§ 7.05 The Computer Fraud and Abuse Act (18 U.S.C. § 1030)

Jurisdiction: United States
Publication year: 2020

[1] Introduction

Since its original enactment in 1986, the Computer Fraud and Abuse Act (CFAA) has been amended a number of times, both in response to perceived shortcomings in its scope and to better reflect changes in technology. The CFAA was first amended in 1994[50] and then on October 3, 1996, by the National Information Infrastructure Protection Act of 1996[51] (NIIPA or 1996 Amendments) and again on October 26, 2001, by the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001[52] (USA PATRIOT Act or 2001 Amendments). The Act was then amended by the Cyber Security Enhancement Act of 2002,[53] which was part of the law that created the Department of Homeland Security.[54] Finally, the Act was amended in 2008 as part of the Identity Theft Enforcement and Restitution Act.[55] However, courts have noted that "'the CFAA is anything but a well-settled area of law'" and courts have "adopted significantly different interpretations of this act."[56]

The existing version of the CFAA, like its predecessors, seeks to protect the confidentiality, integrity, and availability of data and systems. "The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data."[57] The CFAA contains seven major provisions that create liability for different types[58] of crimes against "protected computers"—those used in interstate or foreign commerce or communications, and any computer connected to the Internet:[59]

• Section 1030(a)(1) is a narrow subsection that prohibits accessing a computer without authorization or exceeding authorized access to obtain classified information to injure the United States or aid a foreign power. It is very rarely charged by the government.
• Section 1030(a)(2) prohibits accessing a computer without authorization or exceeding authorized access and obtaining information. It is one of the most frequently charged subsections.
• Section 1030(a)(3) applies specifically to United States government computers. It prohibits accessing a United States government computer without authorization. It is very rarely used by the government.
• Section 1030(a)(4) is the federal computer fraud statute.
• Section 1030(a)(5) is the federal computer damage statute. It prohibits both unauthorized damage to a computer and also unauthorized access that results in damage.
• Section 1030(a)(6) prohibits computer password trafficking.
• Section 1030(a)(7) is an extortion statute and prohibits extorting money or other property using threats to cause damage to computers.
• Section 1030(b) provides that any attempt to engage in conduct that would be a violation of § 1030(a) is considered a violation of § 1030(b).
• Section 1030(c) contains the statutory maximum for all of the different §§ 1030(a) and (b) offenses. It is very detailed since Congress decided to treat some § 1030 offenses as misdemeanors, others as felonies with five-year maximum punishments, and others as more serious felonies.
• Section 1030(d) concerns which federal agency is allowed to investigate potential violations of the CFAA.
• Section 1030(e) contains the statutory definitions of certain key terms used in the statute.
• Section 1030(f) is a jurisdictional subsection.
• Section 1030(g) provides a civil remedy for certain types of violations permitting victims of computer misuse to sue in federal court. Most of the published cases interpreting § 1030 arise in the civil context and not in the criminal arena.
• Section 1030(h) provides for reporting certain government officials.
• Section 1030(i) provides for the forfeiture of certain property used in the criminal offense.
• Section 1030(j) is another forfeiture provision.

[2] Critical Terms

The CFAA contains a number of core concepts and terms that need to be understood before turning to the substantive section of the Act.

[a] Computer

The definition of "computer" under the CFAA is very broad[60] and includes nearly any electronic device that is not specifically excluded by statute.[61] It "captures any device that makes use of a[n] electronic data processor, examples of which are legion."[62] For example, it has been held to include cell phones.[63] Many everyday products that contain processing capabilities, such as cars and refrigerators, now apparently would meet this definition.

[b] Protected Computer

Regardless of the subsection under which the allegations arise, it must be established that defendant's conduct involved a "protected computer."[64] A "protected computer" is simply a computer that is used in or affects interstate or foreign commerce, "including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States."[65] Any arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device" that is connected to the Internet qualifies as a protected computer.[66] "[T]he statute does not ask whether the person who caused the damage acted in interstate commerce; it protects computers (and computerized communication systems) used in such commerce, no matter how the harm is inflicted. Once the computer is used in interstate commerce, Congress has the power to protect it from a local hammer blow, or from a local data packet that sends it haywire."[67] As long as the defendant and the protected computer are located in different states, this element is satisfied. Despite the breadth of this understanding of "protected computer," it is not impermissibly broad under the Constitution, "such that a substantial amount of innocent conduct is potentially prohibited."[68] This element arguably may also be satisfied even where the defendant's computer and the victim's computer are located in the same state if the ISP or ISPs involved in the communication are located out of state or if the actual transmission went out of state.[69] The latter situation may not be that uncommon, since information that is transmitted over the Internet is broken down into "packets" that are sent in the most efficient way—taking into account Internet traffic. Thus, it is possible that a communication that is sent from one computer to another computer located in the same state may have crossed state lines to get to its final destination. Whether a court would find that this satisfies the interstate communication element, however, is a question that has not been addressed yet. Finally, in a criminal matter, a court held that the "protected computer" definition is satisfied where the defendant accessed a computer that contained "the design and production programs necessary for the manufacturing of products sold in interstate commerce."[70] There was no mention in the decision that this computer was connected to the Internet. The court simply noted that "[t]he manufacturing of interstate goods . . . falls within the definition of interstate commerce under § 1030. Thus, the damaged computer was a 'protected computer' under § 1030."[71] While this element is usually easily satisfied, plaintiffs must still allege sufficient facts in the complaint that the computer was used in or affected interstate commerce or communications.[72]

However, despite the breadth of the definition of protected computer, a plaintiff may be required to do more than simply state that a computer is "used within interstate commerce" to survive the pleading requirements under Bell Atlantic v. Twombly.[73]

[c] Access

The term "access" under the CFAA, because it is not altogether clear what it means to "access" a computer,[74] is open to interpretation and, as one commentator has noted, judicial interpretations of this term vary tremendously.[75] In one Eighth Circuit case,[76] AOL sued NHCD for hiring a spammer to send bulk e-mails about NHCD to AOL customers. AOL contended that by harvesting e-mail addresses and sending e-mail to AOL customers in violation of AOL's terms of service, the spammers had accessed AOL's computers without authorization. In ruling on AOL's motion for summary judgment, the court offered a very broad definition of "access":

"The CFAA does not define 'access,' but the general definition of the word, as a transitive verb, is to 'gain access to.' '[A]ccess' in this context, means to exercise the 'freedom or ability to . . . make use of' something. . . . For purposes of the CFAA, when someone sends an e-mail message from his or her own computer, and the message then is transmitted through a number of other computers until it reaches its destination, the sender is making use of all of those computers, and is therefore 'accessing' them."[77]

The court, therefore, found that access is a physical world concept, not a virtual world concept. "The question is not whether the sender of the communication gains a virtual entrance into the computer from the sender's standpoint, but whether the communication itself is transmitted through the computer. As a result, sending an e-mail through a computer accesses the computer even if a user might not perceive the interaction as an access."[78]

Similarly, the issue of whether receiving information via e-mail can qualify as "access" has also arisen in a number of cases.[79] The decisions suggest that the answer to this question may depend on whether the recipient of the e-mail can be characterized as actually having "'direct[ed] or even encourage[d]' the sender to email the information or where the sender acts as the recipient's agent."[80] In contrast, another court[81] concluded, without analysis, that defendant's port scan of plaintiff's computer did not constitute access under the CFAA.[82] Similarly, the Kansas Supreme Court[83] in interpreting access under a...
