Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. The law prohibits accessing a computer without authorization, or in excess of authorization. Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.
The original 1984 bill was enacted in response to concern that computer-related crimes might go unpunished. The House Committee Report to the original computer crime bill characterized the 1983 techno-thriller film WarGames—in which a young teenager from Seattle breaks into a U.S. military supercomputer programmed to predict possible outcomes of nuclear war and unwittingly almost starts World War III—as "a realistic representation of the automatic dialing and access capabilities of the personal computer."
The CFAA was written to extend existing tort law to intangible property, while, in theory, limiting federal jurisdiction to cases "with a compelling federal interest-i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature.", but its broad definitions have spilled over into contract law.. In addition to amending a number of the provisions in the original section 1030, the CFAA also criminalized additional computer-related acts. Provisions addressed the distribution of malicious code and denial of service attacks. Congress also included in the CFAA a provision criminalizing trafficking in passwords and similar items.
Since then, the Act has been amended a number of times—in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. With each amendment of the law, the types of conduct that fell within its reach were extended.
In January 2015 Barack Obama proposed expanding the CFAA and the RICO Act in his Modernizing Law Enforcement Authorities to Combat Cyber Crime proposal. DEF CON organizer and Cloudflare researcher Marc Rogers, Senator Ron Wyden, and Representative Zoe Lofgren have stated opposition to this on the grounds it will make many regular Internet activities illegal, and moves further away from what they were trying to accomplish with Aaron's Law.
Protected computers
The only computers, in theory, covered by the CFAA are defined as "protected computers". They are defined under section to mean a computer:- exclusively for the use of a financial institution or the United States Government, or any computer, when the conduct constituting the offense affects the computer's use by or for the financial institution or the government; or
- which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States...
Criminal offenses under the Act
Whoever—Specific sections
- : Computer espionage. This section takes much of its language from the Espionage Act of 1917, with the notable addition being that it also covers information related to "Foreign Relations", not simply "National Defense" like the Espionage Act.
- : Computer trespassing, and taking government, financial, or commerce info
- : Computer trespassing in a government computer
- : Committing fraud with computer
- : Damaging a protected computer
- : Trafficking in passwords of a government or commerce computer
- : Threatening to damage a protected computer
- : Conspiracy to violate
- : Penalties
Notable cases and decisions referring to the Act
Criminal cases
- United States v. Morris , 928 F.2d 504, decided March 7, 1991. After the release of the Morris worm, an early computer worm, its creator was convicted under the Act for causing damage and gaining unauthorized access to "federal interest" computers. The Act was amended in 1996, in part, to clarify language whose meaning was disputed in the case.
- United States v. Lori Drew, 2009. The cyberbullying case involving the suicide of a girl harassed on myspace. Charges were under 18 USC 1030 and. Judge Wu decided that using against someone violating a terms of service agreement would make the law overly broad. 259 F.R.D. 449
- United States v. Rodriguez, 2010. The Eleventh Circuit Court of Appeals ruled that a Social Security Administration employee had violated the CFAA when he used an SSA database to look up information about people he knew personally.
- United States v. Collins et al, 2011. A group of men and women connected to the collective Anonymous signed a plea deal to charges of conspiring to disrupt access to the payment website PayPal in response to the payment shutdown to WikiLeaks over the Wau Holland Foundation which was part of a wider Anonymous campaign, Operation Payback. They later became known under the name PayPal 14.
- United States v. Aaron Swartz, 2011. Aaron Swartz allegedly entered an MIT wiring closet and set up a laptop to mass-download articles from JSTOR. He allegedly avoided various attempts by JSTOR and MIT to stop this, such as MAC address spoofing. He was indicted for violating CFAA provisions,,,, and,. The case was dismissed after Swartz committed suicide in January 2013.
- United States v. Nosal, 2011. Nosal and others allegedly accessed a protected computer to take a database of contacts from his previous employer for use in his own business, violating 1030. This was a complex case with multiple trips to the Ninth Circuit, which ruled that violating a website's terms of use isn't a violation of the CFAA. He was convicted in 2013. In 2016, the Ninth Circuit ruled that he had acted "without authorization" when he used the username and password of a current employee with their consent and affirmed his conviction. The Supreme Court declined to hear the case.
- United States v. Peter Alfred-Adekeye 2011. Adekeye allegedly violated, when he allegedly downloaded CISCO IOS, allegedly something that the CISCO employee who gave him an access password did not permit. Adekeye was CEO of Multiven and had accused CISCO of anti-competitive practices.
- United States v Sergey Aleynikov, 2011. Aleynikov was a programmer at Goldman Sachs accused of copying code, like high-frequency trading code, allegedly in violation of 1030 and 1030i-iii and 2. This charge was later dropped, and he was instead charged with theft of trade secrets and transporting stolen property.
- United States v Nada Nadim Prouty, circa 2010. Prouty was an FBI and CIA agent who was prosecuted for having a fraudulent marriage to get US residency. She claims she was persecuted by a U.S. attorney who was trying to gain media coverage by calling her a terrorist agent and get himself promoted to a federal judgeship.
- United States v. Neil Scott Kramer, 2011. Kramer was a court case where a cellphone was used to coerce a minor into engaging sex with an adult. Central to the case was whether a cellphone constituted a computer device. Ultimately, the United States Court of Appeals for the Eighth Circuit found that a cell phone can be considered a computer if "the phone perform arithmetic, logical, and storage functions", paving the way for harsher consequences for criminals engaging with minors over cellphones.
- United States v. Kane, 2011. Exploiting a software bug in a poker machine does not constitute hacking because the poker machine in question failed to constitute a "protected computer" under the statute and because the sequence of button presses that triggered the bug were considered held to have "not exceed their authorized access." the defendant still faces a regular wire fraud charge.
- United States v. Valle, 2015. The Second Circuit Court of Appeals overturned a conviction against a police officer who had used a police database to look up information about women he knew personally.
- Van Buren v. United States, 2020. A police officer in Georgia was caught in an FBI sting operation using his authorized access to a license plate database to check the identity of a person for cash payment, an "improper purpose". The officer was convicted and sentenced to 18 months under CFAA §1030. Though he appealed his conviction on the basis that the "improper purpose" was not "exceeding authorized access", the Eleventh Circuit upheld the conviction based on precedent. The Supreme Court agreed to hear the case, to be heard in October 2020, which is expected to resolve the circuit split on the interpretation of §1030.
Civil cases
- Theofel v. Farey Jones, 2003 U.S. App. Lexis 17963, decided August 28, 2003, holding that the use of a civil subpoena which is "patently unlawful," "in bad faith," or "at least gross negligence" to gain access to stored email is a breach of both the CFAA and the Stored Communications Act.
- International Airport Centers, L.L.C. v. Citrin, 2006,, in which the Seventh Circuit Court of Appeals ruled that Jacob Citrin had violated the CFAA when he deleted files from his company computer before he quit, in order to conceal alleged bad behavior while he was an employee.
- LVRC Holdings v. Brekka, 2009 1030, 1030, in which LVRC sued Brekka for allegedly taking information about clients and using it to start his own competing business. The Ninth Circuit ruled that an employee accesses a company computer to gather information for his own purposes does not violate the CFAA merely because that personal use was adverse to the interests of the employer.
- Craigslist v. 3Taps, 2012. 3Taps was accused by Craigslist of breaching CFAA by circumventing an IP block in order to access Craigslist's website and scrape its classified ads without consent. In August 2013, US federal judge found 3Taps's actions violated CFAA and that it faces civil damages for "unauthorized access". Judge Breyer wrote in his decision that "the average person does not use "anonymous proxies" to bypass an IP block set up to enforce a banning communicated via personally-addressed cease-and-desist letter". He also noted "Congress apparently knew how to restrict the reach of the CFAA to only certain kinds of information, and it appreciated the public v. nonpublic distinction — but contains no such restrictions or modifiers."
- Lee v. PMSI, Inc., 2011. PMSI, Inc. sued former employee Lee for violating the CFAA by browsing Facebook and checking personal email in violation of the company's acceptable use policy. The court found that breaching an employer's acceptable use policy was not "unauthorized access" under the act and, therefore, did not violate the CFAA.
- Sony Computer Entertainment America v. George Hotz and Hotz v. SCEA, 2011. SCEA sued "Geohot" and others for jailbreaking the PlayStation 3 system. The lawsuit alleged, among other things, that Hotz violated . Hotz denied liability and contested the Court's exercise of personal jurisdiction over him. The parties settled out of court. The settlement caused Geohot to be unable to legally hack the PlayStation 3 system furthermore.
- Pulte Homes, Inc. v. Laborers' International Union 2011. Pulte Homes brought a CFAA suit against the Laborers' International Union of North America. After Pulte fired an employee represented by the union, LIUNA urged members to call and send email to the company, expressing their opinions. As a result of the increased traffic, the company's email system crashed.
- Facebook v. Power Ventures and Vachani, 2016. The Ninth Circuit Court of Appeals ruled that the CFAA was violated when Facebook's servers were accessed despite an IP block and cease and desist order.
- HiQ Labs v. LinkedIn, 2019. The Ninth Circuit Court of Appeals ruled that scraping a public website without the approval of the website's owner isn't a violation of the CFAA. A Supreme Court appeal is pending.
- Sandvig v. Barr, 2020. The Federal District Court of D.C. ruled that the CFAA does not criminalize the violation of a website's terms of service.
Criticism
Tim Wu called the CFAA "the worst law in technology".
Aaron Swartz
In the wake of the prosecution and subsequent suicide of Aaron Swartz, lawmakers proposed amending the Computer Fraud and Abuse Act. Representative Zoe Lofgren drafted a bill that would help "prevent what happened to Aaron from happening to other Internet users". Aaron's Law would exclude terms of service violations from the 1984 Computer Fraud and Abuse Act and from the wire fraud statute, despite the fact that Swartz was not prosecuted based on terms of service violations.In addition to Lofgren's efforts, Representatives Darrell Issa and Jared Polis raised questions about the government's handling of the case. Polis called the charges "ridiculous and trumped up," referring to Swartz as a "martyr." Issa, chair of the House Oversight Committee, announced an investigation of the Justice Department's prosecution.
By May 2014, Aaron's Law had stalled in committee. Filmmaker Brian Knappenberger alleges occurred due to Oracle Corporation's financial interest in maintaining the status quo.
Aaron's Law was reintroduced in May 2015 and again stalled.
Amendments history
2008- Eliminated the requirement that information must have been stolen through an interstate or foreign communication, thereby expanding jurisdiction for cases involving theft of information from computers;
- Eliminated the requirement that the defendant's action must result in a loss exceeding $5,000 and created a felony offense where the damage affects ten or more computers, closing a gap in the law;
- Expanded to criminalize not only explicit threats to cause damage to a computer, but also threats to steal data on a victim's computer, publicly disclose stolen data, or not repair damage the offender already caused to the computer;
- Created a criminal offense for conspiring to commit a computer hacking offense under section 1030;
- Broadened the definition of "protected computer" in to the full extent of Congress's commerce power by including those computers used in or affecting interstate or foreign commerce or communication; and
- Provided a mechanism for civil and criminal forfeiture of property used in or derived from section 1030 violations.