The Computer Fraud and Abuse Act (CFAA) (See 18 U.S.C. § 1030) is a law that, generally, prohibits intentionally accessing a computer without authorization (or exceeding authorized access) and obtaining information from a protected computer.
Because of the manner in which it was written and interpreted, the CFAA governs much of our regular online activity. As summarized above, the CFAA prohibits intentional access of a computer “without authorization” or “exceeding authorized access” to obtain information from a “protected computer.” Each of these elements allows the courts sweeping discretion in applying the CFAA.
The first type of CFAA breach stems from intentionally accessing a protected computer “without authorization”.
“Congress did not define the phrase ‘without authorization,’ perhaps assuming that the words speak for themselves. The meaning, however, has proven to be elusive.” EF Cultural Travel BV v. Explorica, 274 F.3d 577, 582 n.10 (1st Cir. 2001).
This elusive nature of “without authorization” led the lower court in EF Cultural Travel BV to apply a vague “reasonable expectation” standard. The reasonable expectation standard defines access without authorization as access that is not “in line with the reasonable expectations” of the website owner and its users.
Other courts look to “intended function” to determine whether access was authorized. United States v. Morris, 928 F.2d 504, 510 (2d Cir. 1991). This approach mysteriously allows for a subjective analysis of a website’s intended function.
Perhaps the most sensible approach is found in LVRC Holdings LLC v. Brekka. The 9th Circuit held “that a person uses a computer ‘without authorization’ under [the CFAA] when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009).
Exceeding Authorized Access
The second type of CFAA breach arises when access to a protected computer “exceeds authorized access”.
Congress rather generously defines the term “exceeds authorized access” as “access[ing] a computer with authorization and . . . us[ing] such access to obtain or alter information in the computer that the accesser is not entitled . . . to obtain or alter.” 18 U.S.C. § 1030(e)(6).
These issues typically arise in the context of employer-employee relationships. In EF Cultural Travel BV, the Defendant, a former employee of the Plaintiff, was found to have exceeded his authorized access to the Plaintiff’s website by using his proprietary knowledge of the Plaintiff’s website (protected by a “broad confidentiality agreement prohibiting . . . disclosure of any information ‘which might reasonably be construed to be contrary to the interests of [the Plaintiff]'”) to assist in the development of a “web scraper” that made “wholesale use” of the Plaintiff’s information. EF Cultural Travel BV, 274 F.3d 577 at 583.
A protected computer is a computer used by a financial institution or the U.S. Government, or, more importantly, a computer affecting interstate commerce or communication. Because a protected computer is a computer affecting interstate communication, people using ordinary internet-connected personal computers (and mobile devices) can be subjected to prosecution under the CFAA due to the inherent interstate nature of normal internet communication.
In US v. Trotter, the Defendant argued that his former employer’s computer network was not a “protected computer” as set forth in 18 U.S.C. § 1030(e)(2)(B). The 8th Circuit rejected this claim and affirmed the Defendant’s conviction because the Defendant admitted, at a plea hearing, that his former employer’s network was connected to the internet. The Court used this admission to determine the computer network met the statutory definition of a “protected computer.” US v. Trotter, 478 F.3d 918, 921 (8th Cir. 2007); see also United States v. Walters, No. 05-15739, 2 (11th Cir. 2006) (“the internet is an instrumentality of interstate commerce”).
By contrast, in United States v. Kane, the Court determined that exploiting a software bug in a video poker machine does not constitute a CFAA breach because the video poker machine was not connected to the internet. Therefore, it did not qualify as a “protected computer” affecting interstate commerce or communication. Report & Recommendation of United States Magistrate Judge at 6, United States v. Kane, No. 2:11-cr-00022-MMD-GWF (D. Nev. Oct. 15, 2012). Though the video poker machine was likely a “computer” under the definition of the CFAA (see 18 U.S.C. § 1030(e)(1)), it was not a “protected computer.”
Specific Criminal Conduct
While the CFAA is written broadly, it also includes provisions prohibiting specific types of conduct such as:
- Computer espionage (See 18 U.S.C. § 1030(a)(1))
- Computer trespassing in private or public computers (See 18 U.S.C. § 1030(a)(2)-(3))
- Committing fraud with a computer (See 18 U.S.C. § 1030(a)(4))
- Distribution of malicious code (i.e., malware, spyware, and DDoS attacks) (See 18 U.S.C. § 1030(a)(5))
- Trafficking in passwords (See 18 U.S.C. § 1030(a)(6))
- Threats to damage a protected computer (See 18 U.S.C. § 1030(a)(7))
- And conspiracy or attempt to commit any of the specific criminal conduct described in Sections (a)(1)-(7) (See 18 U.S.C. § 1030(b))
The CFAA is mainly a criminal statute (evidenced by its location in Title 18 of the U.S. Code). However, it also includes a civil cause of action (See 18 U.S.C. § 1030(g)) that permits compensatory damages, injunctive and other equitable relief for any specific conduct described in 18 U.S.C. § 1030(a)-(b) if the conduct caused:
- Loss of at least $5,000 in value
- Impairment, or potential impairment, of the medical examination, diagnosis, treatment, or care to one or more persons
- Physical injury to any person
- A threat to public health or safety
- Damage affecting a computer used by or for an entity of the U.S. Government
- Damage affecting 10 or more protected computers during any 1-year period
Civil liability, under the CFAA, is subject to a 2-year statute of limitations.