The Computer Fraud and Abuse Act (CFAA) is a United States cybersecurity law that was enacted in 1986 as an amendment to existing computer fraud law (18 U.S.C. 1030), which had been included in the Comprehensive Crime Control Act of 1984. The statute has been amended several times since, most recently in 2008. With the increased use of technology, the importance and use of this statute has grown significantly in recent years.
The law generally prohibits accessing a computer without authorization. More specifically, the statute criminalizes the following types of conduct:
- knowingly accessing a computer without authorization or exceeding authorized access, and obtaining protected information;
- knowingly and with intent to defraud, accessing a computer without or exceeding authorization, and obtaining anything worth $5,000 or more in any one-year period;
- knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, causing damage without authorization, to a computer;
- knowingly and with intent to defraud, trafficking in any password or similar information through which a computer may be accessed without authorization; or
- with intent to extort money or other thing of value, transmitting in interstate or foreign commerce any communication containing any threat to cause damage to a computer.
Conspiring or attempting to do the above is also a crime. Depending on the specific provision violated, penalties can range from civil monetary damages up to 20 years in prison.
In addition to criminal cases, which can only be brought by the United States Government, the statute can also be the basis for a civil case. There are other requirements for civil actions, including an actual loss, physical injury, a threat to public health or safety, damage to a United States Government computer, or damage to more than 10 protected computers in a one-year period. While it may not have been the case in the 1980s when the statute was originally enacted, a single one of these requirements is usually not difficult to satisfy, and the number of civil cases under the Act has skyrocketed.
The Act defines numerous terms, which are generally broadly defined. For example, the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter. Under this definition, current employees of companies have been prosecuted for exceeding their access. The term “loss” is also broadly defined to mean any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Also significantly, United States Sentencing Guidelines Section 2B1.1 contains several enhancements specifically applicable to 18 U.S.C. 1030.
There is no denying that this statute is a powerful and necessary one in today’s digital age. Every year innocent individuals and entities suffer damages due to hackers accessing and selling information. Preserving the confidentiality of protected information, such as Government and other data, is critical. Finally, prosecutions under the CFAA likely have a deterrent effect on hacking.
On the other hand, it is important that prosecutors exercise discretion when bringing charges under this statute. For example, there have been cases where college students were criminally prosecuted for hacking into a university server and changing their grades.
Perhaps the most infamous case under the Act is United States v. Swartz, Crim. No. 1:11-cr-10260 (D. Mass. 2012). Aaron Swartz, a computer programmer, was federally indicted on multiple counts of wire fraud and CFAA violations, including unlawfully obtaining information from a protected computer and recklessly damaging a protected computer. The charges arose from Swartz’s alleged effort to download approximately 4.8 million articles from JSTOR, a not-for-profit digital library, using the MIT network. Anyone on the MIT campus could access MIT’s computer network and JSTOR, but JSTOR’s terms of service limited the number of articles that could be downloaded at a time. Swartz wrote a script that instructed his computer to download JSTOR articles continuously and, when this violation was detected and requests from his computer were denied, Swartz spoofed his computer’s address to trick the JSTOR servers. Swartz was indicted on ten felony charges, with maximum criminal exposure of 50 years of imprisonment and $1 million in criminal fines. Tragically, under the weight of the prosecution and potential prison sentence, Swartz committed suicide. After his death, the prosecutors dropped the charges. While this behavior is wrong and there should be consequences, it is questionable whether all of these cases are a good use of the Government’s resources and whether these individuals deserve to be incarcerated.