Computer Fraud and Abuse Act

COMPUTER-RELATED crime grew exponentially throughout the 1990s. Into the 21st century, computer-related crimes have become more and more prevalent and diverse. The primary federal statute used in combating the various types of computer crime is 18 U.S.C. § 1030(a)(1)-(a)(7). Section 1030, is better known as the Computer Fraud and Abuse Act (CFAA).

It was enacted originally in 1986 and has been several times by Congress. The CFAA includes an extremely expansive definition that includes coverage of all “protected” computers from a wide variety of activities of unauthorized access to and/or theft of information from “protected” computers.

A “protected” computer includes any computer “used in interstate or foreign commerce or communication.” In other words, the CFAA allows punishment of all unauthorized assess to and/or theft of information, in a variety of manners, government, as well as from private, computers. The original statute only included a “federal interest computer” but this was too limiting given the substantial growth of the internet.

The CFAA is comprised of seven main subsections, (a)(1) through (a)(7), aimed at defining specific computer-related criminal conduct. The first subsection prohibits accessing a computer without authorization or in excess of authorization and using information, which could be used to injure the United States. The second subsection prohibits obtaining, without authorization or in excess of authorization, information from a financial institution.

The third subsection prohibits intentional, without authorization or in excess of authorization, access of a nonpublic computer of a U.S. department or agency. The fourth subsection prohibits access to a protected computer with the intent to defraud or obtain anything of value. This subsection also requires without authorization or in excess of authority.

The fifth subsection is the primary anti-hacking section of the CFAA. This subsection makes it a crime to intentionally damage a protected computer without authorization through the transmission of a program, information, code or command. This subsection is an amendment to the original statute. Under this subsection, if harm does result from unauthorized access, even if there was no intention of harm, the perpetrator could still be punished by law.

The sixth subsection criminalizes the unauthorized access and trafficking of passwords or similar information where it is done knowingly and with the intent to defraud. The last subsection prohibits the transmission of communication which contains any threat to cause damage to a protected computer and extort or gain anything of value from that transmission.

Given that the CFAA is a federal statute, the Federal Sentencing Guidelines govern sentences. In 1996, Robert Morris, a Cornell University graduate student, was the first person prosecuted under the CFAA. Morris created a worm, a computer virus that infected over 6,000 computers across the United States. He was sentenced to three years probation, fined over $10,000 and ordered to perform 400 hours of community service. The public was not pleased by the light sentence. In 1997, Congress directed the U.S. Sentencing Commission to provide for a minimum of six months of imprisonment for defendants convicted under sections 1030(a)(4) and (a)(5).

The CFAA provides a tool for the criminal justice system to respond to illegal use of computers, but a central problem remains. The identification of perpetrators and the ability to effectively use the CFAA relies on law enforcement personnel who may not be as familiar with a computer and various software systems and digital files as the potential perpetrator.

...