Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses. The Act (codified as ) governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce.
It was amended in 1988, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. Subsection (b) of the act punishes not only anyone who commits or attempts to commit an offense under the Act, but also those who conspire to do so.
Protected computers
The CFAA defines “protected computers” under to mean a computer:
- exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
- which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
Criminal offenses under the Act
- Knowingly accessing a computer without authorization in order to obtain national security data.
- Intentionally accessing a computer without authorization to obtain:
  - Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer.
  - Information from any department or agency of the United States.
  - Information from any protected computer if the conduct involves an interstate or foreign communication.
- Intentionally accessing without authorization a government computer and affecting the use of the government's operation of the computer.
- Knowingly accessing a protected computer with the intent to defraud and thereby obtaining anything of value.
- Knowingly causing the transmission of a program, information, code, or command that causes damage or intentionally accessing a computer without authorization, and as a result of such conduct, causes damage that results in:
  - Loss to one or more persons during any one-year period aggregating at least $5,000 in value.
  - The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
  - Physical injury to any person.
  - A threat to public health or safety.
  - Damage affecting a government computer system.
- Knowingly and with the intent to defraud, trafficking in a password or similar information through which a computer may be accessed without authorization.
A detailed account of the various sections of 18 USC 1030 was written by Charles Doyle of the Congressional Research Service, and is available at the Federation of American Scientists website, below, under 'External Links'.
Specific sections
- Computer espionage
- Computer trespassing, and taking government, financial, or commerce info
- Computer trespassing in a government computer
- Committing fraud with a protected computer
- Damaging a protected computer (including viruses, worms)
- Trafficking in passwords of a government or commerce computer
- Threatening to damage a protected computer
- Conspiracy to violate (a)
- Penalties
- thru h: Miscellany
Notable cases and decisions referring to the Act
- United States v. Riggs, the famous case against people associated with Phrack magazine for taking the E911 document, as described in Bruce Sterling's "Hacker Crackdown of 1990". The government dropped the case after it was revealed that the document was for sale from AT&T for $13. The E911 document was related to the founding of the Electronic Frontier Foundation.
- United States v. Morris, 928 F.2d 504, decided March 7, 1991. After the release of the Morris worm, an early computer worm, its creator was convicted under the Act for causing damage and gaining unauthorized access to federal interest computers. This case in part led to the 1996 amendment of the act, which clarified the language that was argued during the case.
- Theofel v. Farey Jones, 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit). Using a civil subpoena which is "patently unlawful", "bad faith" and "at least gross negligence" to gain access to stored email is a breach of this act and the Stored Communications Act.
- International Airports v Jacob Citrin, 2006, . Citrin deleted files off his company computer before he quit, in order to hide his alleged bad behavior while an employee.
- LVRC Holdings v. Brekka, 2009 1030(a)(2), 1030(a)(4). LVRC sued Brekka for allegedly taking information about clients and using it to start his own competing business.
- Robbins v. Lower Merion School District (U.S. Eastern District of Pennsylvania), where plaintiffs charged two suburban Philadelphia high schools secretly spied on students by surreptitiously and remotely activating webcams embedded in school-issued laptops the students were using at home, violating the Act. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.
- United States v. Lori Drew, 2008. The 'cyberbullying' case involving the suicide of a girl harassed on Myspace. Charges were under 18 USC 1030(a)(2)(c) and (b)(2)(c). Judge Wu decided that using against someone violating a 'terms of service' agreement would make the law overly broad. 259 F.R.D. 449
- People v. SCEA, 2010. Class action lawsuit against SCEA for removing OtherOS, the ability to install and run Linux (or other operating systems) on the PlayStation 3. Consumers were given the option to either keep OtherOS support or not. SCEA was allegedly in violation of this Act because if the consumers updated or not, they would still lose system functionality.
- Sony Computer Entertainment America v. George Hotz and Hotz v. SCEA, 2011. SCEA sued 'Geohot' and others for jailbreaking the PlayStation 3 system. The lawsuit alleged, among other things, that Hotz violated ([by] taking info from any protected computer). Hotz denied liability and contested the Court's exercise of personal jurisdiction over him. The parties settled out of court.
- United States v. Nosal, 2011. Nosal and others allegedly accessed a protected computer to take a database of contacts from his previous employer for use in his own business, violating 1030(a)(4).
- United States v. Drake, 2010. Drake was part of a whistle-blowing effort inside the NSA to expose waste, fraud, and abuse with the Trailblazer Project. He talked to a reporter about the project. He was originally charged with five Espionage Act counts for doing this. These charges were dropped just before his trial was to begin, and instead he pleaded guilty to one misdemeanor count of violating the CFAA, (a)(2), unauthorized access. One of his advisors, Jesselyn Radack of the Government Accountability Project, called his work an "act of civil disobedience".
- United States v. Bradley Manning, 2010-. Bradley Manning was a soldier who allegedly disclosed tens of thousands of documents to those 'not entitled to receive' them. Among the 34 counts against him, there are several under (a)(1) and (a)(2) of the CFAA, some specifically linked to files like the Reykjavik 13 State Department cable and a video of the July 12, 2007 Baghdad airstrike.
- Grand Jury investigation in Cambridge, 2011. Unknown persons in Cambridge, Massachusetts, were ordered to attend Grand Jury hearings regarding charges under the CFAA, as well as the Espionage Act. Journalist Glenn Greenwald has written that these were likely related to WikiLeaks.
- United States v. Aaron Swartz, 2011. Aaron Swartz allegedly entered an MIT wiring closet and set up a laptop to mass-download articles from JSTOR, which he later used in an academic study. He allegedly evaded various attempts by JSTOR and MIT to stop this, using techniques such as MAC address spoofing. The CFAA provisions cited against him were (a)(2), (a)(4), (c)(2)(B)(iii), (a)(5)(B), and (c)(4)(A)(i)(I),(VI).
- United States v. Peter Alfred-Adekeye, 2011. Adekeye allegedly violated (a)(2) when he allegedly downloaded Cisco IOS, allegedly something that the Cisco employee who gave him an access password did not permit. Adekeye was CEO of Multiven and had accused Cisco of anti-competitive practices.
- Pulte Homes v. Laborer's International Union of North America et al., 2011. The Pulte company fired a LIUNA employee, resulting in a labor dispute with LIUNA. LIUNA told its members to email and phone the company and tell it how they felt. This resulted in a CFAA charge because the company's email system got overloaded.
- United States v Sergey Aleynikov, 2011. Aleynikov was a programmer at Goldman Sachs accused of copying code, like high-frequency trading code, allegedly in violation of 1030(a)(2)(c) and 1030(c)(2)(B)i-iii and 2. This charge was later dropped, and he was instead charged with theft of trade secrets and transporting stolen property.
- United States v Nada Nadim Prouty, circa 2010. Prouty was an FBI and CIA agent who was prosecuted for having a fraudulent marriage to get US residency. She claims she was persecuted by a US attorney who was trying to gain media coverage by calling her a terrorist agent and to get himself promoted to a federal judgeship.
See also
- Defense Secrets Act of 1911 / Espionage Act of 1917 / McCarran Internal Security Act 1950
- California Comprehensive Computer Data Access and Fraud Act
- Electronic Communications Privacy Act
- LVRC Holdings v. Brekka
- In re DoubleClick
- MBTA v. Anderson
- Information technology audit
- Computer security audit
- Computer fraud case studies
- The Hacker Crackdown (mentions the law, & the eponymous Chicago task force)
- Protected Computer
- WikiLeaks
External links
- Text of the law
- Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws, by Charles Doyle, CRS, 12 27 2010, (FAS.org)