Skip to main content

What is the Computer Fraud and Abuse Act?


Background

In 1986, Congress enacted the Computer Fraud and Abuse Act, or CFAA. The Act, codified in 18 U.S.C. § 1030, criminalizes unauthorized access of “any protected computer.” A “protected computer" is a “computer used in or affecting interstate or foreign commerce or communication.” 18 U.S.C. § 1030(e)(2)(B).

 Notably, the Act is a criminal statute that provides for both criminal and civil liability. 18 U.S.C. § 1030(g). Despite being a criminal statute, civil actions under the CFAA represent the largest number of opinions interpreting the Act. This civil litigation is useful for understanding several key provisions and terms of the Act.


Types of Offenses

This table is adapted from the Department of Justice’s Computer Crimes manual, “Prosecuting Computer Crimes.”

 Punishment Under the Computer Fraud and Abuse Act

This table is adapted from the Department of Justice’s Computer Crimes manual, “Prosecuting Computer Crimes.”

Notable Cases, Convictions, and Indictments

hiQ Labs, Inc.  V. Linkedin Corporation

In May 2017, LinkedIn sent hiQ a cease-and-desist letter to hiQ, a data analytics company, using publicly available information on LinkedIn to create “people analytics.” “People analytics” refers to a suite of tools hiQ offers to employers – these tools analyze LinkedIn data to identify employees likely to be recruited to another company, as well as employee skill gaps. hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783, 2019 WL 4251889, at *3 (9th Cir. Sept. 9, 2019). LinkedIn’s letter demanded “that hiQ stop accessing and copying data from LinkedIn’s server,” and warned “if hiQ accessed LinkedIn’s data in the future, it would be violating state and federal law, including the Computer Fraud and Abuse Act…” Id.

In response, hiQ demanded that LinkedIn “recognize hiQ’s right to access LinkedIn’s public pages.” Id. at 4. hiQ further threatened to seek an injunction if LinkedIn denied this request. “A week later, hiQ filed suit, seeking injunctive relief … and a declaratory judgment that LinkedIn could not lawfully invoke the CFAA…” Id. The district court granted the motion, and LinkedIn appealed.

 Earlier this month, the Ninth Circuit affirmed the district court’s decision to grant hiQ’s “preliminary injunction forbidding LinkedIn from denying hiQ access to publicly available LinkedIn member profiles.” Id. at 1.

The Ninth Circuit noted that the “pivotal CFAA question ... is whether once hiQ received LinkedIn’s cease-and-desist letter, any further scraping and use of LinkedIn’s data was ‘without authorization’ within the meaning of the CFAA and thus a violation of the statute. 18 U.S.C. § 1030(a)(2).” Id. at 10. The Court adopted hiQ’s reasoning that “where access is open to the general public, the CFAA ‘without authorization’ concept is inapplicable.” Id.

U.S. v. Hammond

In 2013, the Southern District of New York’s U.S. Attorney’s Office announced that Jeremy Hammond, or “Anarchaos,” was sentenced to a decade in prison for his role in the 2011 hack of Strategic Forecasting, Inc. (“Stratfor”), a global intelligence firm. In addition, Mr. Hammond was sentenced for his role in hacks into “the Federal Bureau of Investigation’s Virtual Academy, the Arizona Department of Public Safety, the Boston Police Patrolmen’s Association, and the Jefferson County, Alabama, Sheriff’s Office.”  Mr. Hammond “was sentenced in connection with his guilty plea to one count of conspiracy to engage in computer hacking.”

After entering his guilty plea, Mr. Hammond said, “Now that I have pleaded guilty it is a relief to be able to say that I did work with Anonymous to hack Stratfor, among other websites." Anonymous is an international hacktivist organization. 

On September 3, 2019, the Washington Post reported that “Jeremy Hammond… has been brought to Virginia to testify before a grand jury … he believes is the panel investigating WikiLeaks and its founder, Julian Assange.”

U.S. v. Paige Thompson

In late August, the U.S. Attorney’s Office in the Western District of Washington, announced the indictment of a software engineer “on two counts related to her unauthorized intrusion into stored data of more than 30 different companies.”

The indictment alleges that Ms. Thompson created software that allowed her to find customers of a cloud computing company with misconfigured firewalls, which permitted outside commands to penetrate and access their servers. The indictment continues, stating that she then used this access to steal data, as well as “mine” cryptocurrency.  

Labels:

Comments

Post a Comment

Popular posts from this blog

Second Circuit Holds that Personal Benefit is Not Required for Insider Trading

Insider trading, or “ securities fraud ,” is prohibited by 18 U.S.C. § 1348 and 15 U.S.C. § 10(b) As the Supreme Court explained in Dirks v. SEC , someone engages in insider trading under §10(b) if they breach a fiduciary duty by disclosing material, nonpublic information in exchange for a personal benefit. However, the Second Circuit’s recent holding in United States v. Blaszczak rejected this personal benefit requirement, at least as it relates to § 1348. The result? The range of conduct that triggers criminal liability under § 1348 is far bigger than the range of conduct that triggers liability under § 10(b). Stated another way, Blaszczak makes it easier for federal prosecutors to go after Title 18 securities fraud because - unlike Title 15 securities fraud - they do no need to prove the existence of a personal benefit.
Post a Comment
Read more

U.S. Supreme Court Eases Rules for Miranda Warning

Last week, the Supreme Court issued its opinion in Maryland v. Shatzer . Justice Scalia wrote the opinion, which six other Justices joined in full. Justice Thomas concurred in part and concurred in the judgment; Justice Stevens concurred in the judgment. The Court held that a fourteen-day break in custodial interrogation ends the Edwards v. Arizona rule which states that once a suspect invokes his Miranda rights, any subsequent waiver of the right triggered by a police request is deemed involuntary and is the result of coercion. In reversing the decision of the Maryland Court of Appeals, the Court concluded that Shatzer’s return to his normal pre-interrogation life in the general prison population for a period of two-and-one-half years before re-interrogation constituted a sufficient break in custody enable him to voluntarily waive his Miranda rights. Therefore, the Edwards case did not require that Shatzer’s re-interrogation statements be suppressed, and the Court remanded the case ...
Post a Comment
Read more

California Supreme Court Narrows Exception to the Fourth Amendment’s Warrant Requirement

On November 25, 2019, the California Supreme Court overturned a 17-year-old exception to the Fourth Amendment’s warrant requirement. People v. Lopez holds “that the desire to obtain a driver’s identification following a traffic stop does not constitute an independent, categorical exception to the Fourth Amendment’s warrant requirement.” People v. Lopez , No. S238627, 2019 WL 6267367, at *1 (Cal. Nov. 25, 2019). Before Lopez , police were “allowed … to conduct warrantless vehicle searches for personal identification documents at traffic stops when the driver failed to provide … personal identification upon request.” Id . The Court summarized the facts of Lopez as follows: police “responded to an anonymous tip concerning erratic driving.” Police were “(u)nable to locate the vehicle,” so they “asked dispatch to run a computer search of the license plate.” Police “then drove by the address where the car was registered,” but didn’t see a car matching the description. As such, p...
Post a Comment
Read more