Computer Fraud and Abuse Act

From Wikipedia, the free encyclopedia
Jump to: navigation, search

The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses. The Act (codified as 18 U.S.C. § 1030) governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce.

It was amended in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. Subsection (b) of the Act punishes anyone who not only commits or attempts to commit an offense under the Act, but also those who conspire to do so.

Contents

[edit] Protected computers

The CFAA defines a “protected computer” under 18 U.S.C. § 1030(e)(2) to mean a computer:

  • exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
  • which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States...

[edit] Criminal offenses under the Act

Question book-new.svg
 This section does not cite any references or sources. Please help improve this section by adding citations to reliable sources. Unsourced material may be challenged and removed. (June 2011)
  1. Knowingly accessing a computer without authorization in order to obtain national security data
  2. Intentionally accessing a computer without authorization to obtain:
    • Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer;
    • Information from any department or agency of the United States; or
    • Information from any protected computer.
  3. Intentionally accessing without authorization a government computer and affecting the use of the government's operation of the computer.
  4. Knowingly accessing a protected computer with the intent to defraud and there by obtaining anything of value.
  5. Knowingly causing the transmission of a program, information, code, or command that causes damage or intentionally accessing a computer without authorization, and as a result of such conduct, causes damage that results in:
    • Loss to one or more persons during any one-year period aggregating at least $5,000 in value.
    • The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
    • Physical injury to any person.
    • A threat to public health or safety.
    • Damage affecting a government computer system
  6. Knowingly and with the intent to defraud, trafficking in a password or similar information through which a computer may be accessed without authorization.
  7. Making changes in any information on the computer systems of the USA with the intention of misleading or hiding certain information.

A detailed account of the various sections of 18 USC 1030 was written by Charles Doyle of the Congressional Research Service, and is available at the Federation of American Scientists website, below, under 'External Links'.

[edit] Specific sections

[edit] Notable cases and decisions referring to the Act

  • United States v. Morris (1991), 928 F.2d 504, decided March 7, 1991. After the release of the Morris worm, an early computer worm, its creator was convicted under the Act for causing damage and gaining unauthorized access to federal interest computers. This case in part led to the 1996 amendment of the act, which clarified the language that was argued during the case.[2]
  • Theofel v. Farey Jones, 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit). Using a civil subpoena which is "patently unlawful", "bad faith" and "at least gross negligence" to gain access to stored email is a breach of this act and the Stored Communications Act.[3]
  • LVRC Holdings v. Brekka, 2009 1030(a)(2), 1030(a)(4). LVRC sued Brekka for allegedly taking information about clients and using it to start his own competing business. [5][6]
  • Robbins v. Lower Merion School District (U.S. Eastern District of Pennsylvania), where plaintiffs charged two suburban Philadelphia high schools secretly spied on students by surreptitiously and remotely activating webcams embedded in school-issued laptops the students were using at home, violating the Act. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.[7][8]
  • United States v. Lori Drew, 2008. The 'cyberbullying' case involving the suicide of a girl harassed on myspace. Charges were under 18 USC 1030(a)(2)(c) and (b)(2)(c). Judge Wu decided that using 18 U.S.C. § 1030(a)(2)(C) against someone violating a 'terms of service' agreement would make the law overly broad. 259 F.R.D. 449 [9][10]
  • People v. SCEA, 2010. Class action lawsuit against SCEA for removing OtherOS, the ability to install and run Linux (or other operating systems) on the PlayStation 3. Consumers were given the option to either keep OtherOS support or not. SCEA was allegedly in violation of this Act because if the consumers updated or not, they would still lose system functionality.[11]
  • United States v. Nosal, 2011. Nosal and others allegedly accessed a protected computer to take a database of contacts from his previous employer for use in his own business, violating 1030(a)(4)[13][14] On April 12, 2012, an en banc panel of the Court of Appeals reversed that ruling, dismissing all charges against Nosal. [4]
  • United States v. Drake, 2010. Drake was part of a whistle-blowing effort inside the NSA to expose waste, fraud, and abuse with the Trailblazer Project. He talked to a reporter about the project. He was originally charged with five Espionage Act counts for doing this. These charges were dropped just before his trial was to begin, and instead he pleaded guilty to one misdemeanor count of violating the CFAA, (a)(2), unauthorized access.
  • Grand Jury investigation in Cambridge, 2011. Unknown persons in Cambridge, Massachusetts, were ordered to attend Grand Jury hearings regarding charges under the CFAA, as well as the Espionage Act. Journalist Glenn Greenwald has written these were likely related to Wikileaks. [16]
  • United States v. Aaron Swartz, 2011. Aaron Swartz allegedly entered an MIT wiring closet and set up a laptop to mass-download articles from JSTOR, which he later used in an academic study. He allegedly avoided various attempts by JSTOR and MIT to stop this, such as MAC address spoofing. The CFAA statutes against him were (a)(2), (a)(4), (c)(2)(B)(iii), (a)(5)(B), and (c)(4)(A)(i)(I),(VI). [17] The government dropped all charges after his January, 2013 suicide.[18]
  • United States v Nada Nadim Prouty, circa 2010. [23] Prouty was an FBI and CIA agent who was prosecuted for having a fraudulent marriage to get US residency. She claims she was persecuted by a US attorney who was trying to gain media coverage by calling her a terrorist agent and get himself promoted to a federal judgeship. [24]
  • United States v. Neil Scott Kramer, 2011. Kramer was a court case where a cellphone was used to coerce a minor into engaging sex with an adult. Central to the case was whether a cellphone constituted a computer device. Ultimately, the United States Court of Appeals for the Eighth Circuit found that a cell phone can be considered a computer if "the phone perform[s] arithmetic, logical, and storage functions," paving the way for harsher consequences for criminals engaging with minors over cellphones. [25]

[edit] Aaron's Law proposal

The government was able to bring such disproportionate charges against Aaron because of the broad scope of the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute. It looks like the government used the vague wording of those laws to claim that violating an online service’s user agreement or terms of service is a violation of the CFAA and the wire fraud statute.

Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties.

When our laws need to be modified, Congress has a responsibility to act. A simple way to correct this dangerous legal interpretation is to change the CFAA and the wire fraud statutes to exclude terms of service violations. I will introduce a bill that does exactly that.

Rep. Zoe Lofgren, Jan 15, 2013 [26]

In the wake of the prosecution and subsequent suicide of Aaron Swartz, lawmakers have proposed to amend the Computer Fraud and Abuse Act. Rep. Zoe Lofgren has drafted a bill that would help "prevent what happened to Aaron from happening to other Internet users". [27] The bill would exclude terms of service violations from the 1984 Computer Fraud and Abuse Act and from the wire fraud statute.[28]

In addition to Rep. Lofgren, Rep. Darrell Issa and Rep. Jared Polis— all on the House Judiciary Committee, raised questions about the government's handling of the case. Polis called the charges "ridiculous and trumped up", while referring to Swartz as a "martyr".[29] Issa, also House Oversight Committee Chairman announced he is investigating the actions of the Justice Department's prosecution.[29][30]

[edit] See also

[edit] References

  1. ^ See article United States v. Riggs
  2. ^ United States v. Morris (1991), 928 F.2d 504, 505 (2d Cir. 1991).
  3. ^ "Ninth Circuit Court of Appeals: Stored Communications Act and Computer Fraud and Abuse Act Provide Cause of Action for Plaintiff | Stanford Center for Internet and Society". Cyberlaw.stanford.edu. http://cyberlaw.stanford.edu/packets001500.shtml. Retrieved September 10, 2010.
  4. ^ US v Jacob Citrin, openjurist.org
  5. ^ US v Brekka 2009
  6. ^ Court: Disloyal Computing Is Not Illegal By David Kravets September 18, 2009, Wired.com
  7. ^ Doug Stanglin (February 18, 2010). "School district accused of spying on kids via laptop webcams". USA Today. http://content.usatoday.com/communities/ondeadline/post/2010/02/school-district-accused-of-issuing-webcam-laptops-to-spy-on-students/1. Retrieved February 19, 2010.
  8. ^ "Initial LANrev System Findings", LMSD Redacted Forensic Analysis, L-3 Services – prepared for Ballard Spahr (LMSD's counsel), May 2010. Retrieved August 15, 2010.
  9. ^ US V Lori Drew, scribd
  10. ^ US v Lori Drew, psu.edu KYLE JOSEPH SASSMAN,
  11. ^ ". Retrieved February 21, 2011.
  12. ^ See the links to the original lawsuit documents which are indexed here: [1]
  13. ^ US v Nosal, uscourts.gov, 2011
  14. ^ Appeals Court: No Hacking Required to Be Prosecuted as a Hacker, By David Kravets, Wired, April 29, 2011
  15. ^ See the linked articles about Bradley Manning, and his charge sheets here: Hague Justice Portal
  16. ^ FBI serves Grand Jury subpoena likely relating to WikiLeaks BY GLENN GREENWALD, Salon.com WEDNESDAY, APR 27, 2011 13:28 ET
  17. ^ See Internet Activist Charged in M.I.T. Data Theft, By NICK BILTON New York Times, July 19, 2011, 12:54 PM, as well as the Indictment
  18. ^ Dave Smith, Aaron Swartz Case: US DOJ Drops All Pending Charges Against The JSTOR Liberator, Days After His Suicide, International Business Times, January 15, 2013.
  19. ^ US v Adekeye Indictment. see also Federal Grand Jury indicts former Cisco Engineer By Howard Mintz, 08/05/2011, Mercury News
  20. ^ techdirt.com 2011 8 9, Mike Masnick, "Sending Too Many Emails to Someone Is Computer Hacking"
  21. ^ US v Sergey Aleynikov, Case 1:10-cr-00096-DLC Document 69 Filed 10/25/10
  22. ^ Ex-Goldman Programmer Described Code Downloads to FBI (Update1), David Glovin and David Scheer - July 10, 2009, Bloomberg
  23. ^ http://www.debbieschlussel.com/archives/hezbospyplea.pdf Plea Agreement], US District Court, Eastern District of Michigan, Southern Division. via debbieschlussel.com
  24. ^ Sibel Edmond's Boiling Frogs podcast 61 Thursday, 13. October 2011. Interview with Prouty by Peter B. Collins and Sibel Edmonds
  25. ^ "United States of America v. Neil Scott Kramer". http://www.ca8.uscourts.gov/opndir/11/02/101983P.pdf.
  26. ^ [2]
  27. ^ [3]
  28. ^ news.cnet.com/8301-1023_3-57564193-93/new-aarons-law-aims-to-alter-controversial-computer-fraud-law/
  29. ^ a b Sasso, Brendan. "Lawmakers slam DOJ prosecution of Swartz as 'ridiculous, absurd' - The Hill's Hillicon Valley". Thehill.com. http://thehill.com/blogs/hillicon-valley/technology/277353-lawmakers-blast-trumped-up-doj-prosecution-of-internet-activist. Retrieved 2013-01-16.
  30. ^ "Darrell Issa Probing Prosecution Of Aaron Swartz, Internet Pioneer Who Killed Himself". Huffingtonpost.com. http://www.huffingtonpost.com/2013/01/15/darrell-issa-aaron-swartz-_n_2481450.html. Retrieved 2013-01-16.
Cite error: <ref> tag with name "rad1" defined in <references> is not used in prior text; see the help page.

[edit] External links

Retrieved from "http://en.wikipedia.org/w/index.php?title=Computer_Fraud_and_Abuse_Act&oldid=533388003"