|
|
Cybertelecom
Federal Internet Law & Policy
An Educational Project
|
|
Computer Fraud & Abuse Act |
The following pages list bad deeds may constitute violations of the Computer Fraud and Abuse Act (note that a hack may involve both damage to the network and theft of information; violation of one provision does not preclude violation of another).
Whoever
- Hacks a non public computer (“knowingly accessed a computer without authorization or exceeding authorized access”), and
- Such behavior affects the use of that computer.
18 U.S.C. § 1030(a)(3) (hacker does not swipe information - includes computers owned by government and computers merely used by government). [NIIP Analysis]
Protected Computers
The CFAA deals with bad people who bother about “protected computers.” This is not a reference to the use of firewalls or virus protection (although these are good ideas). Originally “protected computers” were computers from financial institutions and the government. Gradually this definition has been expanded to include all networked computers, inside the U.S. or outside. 18 U.S.C. § 1030(e)(2)(B). [Shurgard] [Trotter Non-profit's computers are engaged in interstate communications connect to Internet]
Causing Damage (Private Right of Action)
Whoever
- Knowingly transmits a worm or virus and intentionally causes damage [Smith] [Mitnick] [Morris]
- Intentionally hacks a computer and recklessly causes damage, or
- Intentionally hacks a computer and causes damage
- And the damage results in
- The loss of at least $5000 in a year for a person
- A change to a medical examination, diagnosis, treatment or care
- Physical injury to a person
- A threat to public health or safety, or
- Harm to a computer owned or used by the government in furtherance of justice, defense, or security.
Section 1030(a)(5) Matrix |
| |
Trespassers |
Authorized Users |
Intentional Damage |
Felony |
Felony |
Reckless Damage |
Felony |
No Crime |
Negligent Damage |
Misdemeanor |
No Crime |
| Source: The National Information Infrastructure Protection Act of 1996, Legislative Analysis by CCIPS USDOD (updated June 1998) |
18 U.S.C. § 1030(a)(5).
There has been clarification on what constitutes a bad deed:
Bad deeds:
- Inserting a disabling code into software without a provision in the license. [North Texas Sec. IV.A]
- Data-mining where consent is lacking. [Register] [EFCultural]
- Email harvesting in violation of terms of service. [Can Spam Act] [LCGM]
- Accessing and sending proprietary information from current employer to new employer. [Shurgard]
- Deleting files and using a trace removal tool to scrub the memory of any vestiges of the files. [Citrin]
Not Bad Deeds:
Note that this provision has a mens rea; the hack must be intentional. Some courts have interpreted "intentional" to mean "intentional access" as opposed to "intentional damage." [Morris p 509] [Sablan p 868]
Where the bad deed falls under 18 U.S.C. § 1030(a)(5)(B), there is a private right of action (if you are injured, you can sue!). 18 U.S.C. § 1030(g). [Theofel at 1078] [IMS at 526] [Yonkers] [See Fiber Sys Intl (finding private right of action for violation of any CFAA provision)] Remedy includes compensatory damages, injunctive relief, or equitable relief. Actions must be brought within 2 years of the date of the act or the discovery of the damage. Injured parties may also consider seeking relief under the Electronic Communications Privacy Act which prohibits the unauthorized interception and access of communications.
Whoever
- Knowingly and with intent to defraud traffics in
- computer passwords or
- “similar information through which a computer may be accessed.”
18 U.S.C. § 1030(a)(6).
Whoever
- With intent to blackmail, transmits a threatens to damage a computer.
18 U.S.C. § 1030(a)(7).
In order for a cause of action to be maintained, there must be a minimum $5000 damage. This has been a notorious problem where, for example, Clifford Stoll’s $0.75 accounting discrepancy was insufficient to garner federal attention, even if the hacker’s breadcrumbs indicated international espionage of highly sensitive military information.
So what is “damage” and “loss”? “The term ‘damage’ means any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). A “loss” is
any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to condition prior to the offense, and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service.
18 U.S.C. § 1030(e)(11). Damages can include
Damage does not include
According to DOJ, "any reasonable method can be used to establish the value of the information obtained. For example, the research, development, and manufacturing costs, or the value of the property ‘in the thieves' market,’ can be used to meet the” required showing of a minimum $5,000 minimum damage. [NIIP] [Steroga]
Hack / Unauthorized Access
One legal issue is what does it mean to have "unauthorized access" to a computer or network. [18 U.S.C. §§ 1030(a)(2), 1030(a)(5)(A)] There are lots of circumstances where this is less than clear. One example of this that has arisen is open wifi networks. If a coffee house leaves a network open and unsecured, and a bloke standing outside with a Skype phone automatically detects and connects to that wifi network, is it unauthorized access? Some states have concluded that it is. [Register (defendant on notice lacked permission to datamine website)] [Galbraith (critiquing use of CFAA in Register case)] [Four Seasons Hotels (spoofed computer made to look authorized on network)] [LCGM (violation of TOS can create unauthorized access)]
Open network? Where an individual come upon an open network, if the individual uses that network, does the individual run afoul of state law. This issue is commonly seen in the context of the question of access to a computer network utilizing an open, unsecured wireless access point (WAP), where an individual with a WiFi enabled device seeks to access the computer network. See WiFi Theft for a discussion. But it could be as simple as a stand alone remote terminal in a library or other public space, or an open, unsecured ethernet jack in a public government building.
Security Requirement: Several states have conclude that for access to be unauthorized, the network or system must be using security of some type. See Louisiana, New York, Nebraska, Massachusetts, and Minnesota.
Notice Burden: The state laws seem to fall out into two categories:
- Those states that require the outsider to know that access to a network is unauthorized for the access to be unauthorized. This creates the defense on the part of the outsider that the outsider simply did not know. This places the burden on the network owner to provide notice to the outsider.
- Those states that require the outsider to know that access is authorized for the access to be authorized. This places the burden on the outsider to acquire knowledge that access is permissive before utilizing a network. A few states require notice to potential network users. Minnesota
The States Chart has a column labled Open Network? This column seeks to break state laws into groups according to whom has the burden. This is clearly just are opinion in the context of an academic evaluation and discussion (in other words, if you need legal advice, consult an attorney)
Recall that the issue is whether an individual accessing an open network runs afoul of state law; no nefarious intent is assumed - we can assume that this is just Joe Dude seeking to do a quick email check. Therefore some states' laws which have an element of bad intent or bad action would not appear to apply at all.
Many scholars have likened this analysis to a Trespass to Chattels argument. [Hale] [Kern] [Bierlein] Several courts have applied Trespass to Chattels jurisprudence to "unauthorized access" to computers issues. [Register.com at 404] Trespass to Chattels has been used in spam cases. [Compuserv] [AOL v IMS] [AOL v LCGM] [AOL v Natl Health Care Disc] Other course have been unpersuaded that Trespass to Chattels applies to computer access cases. [Intel]
Contrasting Trespass to Chattels and Trespass to Real Property (land) , the problem is that Trespass to Chattels addresses the deprivation of use from the owner of some thing - while Trespass to Real Property addresses whether access to the real property is authorized or not (ie., trespass).
According to the Restatement (Second) of Torts, “A trespass to a chattel may be committed by
intentionally (a) dispossessing another of the chattel, or (b) using or
intermeddling with a chattel in the possession of another.” RESTATEMENT (SECOND) OF TORTS § 217.
While Trespass to Chattels typically is the appropriate analysis for stuff that is not real property, the question before us is whether access is authorized (trespass), not whether someone has deprived someone else the use of some thing.
Some authorities note that the use of security to restrict access to a network is provides notice to individuals that access is restricted and potentially unauthorized. [EF Cultural Travel p 63 (“After all, password protection itself normally limits authorization by
implication (and technology), even without express terms.”)]
Caselaw
- Thrifty-Tel, 54 Cal. Rptr. 2d at 473 n.6 (Trespass to Chattels: “In our view, the electronic signals
generated by the Bezenek boys’ activities were sufficiently tangible to support a trespass
cause of action.”)
- White Buffalo Ventures L.L.C. v. Univ. of Texas, 420 F.3d
366, 377 n.24 (5th Cir. 2005) (Trespass to Chattels)
Papers
- Matthew Bierlein, Policing the Wireless World: Access Liability in the Open WiFi Era, 67 Ohio St. L.J. 1123 (2006)
- HALE, ROBERT V., "Wi-Fi Liability: Potential Legal Risks in Accessing and Operating Wireless Internet" . Santa Clara Computer and High Technology Law Journal, Vol. 21, p. 543, 2005 Available at SSRN: http://ssrn.com/abstract=692881
- Benjamin D. Kern, Whacking, Joyriding and War-Driving: Roaming Use of Wi- Fi and the Law, 21 SANTA CLARA COMPUTER & HIGH TECH. L.J. 101 (2004)
|
|
