Computer crimes.

Author:Pelker, Catherine
Position:II. Issues D. Hacking and The Computer Fraud and Abuse Act (CFAA - Thirtieth Annual Survey of White Collar Crime
  1. Hacking and The Computer Fraud and Abuse Act (CFAA)

    As governments and corporations increasingly rely on the Internet to transmit sensitive data and communications, instances of hacking and cyber espionage have increased globally. (242) Recently, the Department of Justice announced the indictment of five members of the Chinese military for thirty-one counts of hacking and "economic espionage." (243) The Computer Fraud and Abuse Act ("CFAA") (244) is the primary federal statute used to prosecute hacking offenses.

    1. CFAA Overview

      The Computer Fraud and Abuse Act ("CFAA") (245) prohibits accessing a computer "without authorization" or "exceeding authorized access." (246) While "without authorization" is not defined, the statute does define "exceeds authorized access." (247) There is, however, a Circuit split over how broadly to construe "exceeding authorization." The First, Fifth, Seventh, and Eleventh Circuits interpret the provision to cover violation of terms of service or of an employer's acceptable computer use policy, while the Fourth and Ninth Circuits have rejected this broader interpretation. (248)

      The CFAA specifically prohibits certain activities involving "protected computers." (249) "Protected computers" are defined as those used in or affecting interstate or foreign commerce or communications. (250) This includes any computer connected to the Internet, even if the defendant did not access the computer through the Internet or use the computer to access the Internet. (251)

    2. Provisions

      The CFAA prohibits seven specific types of computer-related crime. (252) First, it is a crime to knowingly access computer files without authorization or to exceed authorized access and to subsequently transmit, or attempt to transmit, classified government information if the information "could be used" to injure the United States, or to the advantage of any foreign nation. (253) Second, the CFAA prohibits intentionally accessing a computer without authorization or exceeding authorization and obtaining (254) information from a financial institution, (255) any department or agency of the United States, or a protected computer, (256) which encompasses any computer operating on the Internet. Third, it proscribes intentional, unauthorized access to a nonpublic computer belonging to a U.S. department or agency. (257) If the department or agency does not use the computer exclusively, the illegal access must affect the government's use. (258) Fourth, knowingly accessing a protected computer, without authorization, with the intent to defraud and obtain something of value is prohibited. (259)

      The fifth prohibition, which addresses computer hacking, has three categories of offenses. The first category criminalizes knowingly causing a transmission that intentionally causes unauthorized damage to a protected computer. (260) The second offense category prohibits intentional access without authorization that recklessly causes damage. (261) The third offense category is similar to the second but has a strict liability standard for damage resulting from the unauthorized access. Damage under the statute is "any impairment to the integrity or availability of data, a program, a system, or information." (262)

      The CFAA's sixth prohibition bars knowingly trafficking in passwords, or information that similarly facilitates unauthorized access, with intent to defraud. (263) The trafficking must either affect interstate commerce or relate to unauthorized access of a government computer. (264) Finally, the CFAA makes it illegal to transmit in interstate or foreign commerce any threat against a protected computer with intent to extort something of value. (265) Threats against protected computers only violate the CFAA if they are intended to extort individuals. (266)

      (3). Penalties

      The CFAA punishes an attempt to commit an offense as though the offense had been successfully carried out. (267) A repeat offender of the CFAA can receive an enhanced sentence even if she commits a different type of computer fraud and violates a different CFAA section. (268) Conviction includes any conviction under state law with a punishment of more than one year if the elements include unauthorized access, or exceeding authorized access, to a computer. (269) Repeat offenders may receive much tougher sentences. Maximum sentences under subsections (a)(2), (a)(3), (a)(4), (a)(5)(B), (a)(6), and (a)(7) rise to ten years for recidivists. (270) The maximum sentence goes up to twenty years for repeat offenders who obtain national security information or intentionally or recklessly damage a protected computer. (271)

      The CFAA differentiates between conduct that involves improper access and conduct in which the defendant uses access for pernicious purposes. It does so by increasing the maximum prison sentence for first-time violations of the CFAA to five years if the crime was committed for financial gain or commercial advantage, in furtherance of a criminal or tortious act, or if the value of the information obtained exceeds $5,000. (272)

      The Guidelines set the base offense level for obtaining national security information at thirty-five if the unlawfully accessed national defense information is top secret, and at thirty otherwise. (273) The offense levels for violations of the rest of the CFAA, except subsection (a)(3), are largely dependent on the value of the loss suffered. Subsections (a)(2), (a)(4), (a)(5), and (a)(6) are covered by the theft, property, and fraud guideline. (274) The trespass guideline covers subsection (a)(3), (275) and the extortion guideline covers subsection (a)(7). (276) Additionally, an enhancement may be applied for "use of special skill." (277)

    3. Proposed Reform

      The CFAA has attracted criticism as being overbroad and outdated. In June 2013, the US House of Representatives introduced a reform bill, titled "Aaron's Law" after Aaron Swartz, who committed suicide in January 2013 while facing charges under the CFAA. The bill would have removed the term "exceeds authorized access" and defined "[access] without authorization" as "obtain information on a protected computer; that the accessor lacks authorization to obtain; by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information." (278) Under this definition, a breach of terms of service or an employer's acceptable use policy would not be a violation. In an effort to reduce punishments, the bill also removes [section] 1030(a)(4) to prevent defendants from being charged separately under duplicative provisions and lessens punishment for first-time offenders. (279)

      Internet privacy advocates such as the Electronic Frontier Foundation have hailed Aaron's Law as "much-needed reform," though noting that "it doesn't go as far as [they] would like." (280) Others have expressed concerns that Aaron's Law "would make it effectively impossible to use the CFAA to prosecute, or to bring civil suits based on, insider thefts of intellectual property or other proprietary business information." (281)

      Aaron's Law was referred to the U.S. House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations but was not considered by the 113th Congress. (282)

  2. Copyright Infringement

    U.S. copyright law seeks to protect authors' rights and to encourage creative development to benefit the public. (283) While most copyright cases are civil, (284) certain copyright violations incur criminal liability. (285) Copyright violations of digital media presents unique challenges to law enforcement (286) because of the varying piracy methods, (287) the ease (288) and minimal cost of reproduction, (289) and the minimal degradation (if any) in the quality of pirated media. (290) The difficulty of detection exacerbates the problem of electronic infringement. (291)

    1. Criminal Copyright Infringement in the Copyright Act

      Criminal copyright offenses are set forth in 17 U.S.C. [section] 506, while punishment for violations is addressed in 18 U.S.C. [section] 2319. (292)

      1. Provisions

        To succeed in a claim for criminal copyright infringement, a prosecutor must prove that: (293) (i) a valid copyright existed; (294) (ii) the defendant infringed on the copyright; (iii) the infringement was willful; and (iv) the defendant either: (1) acted for commercial advantage or private financial gain; (295) (2) reproduced or distributed infringing copies of works with a total retail value of more than $1000 over a 180-day period; or (3) distributed a work being prepared for commercial distribution by making it available on a publicly-accessible computer network, if the defendant knew or should have known that the work was intended for commercial distribution. (296)

        Section 506 addresses only willful copyright infringement. (297) Most jurisdictions have interpreted "willfulness" to require the intentional violation of a known legal duty. (298) The Second Circuit, however, has "suggested that a lower standard of 'willfulness' may support criminal prosecution." (299) Commentators are divided as to whether the Second Circuit's approach to willfulness in Backer constitutes a true circuit split; however, recent civil copyright cases suggest that the Second Circuit interprets willfulness to require either actual knowledge that an infringement violated copyright law or "constructive knowledge" demonstrated by reckless disregard for whether an infringement violated copyright law. (300)

      2. Defenses

        Some courts require the government to prove as an element of the offense that the infringement was not permissible under the first sale doctrine, (301) which allows an individual who legally purchases a copy of a copyrighted work to freely distribute that particular copy. (302) Generally, however, the first sale doctrine may be raised as an affirmative defense, and the defendant bears the burden of proving that the doctrine applies. (303)...

To continue reading