Computer Fraud and Abuse Act

From Wikipedia, the free encyclopedia - View original article

 
Jump to: navigation, search

The Computer Fraud and Abuse Act (CFAA)[1] was enacted by Congress in 1986 as an amendment to existing computer fraud law (18 U.S.C. § 1030), which had been included in the Comprehensive Crime Control Act of 1984. It was written to clarify and increase the scope of the previous version of 18 U.S.C. § 1030 while, in theory, limiting federal jurisdiction to cases "with a compelling federal interest-i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature." (see "Protected Computer", below). In addition to clarifying a number of the provisions in the original section 1030, the CFAA also criminalized additional computer-related acts. Provisions addressed the distribution of malicious code and denial of service attacks. Congress also included in the CFAA a provision criminalizing trafficking in passwords and similar items. [1]

The Act has been amended a number of times—in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act.

Protected computers[edit]

The only computers, in theory, covered by the CFAA are defined as “protected computers”. They are defined under section 18 U.S.C. § 1030(e)(2) to mean a computer:

In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the inter-state nature of most internet communication. (See the case history, below).

Criminal offenses under the Act[edit]

(a) Whoever—

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
(A) threat to cause damage to a protected computer;
(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion[2]

Specific sections[edit]

Notable cases and decisions referring to the Act[edit]

Aaron's Law proposal[edit]

The government was able to bring such disproportionate charges against Aaron because of the broad scope of the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute. It looks like the government used the vague wording of those laws to claim that violating an online service’s user agreement or terms of service is a violation of the CFAA and the wire fraud statute.

Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties.

When our laws need to be modified, Congress has a responsibility to act. A simple way to correct this dangerous legal interpretation is to change the CFAA and the wire fraud statutes to exclude terms of service violations. I will introduce a bill that does exactly that.

Rep. Zoe Lofgren, Jan 15, 2013 [34]

In the wake of the prosecution and subsequent suicide of Aaron Swartz, lawmakers have proposed to amend the Computer Fraud and Abuse Act. Representative Zoe Lofgren has drafted a bill that would help "prevent what happened to Aaron from happening to other Internet users".[34] Aaron's Law (H.R. 2454, S. 1196[35]) would exclude terms of service violations from the 1984 Computer Fraud and Abuse Act and from the wire fraud statute, despite the fact that Swartz was not prosecuted based on Terms of Service violations.[36]

In addition to Lofgren, Representative Darrell Issa and Representative Jared Polis—all on the House Judiciary Committee, raised questions about the government's handling of the case. Polis called the charges "ridiculous and trumped up," while referring to Swartz as a "martyr."[37] Issa, also chair of the House Oversight Committee, announced that he is investigating the actions of the Justice Department's prosecution.[37][38]

Amendments history[edit]

2008[1]

• Eliminated the requirement that information must have been stolen through an interstate or foreign communication, thereby expanding jurisdiction for cases involving theft of information from computers;

• Eliminated the requirement that the defendant’s action must result in a loss exceeding $5,000 and created a felony offense where the damage affects ten or more computers, closing a gap in the law;

• Expanded 18 U.S.C. § 1030(a)(7) to criminalize not only explicit threats to cause damage to a computer, but also threats to (1) steal data on a victim's computer, (2) publicly disclose stolen data, or (3) not repair damage the offender already caused to the computer;

• Created a criminal offense for conspiring to commit a computer hacking offense under section 1030;

• Broadened the definition of “protected computer” in 18 U.S.C. § 1030(e)(2) to the full extent of Congress’s commerce power by including those computers used in or affecting interstate or foreign commerce or communication; and

• Provided a mechanism for civil and criminal forfeiture of property used in or derived from section 1030 violations.

See also[edit]

References[edit]

  1. ^ a b c Jarrett, H. Marshall; Bailie, Michael W. (2010). "Prosecution of Computer Crimes". justice.gov. Office of Legal Education Executive Office for United States Attorneys. Retrieved June 3, 2013. 
  2. ^ Legal Information Institute, Cornell University Law School. "18 USC 1030". 
  3. ^ United States v. Morris (1991), 928 F.2d 504, 505 (2d Cir. 1991).
  4. ^ "Ninth Circuit Court of Appeals: Stored Communications Act and Computer Fraud and Abuse Act Provide Cause of Action for Plaintiff | Stanford Center for Internet and Society". Cyberlaw.stanford.edu. Retrieved September 10, 2010. 
  5. ^ US v Jacob Citrin, openjurist.org
  6. ^ U.S. v Brekka 2009
  7. ^ Kravets, David, Court: Disloyal Computing Is Not Illegal, Wired, September 18, 2009.
  8. ^ Doug Stanglin (February 18, 2010). "School district accused of spying on kids via laptop webcams". USA Today. Retrieved February 19, 2010. 
  9. ^ "Initial LANrev System Findings", LMSD Redacted Forensic Analysis, L-3 Services—prepared for Ballard Spahr (LMSD's counsel), May 2010. Retrieved August 15, 2010.
  10. ^ U.S. v. Lori Drew, scribd
  11. ^ US v Lori Drew, psu.edu KYLE JOSEPH SASSMAN,
  12. ^ ". Retrieved February 21, 2011.
  13. ^ See the linked articles about Bradley Manning, and his charge sheets here: Hague Justice Portal
  14. ^ FBI serves Grand Jury subpoena likely relating to WikiLeaks by Glenn Greenwald, Salon.com 27 April 2011.
  15. ^ See Internet Activist Charged in M.I.T. Data Theft, By NICK BILTON New York Times, July 19, 2011, 12:54 PM, as well as the Indictment
  16. ^ Dave Smith, Aaron Swartz Case: U.S. DOJ Drops All Pending Charges Against The JSTOR Liberator, Days After His Suicide, International Business Times, January 15, 2013.
  17. ^ See the links to the original lawsuit documents which are indexed here
  18. ^ U.S. v. Nosal, uscourts.gov, 2011
  19. ^ Appeals Court: No Hacking Required to Be Prosecuted as a Hacker, By David Kravets, Wired, April 29, 2011
  20. ^ Man Convicted of Hacking Despite Not Hacking | Threat Level | Wired.com
  21. ^ US v Adekeye Indictment. see also Federal Grand Jury indicts former Cisco Engineer By Howard Mintz, 08/05/2011, Mercury News
  22. ^ techdirt.com 2011 8 9, Mike Masnick, "Sending Too Many Emails to Someone Is Computer Hacking"
  23. ^ Hall, Brian, Sixth Circuit Decision in Pulte Homes Leaves Employers With Few Options In Response To Union High Tech Tactics, Employer Law Report, 3 August 2011. Retrieved 27 January 2013.
  24. ^ US v Sergey Aleynikov, Case 1:10-cr-00096-DLC Document 69 Filed 10/25/10
  25. ^ Ex-Goldman Programmer Described Code Downloads to FBI (Update1), David Glovin and David Scheer - July 10, 2009, Bloomberg
  26. ^ Plea Agreement, U.S. District Court, Eastern District of Michigan, Southern Division. via debbieschlussel.com
  27. ^ Sibel Edmond's Boiling Frogs podcast 61 Thursday, 13. October 2011. Interview with Prouty by Peter B. Collins and Sibel Edmonds
  28. ^ "United States of America v. Neil Scott Kramer". 
  29. ^ Feds Drop Hacking Charges in Video-Poker Glitching Case | Threat Level | Wired.com
  30. ^ No Expansion of CFAA Liability for Monetary Exploit of Software Bug | New Media and Technology Law Blog
  31. ^ IP Cloaking Violates Computer Fraud and Abuse Act, Judge Rules | Threat Level | Wired.com
  32. ^ Craigslist v. 3taps | Digital Media Law Project
  33. ^ 3Taps Can't Shake Unauthorized Craigslist Access Claims - Law360
  34. ^ a b Zoe Lofgren Introduces 'Aaron's Law' To Honor Swartz On Reddit
  35. ^ H.R. 2454 at THOMAS; H.R. 2454 at GovTrack; H.R. 2454 at OpenCongress. S. 1196 at THOMAS; S. 1196 at GovTrack; S. 1196 at OpenCongress.
  36. ^ news.cnet.com/8301-1023_3-57564193-93/new-aarons-law-aims-to-alter-controversial-computer-fraud-law/
  37. ^ a b Sasso, Brendan. "Lawmakers slam DOJ prosecution of Swartz as 'ridiculous, absurd' - The Hill's Hillicon Valley". Thehill.com. Retrieved 2013-01-16. 
  38. ^ "Darrell Issa Probing Prosecution Of Aaron Swartz, Internet Pioneer Who Killed Himself". Huffingtonpost.com. Retrieved 2013-01-16. 

External links[edit]