HOME

TheInfoList



OR:

The Computer Fraud and Abuse Act of 1986 (CFAA) is a
United States The United States of America (U.S.A. or USA), commonly known as the United States (U.S. or US) or America, is a country primarily located in North America. It consists of 50 states, a federal district, five major unincorporated territo ...
cybersecurity Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, th ...
bill that was enacted in 1986 as an amendment to existing
computer fraud Computer fraud is a cybercrime and the act of using a computer to take or alter electronic data, or to gain unlawful use of a computer or system. In the United States, computer fraud is specifically proscribed by the Computer Fraud and Abuse Act, ...
law (), which had been included in the
Comprehensive Crime Control Act of 1984 Comprehensive may refer to: *Comprehensive layout, the page layout of a proposed design as initially presented by the designer to a client. *Comprehensive school, a state school that does not select its intake on the basis of academic achievement o ...
. The law prohibits accessing a computer without
authorization Authorization or authorisation (see spelling differences) is the function of specifying access rights/privileges to resources, which is related to general information security and computer security, and to access control in particular. More for ...
, or in excess of authorization. Prior to computer-specific criminal laws, computer crimes were prosecuted as
mail and wire fraud Mail fraud and wire fraud are terms used in the United States to describe the use of a physical or electronic mail system to defraud another, and are federal crimes there. Jurisdiction is claimed by the federal government if the illegal activit ...
, but the applying law was often insufficient. The original 1984 bill was enacted in response to concern that computer-related crimes might go unpunished. The House Committee Report to the original computer crime bill characterized the 1983 techno-thriller film ''
WarGames ''WarGames'' is a 1983 American science fiction techno-thriller film written by Lawrence Lasker and Walter F. Parkes and directed by John Badham. The film, which stars Matthew Broderick, Dabney Coleman, John Wood, and Ally Sheedy, follows ...
''—in which a young teenager (played by
Matthew Broderick Matthew Broderick (born March 21, 1962) is an American actor. His roles include the Golden Globe-nominated portrayal of the title character in '' Ferris Bueller's Day Off'' (1986), the voice of adult Simba in Disney's ''The Lion King'' (1994) ...
) from
Seattle Seattle ( ) is a seaport city on the West Coast of the United States. It is the seat of King County, Washington. With a 2020 population of 737,015, it is the largest city in both the state of Washington and the Pacific Northwest regio ...
breaks into a U.S. military
supercomputer A supercomputer is a computer with a high level of performance as compared to a general-purpose computer. The performance of a supercomputer is commonly measured in floating-point operations per second ( FLOPS) instead of million instructions ...
programmed to predict possible outcomes of
nuclear war Nuclear warfare, also known as atomic warfare, is a theoretical military conflict or prepared political strategy that deploys nuclear weaponry. Nuclear weapons are weapons of mass destruction; in contrast to conventional warfare, nuclear ...
and unwittingly almost starts
World War III World War III or the Third World War, often abbreviated as WWIII or WW3, are names given to a hypothetical worldwide large-scale military conflict subsequent to World War I and World War II. The term has been in use since at ...
—as "a realistic representation of the automatic dialing and access capabilities of the
personal computer A personal computer (PC) is a multi-purpose microcomputer whose size, capabilities, and price make it feasible for individual use. Personal computers are intended to be operated directly by an end user, rather than by a computer expert or tec ...
." The CFAA was written to extend existing
tort law A tort is a civil wrong that causes a claimant to suffer loss or harm, resulting in legal liability for the person who commits the tortious act. Tort law can be contrasted with criminal law, which deals with criminal wrongs that are punishable ...
to
intangible property Intangible property, also known as incorporeal property, is something that a person or corporation can have ownership of and can transfer ownership to another person or corporation, but has no physical substance, for example brand identity or k ...
, while, in theory, limiting federal jurisdiction to cases "with a compelling federal interest—i.e., where computers of the
federal government A federation (also known as a federal state) is a political entity characterized by a union of partially self-governing provinces, states, or other regions under a central federal government (federalism). In a federation, the self-govern ...
or certain
financial institution Financial institutions, sometimes called banking institutions, are business entities that provide services as intermediaries for different types of financial monetary transactions. Broadly speaking, there are three major types of financial insti ...
s are involved or where the crime itself is interstate in nature.", but its broad definitions have spilled over into
contract law A contract is a legally enforceable agreement between two or more parties that creates, defines, and governs mutual rights and obligations between them. A contract typically involves the transfer of goods, services, money, or a promise to tran ...
. (see "Protected Computer", below). In addition to amending a number of the provisions in the original ''section 1030'', the CFAA also criminalized additional computer-related acts. Provisions addressed the distribution of malicious code and
denial-of-service attack In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connect ...
s. Congress also included in the CFAA a provision criminalizing trafficking in
passwords A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of ...
and similar items. Since then, the Act has been amended a number of times—in 1989, 1994, 1996, in 2001 by the
USA PATRIOT Act The USA PATRIOT Act (commonly known as the Patriot Act) was a landmark Act of the United States Congress, signed into law by President George W. Bush. The formal name of the statute is the Uniting and Strengthening America by Providing Approp ...
, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. With each amendment of the law, the types of conduct that fell within its reach were extended. In January 2015, then-President
Barack Obama Barack Hussein Obama II ( ; born August 4, 1961) is an American politician who served as the 44th president of the United States from 2009 to 2017. A member of the Democratic Party, Obama was the first African-American president of the U ...
proposed expanding the CFAA and the RICO Act in his ''Modernizing Law Enforcement Authorities to Combat Cyber Crime'' proposal.
DEF CON DEF CON (also written as DEFCON, Defcon or DC) is a hacker convention held annually in Las Vegas, Nevada. The first DEF CON took place in June 1993 and today many attendees at DEF CON include computer security professionals, journalists, lawyers ...
organizer and
Cloudflare Cloudflare, Inc. is an American content delivery network and DDoS mitigation company, founded in 2009. It primarily acts as a reverse proxy between a website's visitor and the Cloudflare customer's hosting provider. Its headquarters are in San F ...
researcher Marc Rogers, Senator
Ron Wyden Ronald Lee Wyden (; born May 3, 1949) is an American politician and retired educator serving as the senior United States senator from Oregon, a seat he has held since 1996. A member of the Democratic Party, he served in the United States Hou ...
, and Representative
Zoe Lofgren Susan Ellen "Zoe" Lofgren ( ; born December 21, 1947) is an American lawyer and politician serving as a U.S. representative from California. A member of the Democratic Party, Lofgren is in her 13th term in Congress, having been first elected in 1 ...
have stated opposition to this on the grounds it will make many regular Internet activities illegal, and moves further away from what they were trying to accomplish with Aaron's Law.


Protected computers

The only computers, in theory, covered by the CFAA are defined as " protected computers". They are defined under section to mean a computer: * exclusively for the use of a
financial institution Financial institutions, sometimes called banking institutions, are business entities that provide services as intermediaries for different types of financial monetary transactions. Broadly speaking, there are three major types of financial insti ...
or the United States Government, or any computer, when the conduct constituting the offense affects the computer's use by or for the financial institution or the government; or * which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States ... In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the interstate nature of most Internet communication.


Criminal offenses under the Act

(a) Whoever— :(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it; :(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— ::(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); ::(B) information from any department or agency of the United States; or ::(C) information from any protected computer; :(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States; :(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; :(5) ::(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; ::(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or ::(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss. :(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if— ::(A) such trafficking affects interstate or foreign commerce; or ::(B) such computer is used by or for the Government of the United States; :(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any— ::(A) threat to cause damage to a protected computer; ::(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or ::(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion


Specific sections

* : Computer espionage. This section takes much of its language from the
Espionage Act of 1917 The Espionage Act of 1917 is a United States federal law enacted on June 15, 1917, shortly after the United States entered World War I. It has been amended numerous times over the years. It was originally found in Title 50 of the U.S. Code (Wa ...
, with the notable addition being that it also covers information related to "Foreign Relations", not simply "National Defense" like the Espionage Act. * : Computer trespassing, and taking government, financial, or commerce info * : Computer trespassing in a government computer * : Committing fraud with computer * : Damaging a protected computer (including viruses, worms) * : Trafficking in passwords of a government or commerce computer * : Threatening to damage a protected computer * : Conspiracy to violate (a) * : Penalties


Notable cases and decisions referring to the Act

The Computer Fraud and Abuse Act is both a criminal law and a statute that creates a
private right of action A cause of action or right of action, in law, is a set of facts sufficient to justify suing to obtain money or property, or to justify the enforcement of a legal right against another party. The term also refers to the legal theory upon which a p ...
, allowing compensation and injunctive or other
equitable relief Equitable remedies are judicial remedies developed by courts of equity from about the time of Henry VIII to provide more flexible responses to changing social conditions than was possible in precedent-based common law. Equitable remedies were gra ...
to anyone harmed by a violation of this law. These provisions have allowed private companies to sue disloyal employees for damages for the misappropriation of confidential information (
trade secret Trade secrets are a type of intellectual property that includes formulas, practices, processes, designs, instruments, patterns, or compilations of information that have inherent economic value because they are not generally known or readily as ...
s).


Criminal cases

* '' United States v. Morris (1991)'', 928 F.2d 504 (2d Cir. 1991), decided March 7, 1991. After the release of the Morris worm, an early
computer worm A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It wil ...
, its creator was convicted under the Act for causing damage and gaining unauthorized access to "federal interest" computers. The Act was amended in 1996, in part, to clarify language whose meaning was disputed in the case. * '' United States v. Lori Drew'', 2009. The
cyberbullying Cyberbullying or cyberharassment is a form of bullying or harassment using electronic means. Cyberbullying and cyberharassment are also known as online bullying. It has become increasingly common, especially among teenagers, as the digital ...
case involving the suicide of a girl harassed on MySpace. Charges were under 18 USC 1030(a)(2)(c) and (b)(2)(c). Judge Wu decided that using against someone violating a terms of service agreement would make the law overly broad. 259 F.R.D. 449 *''United States v. Rodriguez'', 2010. The Eleventh Circuit Court of Appeals ruled that a
Social Security Administration The United States Social Security Administration (SSA) is an independent agency of the U.S. federal government that administers Social Security, a social insurance program consisting of retirement, disability and survivor benefits. To qualify f ...
employee had violated the CFAA when he used an SSA database to look up information about people he knew personally. * '' United States v. Collins et al'', 2011. A group of men and women connected to the collective Anonymous signed a plea deal to charges of conspiring to disrupt access to the payment website PayPal in response to the payment shutdown to
WikiLeaks WikiLeaks () is an international non-profit organisation that published news leaks and classified media provided by anonymous sources. Julian Assange, an Australian Internet activist, is generally described as its founder and director and ...
over the Wau Holland Foundation which was part of a wider Anonymous campaign, Operation Payback. They later became known under the name PayPal 14. * '' United States v. Aaron Swartz'', 2011.
Aaron Swartz Aaron Hillel Swartz (November 8, 1986 – January 11, 2013) was an American computer programmer, entrepreneur, writer, political organizer, and Internet hacktivist. A prolific programmer, Swartz helped develop the web feed format RSS, the techni ...
allegedly entered an MIT wiring closet and set up a laptop to mass-download articles from
JSTOR JSTOR (; short for ''Journal Storage'') is a digital library founded in 1995 in New York City. Originally containing digitized back issues of academic journals, it now encompasses books and other primary sources as well as current issues of j ...
. He allegedly avoided various attempts by JSTOR and MIT to stop this, such as MAC address spoofing. He was indicted for violating CFAA provisions (a)(2), (a)(4), (c)(2)(B)(iii), (a)(5)(B), and (c)(4)(A)(i)(I),(VI). The case was dismissed after Swartz committed
suicide Suicide is the act of intentionally causing one's own death. Mental disorders (including depression, bipolar disorder, schizophrenia, personality disorders, anxiety disorders), physical disorders (such as chronic fatigue syndrome), and ...
in January 2013. * '' United States v. Nosal'', 2011. Nosal and others allegedly accessed a protected computer to take a database of contacts from his previous employer for use in his own business, violating 1030(a)(4). This was a complex case with multiple trips to the Ninth Circuit, which ruled that violating a website's terms of use isn't a violation of the CFAA. He was convicted in 2013. In 2016, the Ninth Circuit ruled that he had acted "without authorization" when he used the username and password of a current employee with their consent and affirmed his conviction. The Supreme Court declined to hear the case. * '' United States v. Peter Alfred-Adekeye'' 2011. Adekeye allegedly violated (a)(2), when he allegedly downloaded
CISCO IOS The Internetworking Operating System (IOS) is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems. The system is a package of routing, switching, internetworking, and ...
, allegedly something that the CISCO employee who gave him an access password did not permit. Adekeye was CEO of Multiven and had accused CISCO of
anti-competitive Anti-competitive practices are business or government practices that prevent or reduce competition in a market. Antitrust laws differ among state and federal laws to ensure businesses do not engage in competitive practices that harm other, usuall ...
practices. * ''United States v Sergey Aleynikov'', 2011. Aleynikov was a programmer at
Goldman Sachs Goldman Sachs () is an American multinational investment bank and financial services company. Founded in 1869, Goldman Sachs is headquartered at 200 West Street in Lower Manhattan, with regional headquarters in London, Warsaw, Bangalore, Hon ...
accused of copying code, like
high-frequency trading High-frequency trading (HFT) is a type of algorithmic financial trading characterized by high speeds, high turnover rates, and high order-to-trade ratios that leverages high-frequency financial data and electronic trading tools. While there is no ...
code, allegedly in violation of 1030(a)(2)(c) and 1030(c)(2)(B)i–iii and 2. This charge was later dropped, and he was instead charged with theft of
trade secret Trade secrets are a type of intellectual property that includes formulas, practices, processes, designs, instruments, patterns, or compilations of information that have inherent economic value because they are not generally known or readily as ...
s and transporting stolen property. * '' United States v Nada Nadim Prouty'', . Prouty was an FBI and CIA agent who was prosecuted for having a fraudulent marriage to get US residency. She claims she was persecuted by a U.S. attorney who was trying to gain media coverage by calling her a terrorist agent and get himself promoted to a federal judgeship.Sibel Edmond's Boiling Frogs podcast 61
Thursday, 13. October 2011. Interview with Prouty by Peter B. Collins and Sibel Edmonds
* '' United States v. Neil Scott Kramer'', 2011. Kramer was a court case where a cellphone was used to coerce a minor into engaging sex with an adult. Central to the case was whether a cellphone constituted a computer device. Ultimately, the United States Court of Appeals for the Eighth Circuit found that a cell phone can be considered a computer if "the phone perform arithmetic, logical, and storage functions", paving the way for harsher consequences for criminals engaging with minors over cellphones. * '' United States v. Kane'', 2011. Exploiting a
software bug A software bug is an error, flaw or fault in the design, development, or operation of computer software that causes it to produce an incorrect or unexpected result, or to behave in unintended ways. The process of finding and correcting bugs ...
in a poker machine does not constitute hacking because the poker machine in question failed to constitute a " protected computer" under the statute (as the poker machine in question did not demonstrate a tangential relationship to
interstate commerce The Commerce Clause describes an enumerated power listed in the United States Constitution ( Article I, Section 8, Clause 3). The clause states that the United States Congress shall have power "to regulate Commerce with foreign Nations, and amon ...
) and because the sequence of button presses that triggered the bug were considered held to have "not exceed dtheir authorized access." the defendant still faces a regular
wire fraud Mail fraud and wire fraud are terms used in the United States to describe the use of a physical or electronic mail system to defraud another, and are federal crimes there. Jurisdiction is claimed by the federal government if the illegal activi ...
charge. *'' United States v. Valle'', 2015. The
Second Circuit Court of Appeals The United States Court of Appeals for the Second Circuit (in case citations, 2d Cir.) is one of the thirteen United States Courts of Appeals. Its territory comprises the states of Connecticut, New York and Vermont. The court has appellate juris ...
overturned a conviction against a police officer who had used a police database to look up information about women he knew personally. *'' Van Buren v. United States'', 2020. A police officer in Georgia was caught in an FBI sting operation using his authorized access to a license plate database to check the identity of a person for cash payment, an "improper purpose". The officer was convicted and sentenced to 18 months under CFAA §1030(a)(2). Though he appealed his conviction on the basis that the "improper purpose" was not "exceeding authorized access", the Eleventh Circuit upheld the conviction based on precedent. The Supreme Court ruled in June 2021 that under CFAA, that a person "exceeds authorized access" of a computer system they otherwise have access to when they access files and other content that are off-limits to the portions of the computer system they were authorized to access. Their opinion restricted CFAA from applying to cases where a person obtains information from areas they do have authorized access to, but uses that information for improper reasons.


Civil cases

* ''Theofel v. Farey Jones'', 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit), holding that the use of a civil subpoena which is "patently unlawful," "in bad faith," or "at least gross negligence" to gain access to stored email is a breach of both the CFAA and the
Stored Communications Act The Stored Communications Act (SCA, codified at 18 U.S.C. Chapter 121 §§ 2701–2712) is a law that addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party i ...
. * '' International Airport Centers, L.L.C. v. Citrin'', 2006, , in which the
Seventh Circuit Court of Appeals The United States Court of Appeals for the Seventh Circuit (in case citations, 7th Cir.) is the U.S. federal court with appellate jurisdiction over the courts in the following districts: * Central District of Illinois * Northern District of Il ...
ruled that Jacob Citrin had violated the CFAA when he deleted files from his company computer before he quit, in order to conceal alleged bad behavior while he was an employee. * '' LVRC Holdings v. Brekka'', 2009 1030(a)(2), 1030(a)(4), in which LVRC sued Brekka for allegedly taking information about clients and using it to start his own competing business. The Ninth Circuit ruled that an employee accesses a company computer to gather information for his own purposes does not violate the CFAA merely because that personal use was adverse to the interests of the employer. * '' Craigslist v. 3Taps'', 2012. 3Taps was accused by
Craigslist Craigslist (stylized as craigslist) is an American classified advertisements website with sections devoted to jobs, housing, for sale, items wanted, services, community service, gigs, résumés, and discussion forums. Craig Newmark began th ...
of breaching CFAA by circumventing an IP block in order to access Craigslist's website and scrape its classified ads without consent. In August 2013, US federal judge found 3Taps's actions violated CFAA and that it faces civil damages for "unauthorized access". Judge Breyer wrote in his decision that "the average person does not use "
anonymous proxies An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It is a proxy server computer that acts as an intermediary and privacy shield between a client computer and the rest of the Internet. It acce ...
" to bypass an IP block set up to enforce a banning communicated via personally-addressed cease-and-desist letter". He also noted "Congress apparently knew how to restrict the reach of the CFAA to only certain kinds of information, and it appreciated the public v. nonpublic distinction—but he relevant sectioncontains no such restrictions or modifiers." * '' Lee v. PMSI, Inc.'', 2011. PMSI, Inc. sued former employee Lee for violating the CFAA by browsing Facebook and checking personal email in violation of the company's
acceptable use policy An acceptable use policy (AUP), acceptable usage policy or fair use policy is a set of rules applied by the owner, creator or administrator of a computer network website, or service. That restricts the ways in which the network, website or system ...
. The court found that breaching an employer's acceptable use policy was not "unauthorized access" under the act and, therefore, did not violate the CFAA. * '' Sony Computer Entertainment America v. George Hotz'' and ''Hotz v. SCEA'', 2011. SCEA sued "Geohot" and others for jailbreaking the PlayStation 3 system. The lawsuit alleged, among other things, that Hotz violated ( ytaking info from any protected computer). Hotz denied liability and contested the Court's exercise of personal jurisdiction over him. The parties settled out of court. The settlement caused Geohot to be unable to legally
hack Hack may refer to: Arts, entertainment, and media Games * ''Hack'' (Unix video game), a 1984 roguelike video game * ''.hack'' (video game series), a series of video games by the multimedia franchise ''.hack'' Music * ''Hack'' (album), a 199 ...
the PlayStation 3 system furthermore. * '' Pulte Homes, Inc. v. Laborers' International Union'' 2011.
Pulte Homes PulteGroup, Inc. is an American residential home construction company based in Atlanta, Georgia, United States. The company is the 3rd largest home construction company in the United States based on the number of homes closed. In total, the compa ...
brought a CFAA suit against the
Laborers' International Union of North America The Laborers' International Union of North America (LIUNA, stylized as LiUNA!), often shortened to just the Laborers' Union, is an American and Canadian labor union formed in 1903. As of 2017, they had about 500,000 members, about 80,000 of whom ...
(LIUNA). After Pulte fired an employee represented by the
union Union commonly refers to: * Trade union, an organization of workers * Union (set theory), in mathematics, a fundamental operation on sets Union may also refer to: Arts and entertainment Music * Union (band), an American rock group ** ''U ...
, LIUNA urged members to call and send
email Electronic mail (email or e-mail) is a method of exchanging messages ("mail") between people using electronic devices. Email was thus conceived as the electronic ( digital) version of, or counterpart to, mail, at a time when "mail" mea ...
to the company, expressing their opinions. As a result of the increased traffic, the company's email system crashed. *''Facebook v. Power Ventures and Vachani'', 2016. The Ninth Circuit Court of Appeals ruled that the CFAA was violated when Facebook's servers were accessed despite an IP block and
cease and desist A cease and desist letter is a document sent to an individual or business to stop alleged illegal activity. The phrase "cease and desist" is a legal doublet, made up of two near-synonyms. The letter may warn that, if the recipient does not disc ...
order. *''HiQ Labs v. LinkedIn'', 2019. The Ninth Circuit Court of Appeals ruled that scraping a public website without the approval of the website's owner isn't a violation of the CFAA. A Supreme Court appeal is pending. *''Sandvig v. Barr'', 2020. The Federal District Court of D.C. ruled that the CFAA does not criminalize the violation of a website's terms of service.


Criticism

There have been criminal convictions for CFAA violations in the context of civil law, for
breach of contract Breach of contract is a legal cause of action and a type of civil wrong, in which a binding agreement or bargained-for exchange is not honored by one or more of the parties to the contract by non-performance or interference with the other pa ...
or terms of service violations. Many common and insignificant online acts, such as password-sharing and copyright infringement, can transform a CFAA
misdemeanor A misdemeanor (American English, spelled misdemeanour elsewhere) is any "lesser" criminal act in some common law legal systems. Misdemeanors are generally punished less severely than more serious felonies, but theoretically more so than adm ...
into a
felony A felony is traditionally considered a crime of high seriousness, whereas a misdemeanor is regarded as less serious. The term "felony" originated from English common law (from the French medieval word "félonie") to describe an offense that resul ...
. The punishments are severe, similar to sentences for selling or importing drugs, and may be disproportionate. Prosecutors have used the CFAA to protect private business interests and to intimidate free-culture activists, deterring undesirable, yet legal, conduct. One such example regarding the harshness of the law was shown in United States vs. Tyler King, where King refused initial offers by the government for involvement in a conspiracy to "gain unauthorized access" to a computer system for a small company that an ex-girlfriend of King worked for. His role, even while not directly involved, resulted in 6.5 years imprisonment. No financial motivate was established. A non-profit was started to advocate against further harshness against others targeted under the broad law. Tim Wu called the CFAA "the worst law in technology". Professor of Law Ric Simmons notes that many provisions of the CFAA merely combine identical language to pre-existing federal laws with "the element of “access nga protected computer without authorization, or yexceed ngauthorized access," meaning that "the CFAA merely provides an additional charge for prosecutors to bring if the defendant used a computer while committing the crime." Professor Joseph Olivenbaum has similarly criticized the CFAA's "computer-specific approach," noting both the risk of redundancy and resultant definitional problems. The CFAA increasingly presents real obstacles to journalists reporting stories important to the public’s interest. As data journalism increasingly becomes “a good way of getting to the truth of things . . . in this post-truth era,” as one data journalist told Google, the need for further clarity around the CFAA increases.


Aaron Swartz

In the wake of the prosecution and subsequent suicide of
Aaron Swartz Aaron Hillel Swartz (November 8, 1986 – January 11, 2013) was an American computer programmer, entrepreneur, writer, political organizer, and Internet hacktivist. A prolific programmer, Swartz helped develop the web feed format RSS, the techni ...
(who used a script to download scholarly research articles in excess of what
JSTOR JSTOR (; short for ''Journal Storage'') is a digital library founded in 1995 in New York City. Originally containing digitized back issues of academic journals, it now encompasses books and other primary sources as well as current issues of j ...
terms of service allowed), lawmakers proposed amending the Computer Fraud and Abuse Act. Representative
Zoe Lofgren Susan Ellen "Zoe" Lofgren ( ; born December 21, 1947) is an American lawyer and politician serving as a U.S. representative from California. A member of the Democratic Party, Lofgren is in her 13th term in Congress, having been first elected in 1 ...
drafted a bill that would help "prevent what happened to Aaron from happening to other Internet users". Aaron's Law (, ) would exclude terms of service violations from the 1984 Computer Fraud and Abuse Act and from the wire fraud statute. In addition to Lofgren's efforts, Representatives
Darrell Issa Darrell Edward Issa ( ; born November 1, 1953) is an American businessman and politician who has served as the U.S. representative for California's 50th congressional district since 2021. A member of the Republican Party, he previously served i ...
and
Jared Polis Jared Schutz Polis (; born May 12, 1975) is an American politician, entrepreneur, businessman, and philanthropist, serving as the 43rd governor of Colorado since January 2019. He served one term on the Colorado State Board of Education from 20 ...
(also on the
House Judiciary Committee The U.S. House Committee on the Judiciary, also called the House Judiciary Committee, is a standing committee of the United States House of Representatives. It is charged with overseeing the administration of justice within the federal courts, a ...
) raised questions in the immediate aftermath of Swartz's death regarding the government's handling of the case. Polis called the charges "ridiculous and trumped up," referring to Swartz as a "martyr." Issa, chair of the
House Oversight Committee The Committee on Oversight and Reform is the main investigative United States congressional committee, committee of the United States House of Representatives. The committee's broad jurisdiction and legislative authority make it one of the most ...
, announced an investigation of the Justice Department's prosecution. By May 2014, Aaron's Law had stalled in committee. Filmmaker Brian Knappenberger alleges this occurred due to
Oracle Corporation Oracle Corporation is an American multinational computer technology corporation headquartered in Austin, Texas. In 2020, Oracle was the third-largest software company in the world by revenue and market capitalization. The company sells d ...
's financial interest in maintaining the status quo. Aaron's Law was reintroduced in May 2015 (, ) and again stalled. There has been no further introduction of related bills at this time.


Amendments history

2008 * Eliminated the requirement that information must have been stolen through an interstate or foreign communication, thereby expanding jurisdiction for cases involving theft of information from computers; * Eliminated the requirement that the defendant's action must result in a loss exceeding $5,000 and created a felony offense where the damage affects ten or more computers, closing a gap in the law; * Expanded to criminalize not only explicit threats to cause damage to a computer, but also threats to (1) steal data on a victim's computer, (2) publicly disclose stolen data, or (3) not repair damage the offender already caused to the computer; * Created a criminal offense for conspiring to commit a computer hacking offense under section 1030; * Broadened the definition of "protected computer" in to the full extent of Congress's commerce power by including those computers used in or affecting interstate or foreign commerce or communication; and * Provided a mechanism for civil and criminal forfeiture of property used in or derived from section 1030 violations.


Popular Culture

The CFAA is mentioned in Episode 8, Season 3 of the AMC series Halt and Catch Fire. The CFAA is mentioned in Act II of the video game
Inscryption ''Inscryption'' is a roguelike deck-building game developed by Daniel Mullins Games and published by Devolver Digital. ''Inscryption'' was released for Microsoft Windows on October 19, 2021. It was released on Linux and macOS on June 22, 2022, wh ...
(2021)


See also

*
Cybercrime A cybercrime is a crime that involves a computer or a computer network.Moore, R. (2005) "Cyber crime: Investigating High-Technology Computer Crime," Cleveland, Mississippi: Anderson Publishing. The computer may have been used in committing the ...
* Defense Secrets Act of 1911 /
Espionage Act of 1917 The Espionage Act of 1917 is a United States federal law enacted on June 15, 1917, shortly after the United States entered World War I. It has been amended numerous times over the years. It was originally found in Title 50 of the U.S. Code (Wa ...
/
McCarran Internal Security Act The Internal Security Act of 1950, (Public Law 81-831), also known as the Subversive Activities Control Act of 1950, the McCarran Act after its principal sponsor Sen. Pat McCarran (D-Nevada), or the Concentration Camp Law, is a United States fed ...
1950 * California Comprehensive Computer Data Access and Fraud Act *
Electronic Communications Privacy Act Electronic Communications Privacy Act of 1986 (ECPA) was enacted by the United States Congress to extend restrictions on government wire taps of telephone calls to include transmissions of electronic data by computer ( ''et seq.''), added new pr ...
* '' LVRC Holdings LLC v. Brekka'' * '' In re DoubleClick'' * '' Massachusetts Bay Transportation Authority v. Anderson'' * Information technology audit *
Information technology security audit An information security audit is an audit on the level of information security in an organization. It is an independent review and examination of system records, activities and related documents. These audits are intended to improve the level of in ...
*
Computer fraud Computer fraud is a cybercrime and the act of using a computer to take or alter electronic data, or to gain unlawful use of a computer or system. In the United States, computer fraud is specifically proscribed by the Computer Fraud and Abuse Act, ...
* '' The Hacker Crackdown'' (mentions the law, & the eponymous Chicago task force) * Protected computer *
Telecommunications Policy Telecommunication is the transmission of information by various types of technologies over wire, radio, optical, or other electromagnetic systems. It has its origin in the desire of humans for communication over a distance greater than that fe ...
*
WikiLeaks WikiLeaks () is an international non-profit organisation that published news leaks and classified media provided by anonymous sources. Julian Assange, an Australian Internet activist, is generally described as its founder and director and ...
*
Weev Andrew Alan Escher Auernheimer ( ; born ), best known by his pseudonym weev, is an American computer hacker and professional Internet troll. Affiliated with the alt-right, the Southern Poverty Law Center has described him as being a neo-Nazi, ...


References


External links

* , text of the law
Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws
by Charles Doyle, CRS, 12 27 2010, (FAS.org) {{Patriot Act 1986 in American law 98th United States Congress Computing legislation Hacking (computer security) Information technology audit United States federal commerce legislation Fraud legislation Fraud in the United States United States federal computing legislation United States federal legislation articles without infoboxes Title 18 of the United States Code