Computer Fraud and Abuse Act
Great Seal of the United States
United States Supreme Court cases

The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law (18 U.S.C. § 1030), which had been included in the Comprehensive Crime Control Act of 1984. [1] Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.[2]

The original 1984 bill was enacted in response to concern that computer-related crimes might go unpunished.[3] The House Committee Report to the original computer crime bill characterized the 1983 techno-thriller film WarGames—in which a young teenager (played by Matthew Broderick) from Seattle breaks into a U.S. military supercomputer programmed to predict possible outcomes of nuclear war and unwittingly almost starts World War III—as "a realistic representation of the automatic dialing and access capabilities of the personal computer."[4]

The CFAA was written to extend existing tort law to intangible property, while, in theory, limiting federal jurisdiction to cases "with a compelling federal interest—i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature", but its broad definitions have spilled over into contract law (see "Protected Computer", below). In addition to amending a number of the provisions in the original section 1030, the CFAA also criminalized additional computer-related acts. Provisions addressed the distribution of malicious code and denial-of-service attacks. Congress also included in the CFAA a provision criminalizing trafficking in passwords and similar items.[1]

Since then, the Act has been amended a number of times—in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. With each amendment of the law, the types of conduct that fell within its reach were extended.

In January 2015, President Barack Obama proposed expanding the CFAA and the RICO Act in his Modernizing Law Enforcement Authorities to Combat Cyber Crime proposal.[5] DEF CON organizer and Cloudflare researcher Marc Rogers, Senator Ron Wyden, and Representative Zoe Lofgren stated opposition to this on the grounds it would make many regular Internet activities illegal, and moved further away from what they were trying to accomplish with Aaron's Law.[6][7][needs update]

Protected computers

The only computers, in theory, covered by the CFAA are defined as "protected computers". They are defined under section 18 U.S.C. § 1030(e)(2) to mean a computer:

In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the interstate nature of most Internet communication.[8]

Criminal offenses under the Act

(a) Whoever—

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
(A) threat to cause damage to a protected computer;
(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion[9]

Specific sections

Notable cases and decisions referring to the Act

The Computer Fraud and Abuse Act is both a criminal law and a statute that creates a private right of action, allowing compensation and injunctive or other equitable relief to anyone harmed by a violation of this law. These provisions have allowed private companies to sue disloyal employees for damages for the misappropriation of confidential information (trade secrets).

Criminal cases

Civil cases

Criticism

There have been criminal convictions for CFAA violations in the context of civil law, for breach of contract or terms of service violations. Many common and insignificant online acts, such as password-sharing and copyright infringement, can transform a CFAA misdemeanor into a felony. The punishments are severe, similar to sentences for selling or importing drugs, and may be disproportionate. Prosecutors have used the CFAA to protect private business interests and to intimidate free-culture activists, deterring undesirable, yet legal, conduct.[50][51]

One such example regarding the harshness of the law was shown in United States vs. Tyler King,[52] where King refused initial offers by the government for involvement in a conspiracy to "gain unauthorized access" to a computer system for a small company that an ex-girlfriend of King worked for. His role, even while not directly involved, resulted in 6.5 years imprisonment. No financial motive was established. A non-profit was started to advocate against further harshness against others targeted under the broad law.[53]

Tim Wu called the CFAA "the worst law in technology".[54]

Professor of Law Ric Simmons notes that many provisions of the CFAA merely combine identical language to pre-existing federal laws with "the element of “access[ing] a protected computer without authorization, or [by] exceed[ing] authorized access,"[55] meaning that "the CFAA merely provides an additional charge for prosecutors to bring if the defendant used a computer while committing the crime."[56] Professor Joseph Olivenbaum has similarly criticized the CFAA's "computer-specific approach," noting both the risk of redundancy and resultant definitional problems.[57]

The CFAA increasingly presents real obstacles to journalists reporting stories important to the public’s interest.[58] As data journalism increasingly becomes “a good way of getting to the truth of things . . . in this post-truth era,” as one data journalist told Google, the need for further clarity around the CFAA increases.[58]

As per Star Kashman, an expert in cybersecurity law, the CFAA presents some challenges in cases related to Search Engine Hacking (also known as Google Dorking). Although Kashman states that accessing publicly available information is legal under the CFAA, she also notes that in many cases Search Engine Hacking is ultimately prosecuted under the CFAA. Kashman believes prosecuting cases of Google Dorking under the CFAA could render the CFAA void for vagueness by making it illegal to access publicly available information.[59]

Aaron Swartz

The government was able to bring such disproportionate charges against Aaron because of the broad scope of the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute. It looks like the government used the vague wording of those laws to claim that violating an online service's user agreement or terms of service is a violation of the CFAA and the wire fraud statute.

Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties.

When our laws need to be modified, Congress has a responsibility to act. A simple way to correct this dangerous legal interpretation is to change the CFAA and the wire fraud statutes to exclude terms of service violations. I will introduce a bill that does exactly that.

—Rep. Zoe Lofgren, Jan 15, 2013 [60]

Wikisource has original text related to this article:
Rep Zoe Lofgren Introduces Bipartisan Aaron's Law

In the wake of the prosecution and subsequent suicide of Aaron Swartz (who used a script to download scholarly research articles in excess of what JSTOR terms of service allowed), lawmakers proposed amending the Computer Fraud and Abuse Act. Representative Zoe Lofgren drafted a bill that would help "prevent what happened to Aaron from happening to other Internet users".[60] Aaron's Law (H.R. 2454, S. 1196[61]) would exclude terms of service violations from the 1984 Computer Fraud and Abuse Act and from the wire fraud statute.[62]

In addition to Lofgren's efforts, Representatives Darrell Issa and Jared Polis (also on the House Judiciary Committee) raised questions in the immediate aftermath of Swartz's death regarding the government's handling of the case. Polis called the charges "ridiculous and trumped up," referring to Swartz as a "martyr."[63] Issa, chair of the House Oversight Committee, announced an investigation of the Justice Department's prosecution.[63][64]

By May 2014, Aaron's Law had stalled in committee. Filmmaker Brian Knappenberger alleges this occurred due to Oracle Corporation's financial interest in maintaining the status quo.[65]

Aaron's Law was reintroduced in May 2015 (H.R. 2454, S. 1030[66]) and again stalled. There has been no further introduction of related bills[as of?].

Amendments history

2008[1]

See also

References

  1. ^ a b c Jarrett, H. Marshall; Bailie, Michael W. (2010). "Prosecution of Computer" (PDF). justice.gov. Office of Legal Education Executive Office for United States Attorneys. Retrieved June 3, 2013.
  2. ^ "Who's Responsible? - Computer Crime Laws | Hackers | FRONTLINE | PBS". www.pbs.org. Retrieved November 13, 2021.
  3. ^ Schulte, Stephanie (November 2008). "The WarGames Scenario". Television and New Media. 9 (6): 487–513. doi:10.1177/1527476408323345. S2CID 146669305.
  4. ^ H.R. Rep. 98-894, 1984 U.S.C.C.A.N. 3689, 3696 (1984).
  5. ^ "Securing Cyberspace – President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts". whitehouse.gov. January 13, 2015. Retrieved January 30, 2015 – via National Archives.
  6. ^ "Democrats, Tech Experts Slam Obama's Anti-Hacking Proposal". Huffington Post. January 20, 2015. Retrieved January 30, 2015.
  7. ^ "Obama, Goodlatte Seek Balance on CFAA Cybersecurity". U.S. News & World Report. January 27, 2015. Retrieved January 30, 2015.
  8. ^ Varma, Corey (January 3, 2015). "What is the Computer Fraud and Abuse Act". CoreyCarma.com. Retrieved June 10, 2015.
  9. ^ Legal Information Institute, Cornell University Law School. "18 USC 1030".
  10. ^ United States v. Morris (1991), 928 F.2d 504, 505 (2d Cir. 1991).
  11. ^ U.S. v. Lori Drew, scribd
  12. ^ US v Lori Drew, psu.edu Kyle Joseph Sassman,
  13. ^ Staff, Ars (July 2, 2009). "'MySpace mom' Lori Drew's conviction thrown out". Ars Technica. Retrieved March 31, 2020.
  14. ^ "FindLaw's United States Eleventh Circuit case and opinions". Findlaw. Retrieved March 31, 2020.
  15. ^ David Gilbert (December 6, 2013). "PayPal 14 'Freedom Fighters' Plead Guilty to Cyber-Attack". International Business Times.
  16. ^ Alexa O'Brien (December 5, 2013). "Inside the 'PayPal 14' Trial". The Daily Beast.
  17. ^ See Internet Activist Charged in M.I.T. Data Theft, By NICK BILTON New York Times, July 19, 2011, 12:54 PM, as well as the Indictment
  18. ^ Dave Smith, Aaron Swartz Case: U.S. DOJ Drops All Pending Charges Against The JSTOR Liberator, Days After His Suicide, International Business Times, January 15, 2013.
  19. ^ U.S. v. Nosal, uscourts.gov, 2011
  20. ^ Appeals Court: No Hacking Required to Be Prosecuted as a Hacker, By David Kravets, Wired, April 29, 2011
  21. ^ Kravets, David (April 24, 2013). "Man Convicted of Hacking Despite Not Hacking". Wired.
  22. ^ "Nos. 14-10037, 14-10275" (PDF).
  23. ^ "Docket for 16-1344". www.supremecourt.gov. Retrieved March 31, 2020.
  24. ^ US v Adekeye Indictment. see also Federal Grand Jury indicts former Cisco Engineer By Howard Mintz, 08/05/2011, Mercury News
  25. ^ US v Sergey Aleynikov, Case 1:10-cr-00096-DLC Document 69 Filed 10/25/10
  26. ^ Ex-Goldman Programmer Described Code Downloads to FBI (Update1), David Glovin and David Scheer. July 10, 2009, Bloomberg
  27. ^ Plea Agreement, U.S. District Court, Eastern District of Michigan, Southern Division. via debbieschlussel.com
  28. ^ Sibel Edmond's Boiling Frogs podcast 61 Thursday, 13. October 2011. Interview with Prouty by Peter B. Collins and Sibel Edmonds
  29. ^ "United States of America v. Neil Scott Kramer" (PDF). Archived from the original (PDF) on August 16, 2011. Retrieved March 18, 2012.
  30. ^ Poulsen, Kevin (May 7, 2013). "Feds Drop Hacking Charges in Video-Poker Glitching Case". Wired.
  31. ^ No Expansion of CFAA Liability for Monetary Exploit of Software Bug | New Media and Technology Law Blog
  32. ^ "United States v. Gilberto Valle". Electronic Frontier Foundation. March 6, 2015. Retrieved March 31, 2020.
  33. ^ "Second Circuit Adopts Narrow Construction of Federal Computer Fraud Statute, Joins Circuit Split". Jackson Lewis. December 10, 2015. Retrieved March 31, 2020.
  34. ^ Marks, Joseph (April 24, 2020). "The Cybersecurity 202: There's finally a Supreme Court battle coming over the nation's main hacking law". The Washington Post. Retrieved July 15, 2020.
  35. ^ Fung, Brian; de Vogue, Ariane; Cole, Devan (June 3, 2021). "Supreme Court sides with police officer who improperly searched license plate database". CNN. Retrieved June 3, 2021.
  36. ^ Gelman, Lauren (September 22, 2003). "Ninth Circuit Court of Appeals: Stored Communications Act and Computer Fraud and Abuse Act Provide Cause of Action for Plaintiff". Center for Internet and Society. Stanford University.
  37. ^ US v Jacob Citrin, openjurist.org
  38. ^ U.S. v Brekka 2009
  39. ^ Kravets, David, Court: Disloyal Computing Is Not Illegal, Wired, September 18, 2009.
  40. ^ Kravets, David (August 20, 2013). "IP Cloaking Violates Computer Fraud and Abuse Act, Judge Rules". Wired.
  41. ^ Craigslist v. 3taps |Digital Media Law Project
  42. ^ 3Taps Can't Shake Unauthorized Craigslist Access Claims – Law360
  43. ^ See the links to the original lawsuit documents which are indexed here
  44. ^ techdirt.com 2011 8 9, Mike Masnick, "Sending Too Many Emails to Someone Is Computer Hacking"
  45. ^ Hall, Brian, Sixth Circuit Decision in Pulte Homes Leaves Employers With Few Options In Response To Union High Tech Tactics, Employer Law Report, 3 August 2011. Retrieved 27 January 2013.
  46. ^ Farivar, Cyrus (July 12, 2016). "Startup that we all forgot gets small win against Facebook on appeal". Ars Technica. Retrieved March 31, 2020.
  47. ^ Lee, Timothy B. (September 9, 2019). "Web scraping doesn't violate anti-hacking law, appeals court rules". Ars Technica. Retrieved March 31, 2020.
  48. ^ "Docket for 19-1116". www.supremecourt.gov. Retrieved March 31, 2020.
  49. ^ Lee, Timothy B. (March 30, 2020). "Court: Violating a site's terms of service isn't criminal hacking". Ars Technica. Retrieved March 31, 2020.
  50. ^ Curtiss, Tiffany (2016), "Computer Fraud and Abuse Act Enforcement: Cruel, Unusual, and Due for Reform", Washington Law Review, 91 (4)
  51. ^ "A Voice from Prison Blog | Criminal Justice Reform & Constitutional Rights". A Voice from Prison. Retrieved October 25, 2022.
  52. ^ "Texas Man Sentenced to 57 Months for Computer Hacking and Aggravated Identity Theft". www.justice.gov. August 13, 2020. Retrieved October 25, 2022.
  53. ^ "A Voice from Prison Blog | Criminal Justice Reform & Constitutional Rights". A Voice from Prison. Retrieved October 25, 2022.
  54. ^ Christian Sandvig; Karrie Karahalios (July 1, 2006). "Most of what you do online is illegal. Let's end the absurdity". The Guardian.
  55. ^ 18 U.S.C. § 1030(a)(4)
  56. ^ Simmons, Ric (2016). "The Failure of the Computer Fraud and Abuse Act: Time to Take an Administrative Approach to Regulating Computer Crime". The George Washington University Law School.
  57. ^ Olivenbaum, Joseph M. (1997). <CTRL><ALT><DELETE>: Rethinking Federal Computer Legislation. 27 Seton Hall Law Review 574.
  58. ^ a b Baranetsky, Victoria. "Data Journalism and the Law". Columbia Journalism Review. Retrieved October 16, 2020.
  59. ^ Kashman, Star (2023). "Google Dorking or Legal Hacking: From the CIA Compromise to Your Cameras at Home, We Are Not as Safe as We Think". Wash. J. L. Tech. & Arts. 18 (2).
  60. ^ a b Reilly, Ryan J. (January 15, 2013). "Congresswoman Introduces 'Aaron's Law' Honoring Swartz". Huffington Post.
  61. ^ H.R. 2454 at Congress.gov; H.R. 2454 Archived July 15, 2018, at the Wayback Machine at GovTrack; H.R. 2454 Archived November 12, 2013, at the Wayback Machine at OpenCongress. S. 1196 at Congress.gov; S. 1196 Archived July 15, 2018, at the Wayback Machine at GovTrack; S. 1196 Archived November 12, 2013, at the Wayback Machine at OpenCongress.
  62. ^ Musil, Steven (January 15, 2013). "New 'Aaron's Law' aims to alter controversial computer fraud law". CNET News. Retrieved October 19, 2021.
  63. ^ a b Sasso, Brendan (January 16, 2013). "Lawmakers slam DOJ prosecution of Swartz as 'ridiculous, absurd'". The Hill. Retrieved January 16, 2013.
  64. ^ Reilly, Ryan J. (January 15, 2013). "Darrell Issa Probing Prosecution Of Aaron Swartz, Internet Pioneer Who Killed Himself". Huffingtonpost.com. Retrieved January 16, 2013.
  65. ^ Dekel, Jonathan (May 1, 2014). "Swartz doc director: Oracle and Larry Ellison killed Aaron's Law". Postmedia. Archived from the original on October 3, 2018. Retrieved May 1, 2014.
  66. ^ H.R. 1918 at Congress.govS. 1030 at Congress.gov

External links

Patriot Act
Categories