Guest Lecture: Andrew Sellars (BU/MIT Technology and Cyberlaw Clinic) (Laws governing hacking)

Protecting innovation by supporting student research and discovery. (Protecting students from cyber laws by creating this Technology and Cyberlaw clinic).

**The Computer Fraud and Abuse Act (1982/83)**

The movie War Games motivated Congress to draft and pass this law.

Also motivated by an airport having its landing lights system compromised.

Roots of the CFAA (1970s)

“Theft, fraud” crimes and “trespass” civil torts

  • Theft -> stealing data (copying, etc.) -> breaching the exclusivity of data
  • Fraud -> pretending to be someone else and getting someone to give you something due to this misrepresentation
  • Trespass -> access to systems you shouldn’t have access to

CFAA Today

1.) Accessing a computer without authorization and stealing classified information
2.) Obtaining information from any protected computer
3.) Accessing any non-public computer of the U.S. government with intent to defraud
4.) Knowingly accessing a protected computer without authorization or exceeding authorized access, with intent to defraud
5.) Damaging a computer
6.) Accessing a computer without legitimate authorization
7.) Obtaining information from a computer without authorization

3 main portions that apply to students studying security:

  • Obtaining information (2)
  • Fraud but with computers (4)
  • Three damages crimes (5)

These 3 main portions of the CFAA:

  • Frequent mention of the terms ‘intentionally’, ‘protected computer’, ‘knowingly’
  • Intentionally -> the outcome is why you’re doing it
  • Knowingly -> you are aware that this will be the outcome of your actions
  • Recklessly -> you consciously disregard the risk that this will happen because of your actions
  • Negligently -> a reasonable person would have known that this would happen because of your actions
  • Strict liability -> doesn’t matter what you intended, you are liable if this happens
  • Computer -> electronic, magnetic, high-speed data processing device…similar device (very wide definition including a portable calculator, automated typewriter, smart phones, etc).
  • Protected computer -> exclusively for the use of a financial institution or the U.S. government, or which is used affecting interstate or foreign commerce/communication (a federal government computer that is used in or affects interstate and foreign commerce/communication).
  • The ‘affects’ terminology is very broad; the parts could come from many different states, thus technically affecting the commerce of many states.
  • Essentially, almost any computer is covered by this broad definition of ‘protected computer.’
  • Damage -> any impairment to the integrity or loss of data.
  • Loss -> any reasonable cost to any victim
  • Exceed authorized access -> access with authorization and use such access to obtain or alter information in the computer that the accesser is not entitled to. (Technically have legitimate access, but using it for an illegitimate reason.)
  • Without authorization -> accessing something you should not be.
  • Went through a few hypothetical situations to gauge how difficult it is to apply the definitions of the CFAA.