘damages’ because ‘who would be authorized to cause damage?’” Id., at *3-4.
The District of Nebraska disagreed because an IT professional could delete files in the normal course of her job, and cause “damage” to data. Thus, the court concluded that “[c]ontrary to the defendant’s argument, the phrase ‘without authorization’ modifies the phrase ‘intentionally causes damage,’ and not access to the computer itself.’” Id., at * 5 citing International Airport Centers, LLC v. Citrin, 440 F.3d 418, 421 (7th Cir. 2006); see also KLA-Tencor Corp. v. Murphy, 717 F.Supp.2d 895, 903-04 (N.D. Cal. 2010); In re America Online, Inc., 168 F.Supp.2d 1359, 1371 (S.D. Fla. 2001); Condux Intern., Inc. v. Haugum, 2008 U.S. Dist. LEXIS 100949, 2008 WL 5244818 at * 6-7 (D. Minn. Dec 15, 2008); B&B Microscopes v. Armogida, 532 F. Spp.2d 744, 758 (W.D. Penn. 2007); Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 967 n. 1 (D. Ariz. 2008).
This distinction is important because a 51% attacker does not “hack” the network in a traditional sense. A 51% attacker is actually operating the network client as designed. Instead, a 51% attack exploits the primary vulnerability of PoW blockchains.
If the attack altered the block history, or created a double-spend, it is difficult to imagine a scenario where other network participants would “authorize” such tampering. In fact, as we saw with the Verge and ETC 51% attacks, other network participants actively tried to stop the attacks and mitigate the damage. This is strong evidence that the “damage” from a 51% attack is not “authorized” by the rest of the network.
So there you have it; the CFAA likely prohibits 51% attacks. But can owners of the tokens recover their losses? Can they sue the attacker?
Steep Penalties For Violating The CFAA
As discussed above, the CFAA is primarily a criminal statute. For a first offense that causes at least $5,000 in losses, the CFAA provides for a fine or imprisonment up to 10 years, or both. 18 U.S.C. § 1030(c)(4)(B) citing § 1030(c)(4)(A)(i). The punishment for repeat offenders is a fine or imprisonment up to 20 years. § 1030(c)(4)(C). A person can also be ordered to forfeit computers or other property used in the CFAA violation. Id., § 1030(i). Any ill-gotten gains can similarly be forfeited. § 1030(j).
The bad actor doesn’t even need to compete the attack to incur liability. Any “attempt to commit” a CFAA violation is punishable if it would have caused at least $5,000 in losses. Id., § 1030(c)(4)(B)(i) and (ii).
Simply put, punishment for CFAA violations are steep. If the Department of Justice brought an action against a 51% attacker, this would provide a strong deterrent to such attacks in the future.
People Who Lose Money From CFAA Violations Can Sue For Damages
The CFAA also provides a private right of action for any person who suffers more than $5,000 in damage or loss as a result of CFAA violations. Id., § 1030(g) citing § 1030(c)(4)(A)(i)(I). The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11).
In addition, the CFAA permits a court to order other injunctive or equitable remedies, such as orders not to dissipate assets, or to restore property. Id.
Conclusion
51% attacks can cause real losses. But there is a potent statutory remedy in the CFAA. Who will be the first to wield it? Will it be the U.S. government in a criminal enforcement action, or injured investors? Time will tell, but I’m ready to find out!
Stay safe out there.
SOME STATES MAY CONSIDER THIS AN ATTORNEY ADVERTISEMENT
I am not your attorney, and this is not legal or investment advice.