Computer Fraud And Abuse Act

Created by Laura Biber on April 03, 2016 1610

The Computer Fraud and Abuse Act (CFAA) imposes criminal and civil penalties for unauthorized access to computers. Originally passed in 1984, this law has been amended several times since then.

The CFAA imposes both criminal and civil penalties. The CFAA creates the following seven crimes (18 U.S.C.  § 1030(a)): (1) computer espionage; (2) computer trespassing, and taking of government, financial, or commerce information; (3) computer trespassing in a government computer; (4) committing fraud with a computer; (5) damaging a protected computer (i.e. viruses, worms); (6) trafficking in passwords of a government or commerce computer; and (7) extortion by threatening a protected computer.

The CFAA also provides for civil damages. Any person who incurs damages or a loss as a result of violation of sections I-VI of 18 U.S.C. § 1030(c)(4)(A)(i) may bring a civil action against the violator to obtain compensatory damages, injunctive relief, or other equitable relief. 

Written by Laura Biber on March 31, 2016 0 2461
View all explanation (1)

Supporting Authority

United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009)
Link to Supporting Resource

This case raised the question of whether creating a MySpace page in violation of MySpace's terms of service violated the CFAA. The jury initially found the Drew guilty of a misdemeanor violation of the CFAA. However, Drew filed a motion to acquit, which the judge granted. The judge reasoned that allowing a violation of a website's terms of service to amount to "unauthorized access" under the CFAA was an overly broad interpretation that would turn "innocent Internet users into misdemeanor criminals."

Created by Laura Biber on March 30, 2016 0 2614

U.S. v. Willis, 476 F.3d 1121 (10th Cir. 2007)
Link to Supporting Resource

The court held that the crime of accessing a protected computer without authorization only requires proof that the individual intentionally accessed information from a protected computer, not that they intended to defraud or knew the value of the information obtained.

Created by Laura Biber on March 31, 2016 0 2588


Fraud and Related Activity in Connection with Computers (18 U.S.C. § 1030)
Link to Supporting Resource

This statute outlines the criminal acts, associated punishments, available civil damages, and investigative authority for violations of the CFAA.

Created by Laura Biber on March 29, 2016 0 2604
A Vague Law In A Smartphone World: Limiting The Scope Of Unauthorized Access Under The Computer Fraud And Abuse Act
Link to Supporting Resource

The author argues that that courts have struggled to interpret the CFAA, and in doing so have turned to principles of contract law and agency law. The author argues that in the context of mobile application data privacy, these interpretations will be insufficient and that liability should be limited only to "traditional notions of hacking and serious misuse of information" in order to accomplish the intended purpose of the CFAA. 

Created by Laura Biber on April 23, 2016 0 2628

The Computer Fraud and Abuse Act: Protecting the United States from Cyber-Attacks, Fake Dating Profiles, and Employees Who Check Facebook at Work
Link to Supporting Resource

This article argues that the "broad, catch-all" language of the CFFA should be discarded to make way for a more narrow, specific framework. The author contends that the "excessively broad scope and vague provisions" of the law have resulted in "discriminatory enforcement, conflicts with the federal private non delegation doctrine, and in over criminalization." Furthermore, the author argues that the protection of personal privacy, once a primary interest of the CFAA, has been minimized to the point of being forgotten.

Created by Laura Biber on April 23, 2016 0 2604