Computer Fraud and Abuse Act

Guest Lecture from Andy Sellars of LAW’s Tech and Cyberlaw Clinic

Andy shows trailer from the film War Games

The scenario presented by the film (that of hacking into sensitive Government computing systems and interfering with their normal operation) motivated Congress in writing the law. The law itself is an example of expanding the scope of a law after it was initially written.

Roots of the law are in:

  • Theft crimes
  • Fraud crimes (misrepresentation of self)
  • Trespass civil torts (entering restricted space)

Class Question: Does duplication of information fall under the category of theft?

Andy (paraphrased): A 1970s case prior to the enactment of the CFAA dealt with this. An employee who had made copies of client information before leaving for a competitor argued that because they had merely copied the information, and the employer still had their original copies, the act wasn’t theft. The (lower level) court ruled that because the information itself was no longer exclusive, the act was still considered theft.

Related to the above question, a case involving eBay was heard in which eBay argued that competitors were guilty of “their electrons trespassing on eBay’s servers without permission”. Despite things not working this way in reality, eBay still won the case.

The law itself consists of multiple sections. (The following is taken from the actual text of the law itself; Andy used paraphrased versions in class but scrolled too quickly to copy down the full text.)

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

    (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
    (B) information from any department or agency of the United States; or
    (C) information from any protected computer;

(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)

    (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
    (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
    (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—

    (A) such trafficking affects interstate or foreign commerce; or
    (B) such computer is used by or for the Government of the United States;

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—

    (A) threat to cause damage to a protected computer;
    (B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
    (C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion

Most action involving the law deals with violations of sections 2, 4, and 5.

Discussion of the law requires the concept of “mens rea” - the intentionality of an act, as opposed to simply causing things to happen.

There are multiple levels of this:

  • Intentionally: Outcome is why you do it.
  • Knowingly: Fully aware of the outcome, but the outcome isn’t necessarily the motivation
  • Recklessly: Aware of the risk that this will happen, but does it anyway.
  • Negligently: A reasonable person would have known this to be the result.
  • Strict Liability: The intention isn’t relevant, you’re still liable if something happens

As seen above, different sections of the CFAA are based on different levels of mens rea.

Class Question: What do “and” and “or” mean in a legal context?

Andy (paraphrased): Generally, the level of scrutiny applied to “and” and “or” in a Mathematical Logic sense isn’t carried into the legal realm, although they will generally carry the same meanings.

The definition of what is covered under the CFAA is broad, though it does exclude specific electronic devices such as calculators and automated typewriters. This means that “smart” electronics (smartphones, smartwatches, etc.) also fall under the law.

A protected computer is either:

  1. Exclusively for use by the US Government
  2. Used in or affecting interstate or foreign commerce or communication

The latter results in the definition being extended to any and all internet-connected computers. (The justification for this comes from the “interstate commerce” clause of the Constitution.)

Other important terms defined in relation to the CFAA:

  • “damage”: impairment to the integrity or availability of data
  • “loss”: any reasonable cost to the victim in responding to an issue, including determining whether damage occurred at all.
  • exceeding authorized access: what this means is typically taken to be self-evident.

Courts typically deal more in questions of authorization than of access, since access is a binary question of whether you have it or not, and is usually straightforward to answer.

What is authorization in a legal sense?

Hypothetical 1: Andy has a work computer issued by BU. He uses the computer to check scores from the NCAA DI Men’s Basketball Tournament. Is this use authorized access?

Class arguments for yes:

  • Not told otherwise that this was unauthorized; use isn’t breaking a different statute
  • Not causing harm
  • Not gaining some sort of advantage from use of work vs personal computer to do this

Class arguments for no:

  • Not part of work duties
  • Consumes bandwidth, thus possibly causing harm
  • Per letter of acceptable use policy, can’t use the computer or network for personal use

Likely punishment?

  • (Andy asks the class for a show of hands regarding various severities of punishment.) Consensus: “Normative” sanction - an informal warning regarding use. Alternatively, it could be added to a list of reasons for taking action but would not be considered actionable if this were the lone violation.

Hypothetical 2: User works with a customer database and looks up a neighbor’s information. Is this use authorized access?

(Per Andy: for this exercise assume that HIPAA doesn’t apply as this is not a medical database - noted in response to a student suggesting HIPAA violations as a reason this is not authorized access)

Class arguments for yes:

  • None given

Class arguments for no:

  • Information retrieved is not related to work.
  • Possible violation of the applicable Acceptable Use Policy.

Andy notes that the customer themselves can’t bring charges under the CFAA since while their information was accessed, the information does not reside on the customer’s computer, but in the company’s database.

Hypothetical 3: User has access to a private shared drive, which they then use to store films. (The films themselves were otherwise legally obtained, so again we should only be considering this in relation to the CFAA.) Is this use authorized access?

Class arguments for yes:

  • Not causing damage if space isn’t needed

Class arguments for no:

  • Exceeds authorization for what is permitted to store

Class question: Should this be covered by employer/employee contracts?

Andy (paraphrased): It could be, as an alternative to resorting to the CFAA. (This is referred to as the Private Ordering Question in general - resolving disputes per private agreements.) However, companies do forget to have employees/contractors sign such documents.

Hypothetical 4: User gives a client list to a friend who is starting their own business. Is this use authorized access?

Class arguments for yes:

  • None Given

Class arguments for no:

  • Causes damage to employer by introducing competition for clients.

Class Question: Can negligence theory be applied if the information was leaked?

Andy: Generally, no.

The above scenarios were taken from literature on Measuring Computer Science Norms. While the majority believe that most of the scenarios aren’t worthy of “heavy” crime treatment (i.e. criminal charges and possible jail time, as opposed to “parking ticket” or normative-level sanctions; the class trended along these lines as well for each question), the CFAA reads most computer-related crimes as high crimes.

A Court of Appeals case introduced a precedent of interpreting CFAA cases based on code-based breaches instead of contractual breaches. Courts in general waffle on whether terms of use violations affect authorization.

Example questions of authorized access:

  • Access to a website with a stolen password? Unauthorized
  • Access to a router with the default password? While the default router password is public knowledge, this is still breaking and entering, and thus unauthorized. The analogy is drawn to an open door not necessarily meaning that anyone is allowed to enter a home.
  • Bypassing a reCAPTCHA? Courts are split on this: Ticketmaster has won cases against scalpers on the grounds that reCAPTCHA is itself a gatekeeper of information. Others have argued that it is not a separate gatekeeper but a “speed bump”, and the user in reaching this point already has authorized access to the information on the next screen.