In the end, if I were a betting man, I’d bet that one or two low-level Cardinals employees take the fall for whatever results from the FBI investigation into them hacking the Astros. And by “take the fall” I don’t mean that they’re made scapegoats. Given what we know thus far about the FBI investigation, it was not a sophisticated thing and may very well have been considered a lark or an impulsive stunt by someone who simply didn’t like Jeff Luhnow back when he was their boss. The odds of it being an organizational-wide conspiracy seem low.
But to diminish the scope of the alleged hacking of the Astros’ system is not to diminish its seriousness. Not from a legal perspective anyway. Because the infiltration of someone else’s computer system, no matter how easily and primitively it was done, is covered by a particularly pernicious federal law: the Computer Fraud and Abuse Act (“CFAA”).
The CFAA is an old law as far as tech laws go. It was developed in 1984, back when Congress was just coming to grips with the fact that computers were the future and that hacking was a potentially serious deal. Of course, as Congress tends to do when it doesn’t fully understand something, it legislated broadly and somewhat sloppily. The CFAA and its many amendments and revisions -- some wound up into the Patriot Act -- are now vague enough to where it has been used to prosecute people for any computer-related crime. Once it was used in a case where a woman created a fake MySpace page to cyberbully a teenage girl, which resulted in the girl committing suicide. An awful act to be sure, but one which really didn’t fit neatly into the category of Computer Fraud given that no external system was improperly accessed. It’s use in that case showed just how malleable the law is and how eager prosecutors are to use it in a media-heavy case where, well, something must be done.
More infamously, the CFAA was used to prosecute famous hacker Aaron Swartz. Swartz was arrested and charged under the CFAA for surreptitiously installing a computer in order to download academic journal articles from a company which normally charges for the privilege of using them. While his violation, in essence, was one in which terms of service were not followed, Swartz was charged with 11 violations of the CFAA and faced a $1 million fine, 35 years in prison, asset forfeiture, restitution, and supervised release. Ultimately his charges were in the process of being pleaded down, but Swartz killed himself when negotiations with the feds failed to progress.
The upshot: This may have been an impulsive or spiteful action, as opposed to some orchestrated espionage effort. It may have involved one person rather than five or 10 and may have been as simple as looking up old passwords rather than some sophisticated hackery. But, to the feds, it may be considered something highly felonious and may turn into something huge. Especially given that, unlike some CFAA cases, this one actually allegedly involved the fraudulent accessing of a computer network across state lines.
Perhaps federal investigators and prosecutors will show restraint in this instance. After all, knowing that the Astros may have wanted to trade for Ichiro Suzuki is not a big deal in the grand scheme. But when was the last time federal prosecutors showed restraint? Especially when baseball -- which the Feds have always used in order to make an example -- is involved.
Finally, recall that the reporter who broke this story is Michael S. Schmidt of the New York Times. He’s a good reporter who broke many stories about federal steroids investigations. And he has spent more time on the national security beat in recent years. His sources tend not to be the sorts who are less-than-eager to go full-bore into federal violations.
Which is to say that someone, perhaps someone with the Cardinals, is in for a world of pain.