The Computer Fraud and Abuse Act has been law in the United States since its passage by Congress back in 1986. At the time, computers had been deployed in some contexts, but the pervasiveness of the PC on every desk and a microchip in nearly every device was still about a decade away. However, the Congress of the time was able to perceive emerging threats and problems and craft bipartisan solutions. The solution was a law that authorized federal prosecutors to go after individuals who obtain unauthorized access to computer networks and systems or use computers to perpetrate a fraud or other crime.
However, there are problems with the CFAA that now has members of Congress and President Obama proposing fix. Understanding the law and potential changes can help talented and savvy individuals avoid crossing a line and committing a computer crime.
If you or a loved one has been charged with a fraudulent act, it is imperative to contact an experienced New Jersey fraud defense attorney immediately to gain the best outcome.
What is the CFAA?
Under the CFAA, the computers that are known as “protected computers” receive protection under the law. Protected computers include computers that are used by a bank or financial institution, or by the U.S. government. Furthermore, computers that are in use to carry out interstate or foreign commerce or communications are also considered protected computers. In today’s world, nearly all computers including cell phones, tablets, and other connected devices would likely satisfy the second definition.
As such, the law is incredibly broad. Some notable CFAA cases include:
- U.S. v. Riggs – An early case regarding the release of a document pertaining to the Emergency 911 system apparently gained through unauthorized access. The case was alter dropped after it was revealed that the document in question was being sold by AT&T for $13.
- U.S. v. Drew – This case arose due to cyberbullying on Myspace. In the case a judge found that imposing criminal sanctions for the violations of a website’s terms of service (TOS) would make the law overly broad and essentially authorized companies to write law.
- U.S. v. Swartz – Swartz set-up a laptop to automatically mass download articles from academic resource JSTOR. Swartz would later become a symbol for CFAA reform after he committed suicide in 2013 due to the CFAA charges he faced.
- Sony v. Hotz – George Hotz, known online as “geohotz”, was accused of violating the CFAA for his efforts in “jailbreaking” the PlayStation 3 video games console. It was alleged that Hotz was able to hack the PS3 “by taking information from a protected computer.”
- Lee v. PMSI, Inc. – A company sued a former employee for violation of the company’s acceptable computer use policy due to Facebook and personal e-mail usage. The court determined that breaching an acceptable use provision is not.
The law is broadly applicable and can cover a broad range of behavior and activities carried out on or over a computer. Unfortunately security researchers, tinkerers, and builders can end up facing significant criminal or other penalties if their actions cross a sometimes seemingly arbitrary line.
What Would the Changes to the Law Accomplish?
Unfortunately changes to the law are likely to give this already broad law, additional reach. Senator Sheldon Whitehouse introduced an amendment that bring more activities under the CFAA. Changes to the law would include a provision that establish a new felony for causing damage to a “critical infrastructure computer.” The law would also remove a judge’s ability to exercise discretion eliminating their ability to impose probation rather than prison time under the law. Furthermore, when assessing the proper sentence, judges will be forced to view the alleged crime through the lens of “aggravated damage.” Furthermore the law would reduce the mens rea required for alleged trafficking in passworks to “knowing such conduct to be wrongful.” This term is not well-defined and precedent is at least sparse and is perhaps completely lacking as to what this term actually means.
Finally, legitimate security research could be imperiled by the amendment’s expansion of the trafficking provision to include any “means of access.” Surely this language can’t mean that routine and standard penetration testing and searching for exploits will become illegal.
Facing Federal Charges due to the CFAA?
If you have been charged with computer crimes under the Computer Fraud and Abuse Act you face serious consequences. Proposed changes to the law would likely magnify many of the law’s flaws and result in additional people being charged with serious felonies for seemingly innocuous activities. If you have questions about the computer fraud or hacking charges you face call the experienced Cape May criminal defense attorneys of the Law Offices of John J. Zarych at (609) 616-4956 today or contact us online. We offer free initial consultations, and Atlantic City defense attorneys have a strong reputation throughout New Jersey.