Computer Fraud & Abuse Act
© Cybertelecom ::
"The Weakest Link in the security chain is the human element." "I obtained confidential information in the same way government employees did, and I did it all without even touching a computer . . . . I was so successful with this line of attack that I rarely had to go towards a technical attack." - Kevin Mitnick
"The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb." National Research Council, Computers at Risk (1991).
There are different flavors of cybercrime. There are those crimes which target the network itself (hacks, worms, DDOS) and there are those crimes which do not impact the network but which are conducted almost uniquely over the network (gambling, fraud, and SPAM). That would seem like a nice sweet distinction, but of course it is not. SPAM for instance, may be a crime over the network, but the impact is clearly felt by the network. The Computer Fraud and Abuse Act, a significant law addressing cybercrime, covers both of these flavors mixed together in one statute.
"The CFAA was designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to "access and control high technology processes vital to our everyday lives..." LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir. 2009) (quoting H.R. Rep. 98-894, 1984 U.S.C.C.A.N. 3689, 3694 (July 24, 1984))." [Hillsboro EDMO 2010]
For crimes against the network, the primary authority is the Computer Fraud and Abuse Act.
The Computer Fraud and Abuse Act was originally enacted in 1984 to provide a clear statement of proscribed activity concerning computers to the law enforcement community, those who own and operate computers and those tempted to commit crimes by unauthorized access to computers. Rather than having to ``boot-strap'' enforcement efforts against computer crime by relying on statutory restrictions designed for other offenses, the Computer Fraud and Abuse statute, 18 U.S.C. 1030, set forth in a single statute computer-related offenses. This first Federal computer crime statute made it a felony to access classified information in a computer without authorization and a misdemeanor to access financial records or credit histories in financial institutions or to trespass into a Government computer.
[DOJ, NIIP] Violations of the CFAA are punishable pursuant to 18 U.S.C. § 1030(c). There is also a potential for a private right of action (individual citizens can initiate litigations) pursuant to 18 U.S.C. § 1030(g).
Crimes against the network can also be prosecuted as violations of the Electronic Communications Privacy Act since no one, including hackers, are permitted to intercept transmissions. Crimes against the network may also be violations of the Anticircumvention provisions of the Digital Millennium Copyright Act.
Crimes and Misdemeanors
- sensitive / classified info that could be used to harm the USG; 18 USC § 1030(a)(1)
- Other information from a financial institution, the USG, or a protected computer; 18 USC § 1030(a)(2)
- a computer of the USG and affects the use of that computer; 18 USC § 1030(a)(3)
- a protected computer with intent to defraud; 18 USC § 1030(a)(4)
- causes damage; 18 USC § 1030(a)(5)
- traffics in passwords; or 18 USC § 1030(a)(6)
- uses threat of damage to the computer for blackmail or extortion. 18 USC § 1030(a)(7)
Constitutionality: The Computer Fraud and Abuse Act does not violate the 10th Amendment of the US Constitution, The Tenth Amendment provides that "powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people." U.S. Const, amend. X. The CFAA is an exercise of a power "delegated to the United States by the Constitution" — specifically, by the Commerce Clause, which grants Congress the power to "regulate Commerce ... among the several States." U.S. CONST, art. I, § 8, cl. 3. See generally Treasurer of N.J. v. U.S. Dep't of Treasury, 684 F.3d 382, 413 (3d Cir. 2012) ("If Congress acts under one of its enumerated powers ... there can be no violation of the Tenth Amendment") (quoting United States v. Parker, 108 F.3d 28, 31 (3d Cir. 1997)).
- United States v. MacEwan, 445 F.3d 237, 245 (3d Cir. 2006) (concluding that the "Internet is an instrumentality and channel of interstate commerce");
- United States v. Trotter, 478 F.3d 918, 921 (8th Cir. 2007)
- United States v. Mitra, 405 F.3d 492, 496 (7th Cir. 2005) (purely local attack on first-responder network upheld as violation of CFAA because the network operated over the electromagnetic spectrum and was an instrumentality of interstate commerce).
- US v. Roque, Dist. Court, D. New Jersey 2013("The CFAA was enacted pursuant to the Commerce Clause power.")