CFAA history and cases

The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses. The Act (codified as 18 U.S.C. § 1030) governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce.

It was amended in 1988, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. Subsection (b) of the act punishes anyone who not just commits or attempts to commit an offense under the Act, but also those who conspire to do so.

Contents 1 Protected computers 2 Criminal offenses under the Act 3 Specific sections 4 Notable cases and decisions referring to the Act 5 See also 6 References 7 External links

Protected computers

Main article: Protected computer

The CFAA defines “protected computers” under 18 U.S.C. § 1030(e)(2) to mean a computer:

• exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
• which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

Criminal offenses under the Act

This section does not cite any references or sources. Please help improve this section by adding citations to reliable sources. Unsourced material may be challenged and removed. (June 2011)

1. Knowingly accessing a computer without authorization in order to obtain national security data
2. Intentionally accessing a computer without authorization to obtain:
   • Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer.
   • Information from any department or agency of the United States
   • Information from any protected computer if the conduct involves an interstate or foreign communication
3. Intentionally accessing without authorization a government computer and affecting the use of the government’s operation of the computer.
4. Knowingly accessing a protected computer with the intent to defraud and there by obtaining anything of value.
5. Knowingly causing the transmission of a program, information, code, or command that causes damage or intentionally accessing a computer without authorization, and as a result of such conduct, causes damage that results in:
   • Loss to one or more persons during any one-year period aggregating at least $5,000 in value.
   • The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
   • Physical injury to any person.
   • A threat to public health or safety.
   • Damage affecting a government computer system
6. Knowingly and with the intent to defraud, trafficking in a password or similar information through which a computer may be accessed without authorization.

A detailed account of the various sections of 18 USC 1030 was written by Charles Doyle of the Congressional Research Service, and is available at the Federation of American Scientists website, below, under ‘External Links’.

Specific sections

• 18 U.S.C. § 1030(a)(1): Computer Espionage
• 18 U.S.C. § 1030(a)(2): Computer tresspassing, and taking government, financial, or commerce info
• 18 U.S.C. § 1030(a)(3): Computer tresspassing in a government computer
• 18 U.S.C. § 1030(a)(4): Committing fraud with a protected computer
• 18 U.S.C. § 1030(a)(5): Damaging a protected computer (including viruses, worms)
• 18 U.S.C. § 1030(a)(6): Trafficking in passwords of a government or commerce computer
• 18 U.S.C. § 1030(a)(7): Threatening to damage a protected computer
• 18 U.S.C. § 1030(b): Conspiracy to violate (a)
• 18 U.S.C. § 1030(c): Penalties
• 18 U.S.C. § 1030(d) thru h: Miscellaney

Notable cases and decisions referring to the Act

• United States v. Riggs, the famous case against people associated with Phrack magazine for taking the E911 document, as described in Bruce Sterling‘s “Hacker Crackdown of 1990″. The government dropped the case after it was revealed that the document was for sale from AT&T for $13. The E911 document was related to the founding of the Electronic Frontier Foundation.^[1]

• United States v. Morris, 928 F.2d 504, decided March 7, 1991. After the release of the Morris worm, an early computer worm, its creator was convicted under the Act for causing damage and gaining unauthorized access to federal interest computers. This case in part led to the 1996 amendment of the act, which clarified the language that was argued during the case.^[2]

• Theofel v. Farey Jones, 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit). Using a civil subpoena which is “patently unlawful”, “bad faith” and “at least gross negligence” to gain access to stored email is a breach of this act and the Stored Communications Act.^[3]

• International Airports v Jacob Citrin, 2006, 18 U.S.C. § 1030(a)(5)(A)(i). Citrin deleted files off his company computer before he quit, in order to hide his alleged bad behavior while an employee. ^[4]

• United States v. Brekka, 2009 1030(a)(2), 1030(a)(4). LVRC sued Brekka for allegedly taking information about clients and using it to start his own competing business. ^[5][6]

• Robbins v. Lower Merion School District (U.S. Eastern District of Pennsylvania), where plaintiffs charged two suburban Philadelphia high schools secretly spied on students by surreptitiously and remotely activating webcams embedded in school-issued laptops the students were using at home, violating the Act. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.^[7][8]

• United States v. Lori Drew, 2008. The ‘cyberbullying’ case involving the suicide of a girl harassed on myspace. Charges were under 18 USC 1030(a)(2)(c) and (b)(2)(c). Judge Wu decided that using 18 U.S.C. § 1030(a)(2)(C) against someone violating a ‘terms of service’ agreement would make the law overly broad. 259 F.R.D. 449 ^[9][10]

• People v. SCEA, 2010. Class action lawsuit against SCEA for removing OtherOS, the ability to install and run Linux (or other operating systems) on the PlayStation 3. Consumers were given the option to either keep OtherOS support or not. SCEA was allegedly in violation of this Act because if the consumers updated or not, they would still lose system functionality.^[11]

• Sony Computer Entertainment America v. George Hotz and Hotz v. SCEA, 2011. SCEA sued ‘Geohot’ and others for jailbreaking the PlayStation 3 system. The lawsuit alleged, among other things, that Hotz violated 18 U.S.C. § 1030(a)(2)(c) ([by] taking info from any protected computer). Hotz denied liability and contested the Court’s exercise of personal jurisdiction over him. ^[12] The parties settled out of court.

• United States v. Nosal, 2011. Nosal and others allegedly accessed a protected computer to take a database of contacts from his previous employer for use in his own business, violating 1030(a)(4)^[13][14]

• United States v. Drake, 2010. Drake was part of a whistle-blowing effort inside the NSA to expose waste, fraud, and abuse with the Trailblazer Project. He talked to a reporter about the project. He was originally charged with five Espionage Act counts for doing this. These charges were dropped just before his trial was to begin, and instead he pleaded guilty to one misdemeanor count of violating the CFAA, (a)(2), unauthorized access. One of his advisors, Jesselyn Radack of the Government Accountability Project, called his work an “act of civil disobedience“.^[15]

• United States v. Bradley Manning, 2010-. Bradley Manning was a soldier who allegedly disclosed tens of thousands of documents to those ‘not entitled to receive’ them. Among the 34 counts against him, there are several under (a)(1) and (a)(2) of the CFAA, some specifically linked to files like the Reykjavic 13 State Department cable and a video of the July 12, 2007 Baghdad airstrike. ^[16]

• Grand Jury investigation in Cambridge, 2011. Unknown persons in Cambridge, Massachusetts, were ordered to attend Grand Jury hearings regarding charges under the CFAA, as well as the Espionage Act. Journalist Glenn Greenwald has written these were likely related to Wikileaks. ^[17]

• United States v. Aaron Swartz, 2011. Aaron Swartz allegedly entered an MIT wiring closet and set up a laptop to mass-download articles from JSTOR, which he later used in an academic study. He allegedly avoided various attempts by JSTOR and MIT to stop this, such as MAC address spoofing. The CFAA statutes against him were (a)(2), (a)(4), (c)(2)(B)(iii), (a)(5)(B), and (c)(4)(A)(i)(I),(VI). ^[18]

• United States v. Peter Alfred-Adekeye 2011. Adekeye allegedly violated (a)(2), when he allegedly downloaded CISCO iOS, allegedly something that the CISCO employee who gave him an access password did not permit. Adekeye was CEO of Multiven and had accused CISCO of anti-competitive practices.^[19]

• United States v. Laborer’s International Union of North America et al. 2011. Pelte company fired a LIUNA employee, resulting in a labor dispute with LIUNA. LIUNA told its members to email and phone the company and tell it how they felt. This resulted in a CFAA charge because the company’s email system got overloaded. ^[20]

• United States v Sergey Aleynikov, 2011. Aleynikov was a programmer at Goldman Sachs accused of copying code, like high-frequency trading code, allegedly in violation of 1030(a)(2)(c) and 1030(c)(2)(B)i-iii and 2. This charge was later dropped, and he was instead charged with theft of trade secrets and transporting stolen property.^[21][22]

See also

• Defense Secrets Act of 1911 / Espionage Act of 1917 / McCarran Internal Security Act 1950
• California Comprehensive Computer Data Access and Fraud Act
• Electronic Communications Privacy Act
• LVRC Holdings v. Brekka
• In re DoubleClick
• MBTA v. Anderson

• Information technology audit
• Computer security audit
• Computer fraud case studies
• The Hacker Crackdown (mentions the law, & the eponymous Chicago task force)
• Protected Computer
• Wikileaks

References

External links

• 18 U.S.C. § 1030, text of the law
• Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws, by Charles Doyle, CRS, 12 27 2010, (FAS.org)