Computer Fraud and Abuse Act
|Summary: bars people from tampering with protected computers|
|Addresses: Hacking, DDoS Attacks, Botnet Attacks, Malware, Data Theft|
|Also addressed by ICANN Policy: N|
|Related to: Wire Fraud Statute|
The Computer Fraud and Abuse Act or CFAA was originally enacted in 1984. The act addressed "protected" computers, such as government computers or computers that had access to foreign commerce or communication information from unauthorized access. The act also protects the computers of financial institutions from attacks. The CFAA's practical use, however, has expanded in scope to include attacks and unauthorized access to private computers in addition to government computers.
The CFAA has been amended multiple times since it was enacted in 1984. In its original version, it was only used in one case. However, revisions expanded its scope to include transmitting viruses, damaging computers or files, exceeding one's authorization, and attempting to cause financial harm. The first person to be prosecuted under the 1986 CFAA was Robert Morris for releasing a worm that damaged and threatened protected computers. Despite his claims that he did not want to damage other computer networks or realize how quickly the worm would spread, Morris was fined and sentenced to community service.
- This act was aimed at securing government computers from attacks such as botnets attacks, attacks caused by malware, and data theft enabled by hacking, which can be prosecuted using the CFAA.
- The CFAA makes it illegal to use "malicious code" to damage protected computers, although it does not address creating malicious code.
- Under this law, it is also illegal to "knowingly traffic in computer passwords" or to commit extortion by threatening or attacking a protected computer.
- Additionally, civil lawsuits can take place and damages can be awarded.
- Additions to the CFAA in 2008 made "conspiracy" to commit computer crimes punishable as well.
- Penalties under the CFAA include fines and imprisonment depending on the severity of the offense.
Calls for Reform
- Despite periodic reforms, some feel that the CFAA needs major renovation in order to remain relevant and just.
- Aaron's Law, a proposed bill that would change the CFAA, was introduced in the Senate in June of 2013 where it was then referred to a committee.
- This bill named for Aaron Swartz, who committed suicide while facing charges for violations of the CFAA.  These charges arose after Swartz apparently accessed MIT's network without authorization and downloaded articles from the private database JSTOR. According to a New York Times article, for downloading approximately 4.8 million articles, he was possibly facing "up to 35 years in prison and $1 million in fines."
- Another concern voiced about the CFAA involves the act's incredibly broad scope and general application. In fact, employers have tried to use the undefined phrase "unauthorized access" to prosecute employees who use their computers without explicit permission. People have also attempted to use the CFAA to prosecute those who violate the terms and conditions of specific websites or services. Some argue that the current scope of the CFAA may leave it open to possibly abusive or even unconstitutional interpretations.
- In addition to federal law, many states also have anti-computer hacking legislation.
- Read the CFAA
- Learn more about Aaron's Law and the bill's progress.
- http://www.sans.org/reading-room/whitepapers/legal/federal-computer-crime-laws-1446 by Maxim May, (June 1, 2004), Sans Institute
- http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act Wikipedia
- http://us.practicallaw.com/2-508-3428 Practical Law Company
- http://www.law.cornell.edu/uscode/text/18/1030 US Code Title 18, Legal Information Institute--Cornell University Law School
- http://www.forbes.com/sites/billsinger/2012/09/06/botnet-bandit-sentenced-in-federal-malware-case/ by Bill Singer (September 6, 2012), Forbes
- http://www.nytimes.com/2013/01/13/technology/aaron-swartz-internet-activist-dies-at-26.html?_r=0 The New York Times
- https://www.eff.org/deeplinks/2013/06/aarons-law-introduced-now-time-reform-cfaa By Mark Jaycox and Kurt Opsahl and Trevor Timm (June 20, 2013), Electronic Frontier Foundation
- https://www.govtrack.us/congress/bills/113/hr2454 GovTrack.us
- http://www.minnesotalawreview.org/wp-content/uploads/2012/03/Kerr_MLR.pdf Vagueness Challenges to the Computer Fraud and Abuse Act by Orin Kerr, Minnesota Law Review