Guest Lecture

Andrew Sellars - BU School of Law

  1. Director, Technology & Cyberlaw Clinic
    • Clinical Instructor
    • Protecting Innovation by supporting students in their research and Discovery
    • BU Law students advise MIT students on laws and regulations that may affect their innovation-related academic and extracurricular projects.

The Computer Fraud and Abuse Act (CFAA) - Overview

  1. This law came into effect in 1982
  2. The movie WarGames played a part in motivating congress to enact this law
    • Since then, this law has experienced steady expansion from it’s initial boundaries
  3. Three Main Crimes
  4. “theft crimes” — stealing data I want for myself
  5. “fraud crimes” — gaining information through misrepresentation
  6. “trespass civil torts” — being where you shouldn’t be

The CFAA Today — 18 U.S. Code § 1030(a)

  • Whoever—
    1. having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
    2. intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); (B) information from any department or agency of the United States; or (C) information from any protected computer;
    3. intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
    4. knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
    5. . (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.[2]
    6. knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if— (A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States; [3]
    7. with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any— (A) threat to cause damage to a protected computer; (B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or (C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;
  • shall be punished as provided in subsection (c) of this section.

Breakdown of Vocabulary

  1. Intentionally: The outcome is why the act was performed
  2. Knowingly: The attacker is aware of the outcome
  3. Recklessly: Conscious disregard of risk resulting from actions
  4. Negligently: A reasonable person in a given circumstance would know what the outcome will be
  5. Strict Liability: It doesn’t matter what the intention was, you are still responsible
  6. What is a computer?
    • A computer is a device that computes, often a programmable machine, which can perform a programmed list of instructions and respond to new instructions given to it. An electronic computer accepts data, manipulates data, produces results, and stores results.
    • Examples: Smart Watch, Smart TV, Cellphone, etc.
  7. What is a protected computer?
    • (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
    • (B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.
    • Note: In today’s law, this term encompasses essentially all computers, which was not the original intention/version of the law.

Authorization

  • Most important component, because every part of the CFAA includes a reference to an action “exceed[ing] authorized access” or “without authorization.”
  • Example: United States v. Morris was an appeal of the conviction of Robert Tappan Morris for creating and releasing the Morris worm, one of the first Internet-based worms. This case resulted in the first conviction under the Computer Fraud and Abuse Act. In the process, the dispute clarified much of the language used in the law, which had been heavily revised in a number of updates passed in the years after its initial drafting. Also clarified was the concept of “unauthorized access,” which is central in the United States’ computer security laws.[1] The decision was the first by a U.S. court to refer to “the Internet”,[2] which it described simply as “a national computer network.”[1]

Hypotheticals (class participation exercise)

1.Example 1: I care about March Madness and I want to check the scores while I’m at work on my BU computer. (class was 50/50 split)

  • Authorized:
    • Not harming anything; Not breaking any laws outside of the one in question; Not gaining anything by using the BU computer vs. a home computer.
  • Unauthorized:
    • Potentially using university bandwidth; Against acceptable use policy, clearly not being used for work.
  • Punishment: Class decided no punishment necessary. Perhaps an informal warning.
    1. Example 2: I work for a company that deals with databases containing personal information. I see that my neighbor is in the database and look at their information out of sheer curiosity.
  • Authorized?:
    • If it can be justified as specifically for work purposes, then it is okay.
  • Unauthorized:
    • The information is not necessary to do your job; potentially breaking an employee acceptable use policy.
  • Punishment: Class decided still no punishment in this circumstance.
    1. Example 3: I have share permission for a private drive at work. I store tons of movies and raw image wedding photos that take up a lot of space on the drive.
  • Authorized?:
    • As long as it’s not damaging anything or taking up space needed for something work related.
  • Unauthorized:
    • Same arguments as before (acceptable use policy, bandwidth, etc.)
  • Punishment: Class decided still no punishment in this circumstance, unless it costs the employee money because they have to purchase more storage space.
  • Overall Question to Think About: Can we avoid many of these issues through contracts from the employer?*
  1. Example 4: My friend is starting a business similar to the one that I work at and so I access the client list from my company and send it to him.
    • Authorized?:
    • If the information is public, then it is okay. * Unauthorized:
    • Did I sign an NDA?; Is it theft? * Punishment: Class decided civil lawsuit in this case.

#Measuring Computer Use Norms Paper

  • This article, written by Matthew B. Kugler, presents a study that measures lay authorization beliefs and punishment preferences for a variety of computer misuse activities. Though perceived authorization is strongly predictive of punishment preferences, many people view common misuse activities as unauthorized but not deserving of any meaningful punishment.
  • Results from study:

Code Based Hypotheticals - Continuation of Class Exercise

  1. Example 1: I want to log into my friends Facebook page and I know their birthday so I can get their password
    • General Consensus: Unauthorized
  2. Example 2: I want to gain router access and I know the login information has been left at default so I can log in as ‘admin’ with password = ‘password’.
    • General Consensus: Unauthorized
    • explanation: The lock is there. Analogous to leaving a front door unlocked, it doesn’t mean you are authorized to enter.
  3. Example 3: Bypassing a captcha?
    • Authorized?:
    • Seen more as circumventing a speed bump, since the user does have permission not what’s beyond the page, they are just getting their by an alternative route. * Unauthorized:
    • If your permission to access the next page is reliant on you ‘not being a robot,’ then you are unauthorized to access the page unless you can prove you are human. * Class was unsure