It’s Not the Computer, Stupid. It’s the Information in It. Two Recent Indictments Stretch the Limits of “Theft” of Information.
None
<p>We continue to talk about “computer crime” as if the computer were the thing we are trying to protect. It is not. The real object of protection is information—its confidentiality, its integrity, and its availability. The computer is merely the medium. The law, however, still speaks in the language of theft, conversion, and fraud—concepts developed for tangible property—and then struggles to apply those concepts to something that can be copied, transmitted, and retained simultaneously by multiple parties without depletion.<br><br>Two recent federal indictments illustrate the problem with unusual clarity. One <a href="https://www.justice.gov/opa/media/1437146/dl" target="_blank" rel="noopener">involves a U.S. Army insider</a> (the Van Dyke matter), and <a href="https://www.justice.gov/usao-sdny/media/1437781/dl" target="_blank" rel="noopener">the other</a> charges the Southern Poverty Law Center (SPLC) with, among other things, participating in the acquisition and copying of internal documents from an extremist organization. The charging documents themselves are available from the Department of Justice. What is striking about both is not simply the conduct alleged, but the legal theory underlying the allegations.<br><br>In the Van Dyke indictment, based on insider trading in Polymarket based on inside information about the Maduro raid, the government reportedly asserts that “all information” to which the defendant obtained access “is now and will remain the property of the United States Government.” Not classified information. Not sensitive operational data. All information. That is not a duty of confidentiality; it is a claim of universal ownership. Under that formulation, everything from mission-critical intelligence to the most trivial observations becomes government property subject to criminal conversion if used inconsistently with government interests. A soldier who remarks, “Sure is hot out” — “yeah, Africa hot” could be prosecuted for improper use of “government information.” <br><br>That is a remarkable expansion of property concepts. Traditional national security prosecutions—under the Espionage Act, 18 U.S.C. §§ 793–798—focus on unauthorized disclosure, retention, or transmission. The harm is exposure. But the Van Dyke theory is not centered on disclosure. It is centered on use. The alleged wrongdoing is not simply that information was revealed, but that it was used for personal benefit. That is a conversion theory.<br><br>The problem, of course, is that conversion presupposes property that can be “taken” in a way that deprives the owner of possession. Information does not behave that way. It is non-rivalrous. It can be copied without dispossession. The government still has the information. Nothing has been “stolen” in the traditional sense. So it ultimately relates to some breach of a duty of loyalty, not a “theft” in the traditional sense.<br><br>The Supreme Court recognized this tension in <a href="https://supreme.justia.com/cases/federal/us/473/207/" target="_blank" rel="noopener">Dowling v. United States</a>, 473 U.S. 207 (1985), where it rejected the application of the National Stolen Property Act to bootleg recordings, emphasizing that infringement “does not easily equate with theft, conversion, or fraud.” Id. at 216. The Court drew a line between tangible property crimes and intellectual property regimes, noting that Congress had crafted distinct statutory frameworks to address the latter.<br><br>Even where the Court has permitted criminal liability for misuse of information, it has done so by reframing the conduct. In <a href="https://supreme.justia.com/cases/federal/us/484/19/" target="_blank" rel="noopener">Carpenter v. United States</a>, 484 U.S. 19 (1987), the misappropriation of confidential business information was treated as a scheme to defraud grounded in breach of fiduciary duty, not as simple theft. The “property” interest was the employer’s right to exclusive use of the information, and the mechanism was deception.<br><br>More recent decisions show increasing resistance to expanding property-based theories. In <a href="https://supreme.justia.com/cases/federal/us/590/18-1059/" target="_blank" rel="noopener">Kelly v. United States</a>, 140 S. Ct. 1565 (2020), the Court rejected an effort to recast regulatory decisions as property fraud. In <a href="https://supreme.justia.com/cases/federal/us/598/21-1170/" target="_blank" rel="noopener">Ciminelli v. United States</a>, 143 S. Ct. 1121 (2023), it unanimously rejected the “right to control” theory, holding that deprivation of accurate information does not constitute property fraud. And in <a href="https://supreme.justia.com/cases/federal/us/593/19-783/" target="_blank" rel="noopener">Van Buren v. United States</a>, 141 S. Ct. 1648 (2021), the Court narrowed the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, to exclude mere misuse of information obtained through authorized access, warning that a broader interpretation would criminalize ordinary policy violations.<br><br>Against that backdrop, the Van Dyke indictment’s assertion that all accessed information is government property appears doctrinally aggressive. It effectively collapses the distinction between protected information and trivial data, and between misuse and theft. If all information is property, then any unauthorized use becomes a potential conversion. That is precisely the overbreadth the Supreme Court has been attempting to constrain.<br><br>The SPLC indictment presents the same conceptual problem from the opposite direction. According to the charging document, an informant allegedly “stole 25 boxes of documents” from a violent extremist organization, copied them, returned them, and the information was then used for publication. If the documents were returned, what was stolen? The tangible property was not permanently deprived. The organization retained its records. What was “taken” was the information—and even then, only in the sense that it was duplicated.<br><br>This is not theft in the classical sense. It is copying. The law has struggled with this distinction for decades. In <a href="https://casetext.com/case/us-v-aleynikov" target="_blank" rel="noopener">United States v. Aleynikov</a>, 676 F.3d 71 (2d Cir. 2012), <br>the Second Circuit reversed a conviction where a programmer copied proprietary source code, holding that intangible code did not constitute “goods” under the National Stolen Property Act. Similarly, in <a href="https://casetext.com/case/us-v-nosal-5" target="_blank" rel="noopener">United States v. Nosal</a>, 676 F.3d 854 (9th Cir. 2012) (en banc), the court rejected an expansive reading of the CFAA that would have criminalized misuse of information obtained through authorized access, warning against transforming the statute into a general-purpose misappropriation law.<br><br>The SPLC case also raises First Amendment considerations. In <a href="https://supreme.justia.com/cases/federal/us/532/514/" target="_blank" rel="noopener">Bartnicki v. Vopper</a>, 532 U.S. 514 (2001), the Court held that the publication of lawfully obtained information on matters of public concern is protected, even where the source acquired it unlawfully. The SPLC allegations differ because the organization is accused of participating in the acquisition, but the underlying conceptual issue remains: copying information is not the same as stealing property. If, instead of copying the physical documents, the informant merely disclosed what he learned from them, would this have been a crime?<br><br>These cases expose a basic truth that the law has been reluctant to articulate clearly. When we talk about “theft” of information, we are rarely talking about theft. We are talking about misuse. When an employee leaves a company, they take with them knowledge, relationships, strategies—information stored in their head. That is not theft. It cannot be prevented, and it cannot be undone. What becomes actionable is when that information is used in a way that violates a duty—contractual, fiduciary, or statutory.<br><br>The same principle applies across the modern data economy. When a company collects personal information and uses it inconsistently with its representations, regulators do not typically charge theft. They charge deception under § 5 of the Federal Trade Commission Act, 15 U.S.C. § 45. The harm is not that the company “took” information; it already had it. The harm is that it was misused.<br><br>Yet the rhetoric of theft persists, and with it the temptation to stretch criminal statutes designed for tangible property to cover intangible harms. That approach creates doctrinal instability and risks overcriminalization. If every unauthorized use of information is a theft, then every policy violation becomes a crime. Every employee departure becomes suspect. Every investigative journalist who receives leaked material becomes a potential defendant. In the VanBuren case, the Supreme Court distinguished between a person who accesses a database with authorization to obtain information they would have been entitled to access, but then uses the data for an improper purpose, from an “unauthorized access” to that same database. <br><br>The Supreme Court’s recent decisions suggest a different trajectory. By narrowing the CFAA and rejecting expansive property theories, the Court has signaled that not all valuable information is “property” for purposes of criminal law, and not all misuse is criminal. The focus, instead, should be on specific harms: Unauthorized access, deception, breach of duty, or violation of statutory confidentiality obligations.<br><br>The Van Dyke and SPLC indictments show how far current practice has drifted from that framework. They attempt to solve an information problem with proprietary tools. Sometimes that works, particularly where tangible media or clearly defined trade secrets are involved. Often it does not.<br><br>We would do better to acknowledge what these cases implicitly recognize: That modern “computer crime” is really about information. The relevant questions are not who “owns” it, but who may access it, how it may be used, and what obligations attach to it. Until the law is structured around those questions, rather than metaphors of theft and conversion, we will continue to see cases that strain doctrine—and invite the very constitutional limits the Supreme Court has begun to enforce.</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/04/its-not-the-computer-stupid-its-the-information-in-it-two-recent-indictments-stretch-the-limits-of-theft-of-information/" data-a2a-title="It’s Not the Computer, Stupid. It’s the Information in It. Two Recent Indictments Stretch the Limits of “Theft” of Information."><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fits-not-the-computer-stupid-its-the-information-in-it-two-recent-indictments-stretch-the-limits-of-theft-of-information%2F&linkname=It%E2%80%99s%20Not%20the%20Computer%2C%20Stupid.%20It%E2%80%99s%20the%20Information%20in%20It.%20Two%20Recent%20Indictments%20Stretch%20the%20Limits%20of%20%E2%80%9CTheft%E2%80%9D%20of%20Information." title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fits-not-the-computer-stupid-its-the-information-in-it-two-recent-indictments-stretch-the-limits-of-theft-of-information%2F&linkname=It%E2%80%99s%20Not%20the%20Computer%2C%20Stupid.%20It%E2%80%99s%20the%20Information%20in%20It.%20Two%20Recent%20Indictments%20Stretch%20the%20Limits%20of%20%E2%80%9CTheft%E2%80%9D%20of%20Information." title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fits-not-the-computer-stupid-its-the-information-in-it-two-recent-indictments-stretch-the-limits-of-theft-of-information%2F&linkname=It%E2%80%99s%20Not%20the%20Computer%2C%20Stupid.%20It%E2%80%99s%20the%20Information%20in%20It.%20Two%20Recent%20Indictments%20Stretch%20the%20Limits%20of%20%E2%80%9CTheft%E2%80%9D%20of%20Information." title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fits-not-the-computer-stupid-its-the-information-in-it-two-recent-indictments-stretch-the-limits-of-theft-of-information%2F&linkname=It%E2%80%99s%20Not%20the%20Computer%2C%20Stupid.%20It%E2%80%99s%20the%20Information%20in%20It.%20Two%20Recent%20Indictments%20Stretch%20the%20Limits%20of%20%E2%80%9CTheft%E2%80%9D%20of%20Information." title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fits-not-the-computer-stupid-its-the-information-in-it-two-recent-indictments-stretch-the-limits-of-theft-of-information%2F&linkname=It%E2%80%99s%20Not%20the%20Computer%2C%20Stupid.%20It%E2%80%99s%20the%20Information%20in%20It.%20Two%20Recent%20Indictments%20Stretch%20the%20Limits%20of%20%E2%80%9CTheft%E2%80%9D%20of%20Information." title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>