Cybertelecom
Federal Internet Law & Policy
An Educational Project

Computer Fraud & Abuse Act

The following pages list bad deeds that may constitute violations of the Computer Fraud and Abuse Act (note that a hack may involve both damage to the network and theft of information; violation of one provision does not preclude violation of another).

Government Computer

Whoever

  • Hacks a non public computer (“knowingly accessed a computer without authorization or exceeding authorized access”), and
  • Such behavior affects the use of that computer.

18 U.S.C. § 1030(a)(3) (hacker does not swipe information - includes computers owned by government and computers merely used by government). [NIIP Analysis]

Protected Computers

The CFAA deals with bad people who interfere with “protected computers.” This is not a reference to the use of firewalls or virus protection (although these are good ideas). Originally “protected computers” were computers from financial institutions and the government. Gradually this definition has been expanded to include all networked computers, inside the U.S. or outside. 18 U.S.C. § 1030(e)(2)(B). [Shurgard WDWA 2000]

Computers on the Internet are 'protected computers.' [Trotter 8th Cir 2007 (Non-profit's computers are engaged in interstate communications, connected to Internet)] [Walters 11th Cir. 2006 (stating that the internet is an instrumentality of interstate commerce)] [Fowler 945 MDFL 2010 (computer connected to Internet is 'protected computer')] [Multiven NDCA 2010 (finding that a computer connected to the internet was a protected computer)] [National City Bank, N.A. EDWA 2010 (stating that "any computer connected to the internet is a protected computer")] [Expert Janitorial EDTN Mar. 12, 2010] [Dedalus Foundation SDNY 2009 (noting that courts have "found that computers that access the Internet through programs such as email qualify as protected computers")] [Continental Group, SDFL 2009 (noting that a connection to the internet affects interstate commerce or communication)]

Causing Damage (Private Right of Action)

Whoever

  • Knowingly transmits a worm or virus and intentionally causes damage [Smith] [Mitnick] [Morris]
  • Intentionally hacks a computer and recklessly causes damage, or
  • Intentionally hacks a computer and causes damage
  • And the damage results in
    • The loss of at least $5000 in a year for a person
    • A change to a medical examination, diagnosis, treatment or care
    • Physical injury to a person
    • A threat to public health or safety, or
    • Harm to a computer owned or used by the government in furtherance of justice, defense, or security.

Section 1030(a)(5) Matrix

|                    | Trespassers | Authorized Users |
|--------------------|-------------|------------------|
| Intentional Damage | Felony      | Felony           |
| Reckless Damage    | Felony      | No Crime         |
| Negligent Damage   | Misdemeanor | No Crime         |

Source: The National Information Infrastructure Protection Act of 1996, Legislative Analysis by CCIPS USDOD (updated June 1998)

18 U.S.C. § 1030(a)(5).

There has been clarification on what constitutes a bad deed:

Bad deeds:

  • Inserting a disabling code into software without a provision in the license. [North Texas Sec. IV.A]
  • Data-mining where consent is lacking. [Register] [EFCultural]
  • Email harvesting in violation of terms of service. [Can Spam Act] [LCGM]
  • Accessing and sending proprietary information from current employer to new employer. [Shurgard]
  • Deleting files and using a trace removal tool to scrub the memory of any vestiges of the files. [Citrin]

Not Bad Deeds:

Note that this provision has a mens rea; the hack must be intentional. Some courts have interpreted "intentional" to mean "intentional access" as opposed to "intentional damage." [Morris p 509] [Sablan p 868]

Where the bad deed falls under 18 U.S.C. § 1030(a)(5)(B), there is a private right of action (if you are injured, you can sue!). 18 U.S.C. § 1030(g). [Theofel at 1078] [IMS at 526] [Yonkers] [See Fiber Sys Intl (finding private right of action for violation of any CFAA provision)] Remedy includes compensatory damages, injunctive relief, or equitable relief. Actions must be brought within 2 years of the date of the act or the discovery of the damage. Injured parties may also consider seeking relief under the Electronic Communications Privacy Act which prohibits the unauthorized interception and access of communications.

Passwords

Whoever

  • Knowingly and with intent to defraud traffics in
    • computer passwords or
    • “similar information through which a computer may be accessed.”

18 U.S.C. § 1030(a)(6).

Computer Blackmail

Whoever

  • With intent to blackmail, transmits a threat to damage a computer.

18 U.S.C. § 1030(a)(7).

Damage

In order for a cause of action to be maintained, there must be a minimum $5000 damage. This has been a notorious problem where, for example, Clifford Stoll’s $0.75 accounting discrepancy was insufficient to garner federal attention, even if the hacker’s breadcrumbs indicated international espionage of highly sensitive military information.

The damage must be caused by the alleged CFAA violation. [Hillsboro EDMO 2010] [Global Policy Partners at 647 EDVA 2010]

So what is “damage” and “loss”? “The term ‘damage’ means any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). A “loss” is

any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to condition prior to the offense, and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service.

18 U.S.C. § 1030(e)(11). Damages can include

  • Cost of salaries of employees to repair system [Larsen 553 9th Cir 2006 (stating that losses "include[] the time that the victim's salaried employees spend responding to the unauthorized intrusion")] [Millot 1061 8th Cir 2006 (recognizing that hours spent by employees responding to an intrusion constitute losses under the statute, because their time could have been spent on other duties)] [Middleton 1214 9th Cir 2000 (finding that a salaried employee's time spent responding to an intrusion is a loss under the statute, because "[t]here is no basis to believe that Congress intended the element of `damage' to depend on a victim's choice whether to use hourly employees, outside contractors, or salaried employees to repair the . . . harm to a protected computer")] [Fowler MDFL 2010] [NCMIC Finance Corp 1065 SDIowa 2009 (finding that the company's chief information officer's time spent investigating the matter was appropriately considered a loss under the statute)]
  • Theft of trade secrets [Shurgard], and
  • Lost profits. 18 U.S.C. 1030(e)(11)

Damage does not include

According to DOJ, "any reasonable method can be used to establish the value of the information obtained. For example, the research, development, and manufacturing costs, or the value of the property 'in the thieves' market,' can be used to meet the" required showing of a minimum of $5,000 in damage. [NIIP] [Steroga]

Unauthorized Access

One legal issue is what does it mean to have "unauthorized access" to a computer or network. [18 U.S.C. §§ 1030(a)(2), 1030(a)(5)(A)] This can become a complicated issue when a network like a Wi-Fi network is openly available to the public with no notice of restriction, or when an employee has authorization to access a network but then does something disgruntled. When does a use of a computer or network cross the line from authorized to unauthorized?

The Southern District of New York stated:

Where a statutory term is undefined, it must be given its ordinary meaning. Santos, 553 U.S. 507, 128 S. Ct. at 2024 ; Broxmeyer, 2010 WL 3001351, at *3; see also United States v. Morris, 928 F.2d 504, 511 (2d Cir. 1991) (holding that the word "authorization" for purposes of the CFAA is "of common usage, without any technical or ambiguous meaning," and therefore the district court "was not obliged to instruct the jury on its meaning"). "Authorization" is generally defined as the "act of authorizing" or "permission or power granted by an authority." See, e.g., The Random House Dictionary of the English Language 100 (Unabridged ed. 1970). The term "authorize," in turn, ordinarily means to grant authority or permission to do something. See, e.g., The American Heritage Dictionary 121 (4th ed. 2000) ("To grant authority or power to; [t]o give permission for; sanction."); 1 Oxford English Dictionary 799 (2d ed. 1989) ("To give legal or formal warrant to (a person) to do something; to empower, permit authoritatively."); The Random House Dictionary of the English Language 100 (1970) ("[T]o give authority or official power to; empower; to give authority for; formally sanction (an act or proceeding)."); Webster's Third New International Dictionary 146 (1993) ("[T]o endorse, empower, justify, or permit by or as if by some recognized or proper authority."). Based on the ordinary meaning of "authorization," then, a person who "accesses a computer without authorization" does so without any permission at all. By contrast, a person who "exceeds authorized access" has permission to access the computer, but not the particular information on the computer that is at issue.

[Aleynikov Sec. D SDNY 2010] "Courts have generally and sensibly concluded that the scope of an individual's authorization to access a computer network is analyzed 'on the basis of the expected norms of intended use.'" [Phillips 219 5th Cir 2007] [Creative Computing 9th Cir 2004] [EF Cultural Travel 582 1st Cir 2001] [Morris 505 2nd 1991]

  • Violation of Terms of Service is not sufficient to establish unauthorized access. [USA v Lori Drew CDCA 2009]
  • Use of another's password to access a website without the website owner's permission was unauthorized access in violation of the CFAA. [Vanderhye 645 4th Cir 2009] [State Analysis 316 EDVA 2009]
  • Misuse of information
    • Having authorized access to information, but then misusing or misappropriating that information, is not a violation of the CFAA [Aleynikov Sec. D SDNY 2010] [Shamrock Foods 965-66 DAr 2008 ("[L]egislative history confirms that the CFAA was intended to prohibit electronic trespassing, not the subsequent use or misuse of information.")]
    • "an employee accesses a computer "without authorization" or "exceeds authorized access" within the meaning of § 1030 whenever the employee, without knowledge of the employer, possesses an adverse interest or breaches the duty of loyalty to the employer, thereby terminating her agency relationship." [US v John 271 5th Cir 2010 ("`authorization' may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system . . . at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime")] [Int'l Airports Ctrs 420 7th Cir 2006 (defendant's "breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship") ] [EF Cultural Travel 583-84 1st Cir 2001 (defendant's use of "scraper" software to systematically glean tour company's prices from its website "exceeded authorized access," assuming program's speed and efficiency was attributable to defendant's breach of his confidentiality agreement with the company, his former employer)] [Mktg Tech Solutions at 7 SDNY 2010] [Calyon at 1 SDNY 2007] [Register 252-53 2000]
  • Employment
    • During Employment
    • After Employment
      • Possession of a former employer's laptop with company proprietary information, and accessing that information, may give rise to a CFAA cause of action. [Formulas DUtah 2010]

Open network? There are lots of circumstances where this is less than clear. One example of this that has arisen is open wifi networks. If a coffee house leaves a network open and unsecured, and a bloke standing outside with a Skype phone automatically detects and connects to that wifi network, is it unauthorized access? Some states have concluded that it is. [Register (defendant on notice lacked permission to datamine website)] [Galbraith (critiquing use of CFAA in Register case)] [Four Seasons Hotels (spoofed computer made to look authorized on network)] [LCGM (violation of TOS can create unauthorized access)]

Where an individual comes upon an open network and uses that network, does the individual run afoul of state law? This issue is commonly seen in the context of access to a computer network through an open, unsecured wireless access point (WAP), where an individual with a WiFi-enabled device seeks to access the computer network. See WiFi Theft for a discussion. But it could be as simple as a stand-alone remote terminal in a library or other public space, or an open, unsecured ethernet jack in a public government building.

Security Requirement: Several states have concluded that for access to be unauthorized, the network or system must be using security of some type. See Louisiana, New York, Nebraska, Massachusetts, and Minnesota.

Notice Burden: The state laws seem to fall out into two categories:

  • Those states that require the outsider to know that access to a network is unauthorized for the access to be unauthorized. This creates the defense on the part of the outsider that the outsider simply did not know. This places the burden on the network owner to provide notice to the outsider.
  • Those states that require the outsider to know that access is authorized for the access to be authorized. This places the burden on the outsider to acquire knowledge that access is permissive before utilizing a network. A few states require notice to potential network users. Minnesota

The States Chart has a column labeled Open Network? This column seeks to break state laws into groups according to who has the burden. This is clearly just our opinion in the context of an academic evaluation and discussion (in other words, if you need legal advice, consult an attorney).

Recall that the issue is whether an individual accessing an open network runs afoul of state law; no nefarious intent is assumed - we can assume that this is just Joe Dude seeking to do a quick email check. Therefore some states' laws which have an element of bad intent or bad action would not appear to apply at all.

Many scholars have likened this analysis to a Trespass to Chattels argument. [Hale] [Kern] [Bierlein] Several courts have applied Trespass to Chattels jurisprudence to "unauthorized access" to computers issues. [Register.com at 404] Trespass to Chattels has been used in spam cases. [Compuserv] [AOL v IMS] [AOL v LCGM] [AOL v Natl Health Care Disc] Other courts have been unpersuaded that Trespass to Chattels applies to computer access cases. [Intel]

Contrasting Trespass to Chattels and Trespass to Real Property (land), the problem is that Trespass to Chattels addresses the deprivation of use from the owner of some thing, while Trespass to Real Property addresses whether access to the real property is authorized or not (i.e., trespass).

According to the Restatement (Second) of Torts, “A trespass to a chattel may be committed by intentionally (a) dispossessing another of the chattel, or (b) using or intermeddling with a chattel in the possession of another.” RESTATEMENT (SECOND) OF TORTS § 217.

While Trespass to Chattels typically is the appropriate analysis for stuff that is not real property, the question before us is whether access is authorized (trespass), not whether someone has deprived someone else of the use of some thing.

Some authorities note that the use of security to restrict access to a network provides notice to individuals that access is restricted and potentially unauthorized. [EF Cultural Travel p 63 (“After all, password protection itself normally limits authorization by implication (and technology), even without express terms.”)]

Caselaw

  • LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009) (The Ninth Circuit holds: "[A] person uses a computer 'without authorization' under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.")
  • White Buffalo Ventures L.L.C. v. Univ. of Texas, 420 F.3d 366, 377 n.24 (5th Cir. 2005) (Trespass to Chattels)
  • US v Powers (D Nebraska Mar. 4, 2010) upholding claim where allegedly defendant accessed email account of victim, with password she had provided to him, and sent out emails with nude pictures of her to addresses in her address book - court implicitly finding that intent of defendant in accessing computer is relevant to whether access is unauthorized. Computer Fraud Blog
  • Am. Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 768-70 (N.D. Ohio 2008) (recognizing split of authority as to meaning of "without authorization")
  • SecureInfo Corp. v. Telos Corp., 387 F. Supp. 2d 593 (E.D. Va. 2005) (dismissing CFAA claims against non-party to licensing agreement where licensee of software permitted non-party to access licensee's server and copy licensor's proprietary information because licensee "authorized" non-party's access to its own computers)
  • Thrifty-Tel, 54 Cal. Rptr. 2d at 473 n.6 (Trespass to Chattels: “In our view, the electronic signals generated by the Bezenek boys’ activities were sufficiently tangible to support a trespass cause of action.”)

Employment Settings

  • Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) (holding that employee who scrubbed incriminating files from company-owned computer acted "without authorization" from moment he breached his duty of loyalty to company by resolving to destroy files)
  • Citrin, 440 F.3d 418; Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp.2d 1121, 1125 (W.D. Wash. 2000) (holding that employees' authority to access company computers ended when those employees surreptitiously became agents of defendant competitor and sent company's proprietary information to competitor via email)

Papers

  • Matthew Bierlein, Policing the Wireless World: Access Liability in the Open WiFi Era, 67 Ohio St. L.J. 1123 (2006)
  • Robert V. Hale, Wi-Fi Liability: Potential Legal Risks in Accessing and Operating Wireless Internet, 21 Santa Clara Computer & High Tech. L.J. 543 (2005), available at SSRN: http://ssrn.com/abstract=692881
  • Benjamin D. Kern, Whacking, Joyriding and War-Driving: Roaming Use of Wi-Fi and the Law, 21 Santa Clara Computer & High Tech. L.J. 101 (2004)

 
