Congress centralized computer crimes under one statute in 1984 with the passage of the “Counterfeit Access Device and Computer Fraud and Abuse Act.” The intention was to have a tool to prosecute computer-related crimes under the rubric of one statute.
The Act (also called CFAA, for “Computer Fraud and Abuse Act”) was broadened in 1996 to apply to all computers used in interstate commerce, foreign commerce, and foreign communication. Essentially, then, every computer in America connected to the internet can fall under the Act. The Act also allows civil actions for compensatory damages and equitable relief in some situations. 18 U.S.C.A. §1030(g).
In 2002, Congress passed the Cyber Security Enhancement Act, which amended the CFAA to increase the statutory penalties associated with the Act. The scope and reach of enforcement in this area are, to say the least, extensive. It seems clear that many citizens are not fully aware of either the power of the current computer statutes or the case law holdings in this area. This is an area of the law that deserves wider scrutiny and awareness.
18 U.S.C.A. §1030(a)(1) has been referred to as the “computer espionage statute.” It was intended to prevent knowing access of government computers to obtain classified information. It is a felony to knowingly access a computer without authorization, or to exceed the scope of such authorization if it existed, “with reason to believe that such information could be used to the injury of the United States, or to the advantage of any foreign nation.” A person must (a) have reason to believe that the information so obtained would harm the U.S. or be of advantage to a foreign nation, and (b) either willfully send such information to an unauthorized person or willfully retain such information and fail to deliver it to the U.S. Significantly, the Second and Ninth Circuits have held that the government is not required to prove that the defendant intentionally caused damage, but only that a defendant intentionally accessed the computer. U.S. v. Morris, 928 F.2d 504 (2nd Cir. 1991); U.S. v. Sablan, 92 F.3d 865 (9th Cir. 1996).
18 U.S.C.A. §1030(a)(2) was intended to protect the confidentiality of computer data. In an age where hackers can expose people’s personal information, there was held to be a need for such a subsection in the CFAA. Under this subsection, it is a crime to (a) obtain information contained in financial institutions or reporting companies; (b) obtain information from any department or agency of the government; or (c) obtain information from any protected computer if the conduct involves interstate or foreign commerce. A person must first deliberately (as opposed to accidentally or inadvertently) access a computer and then obtain the information.
18 U.S.C.A. §1030(a)(3) prohibits unauthorized access of government computers. Any unauthorized access of a government computer can theoretically trigger a violation of this subsection. If the government does not exclusively use a computer (i.e., if it is a shared computer), then the access is wrong only if the access “adversely affects the use of the government’s operation of such computer.”
18 U.S.C.A. §1030(a)(4) is the “computer fraud” statute. It is a crime to access and fraudulently use a protected computer to obtain something valued at more than $5000 in any one-year period. The intention here was to protect computers from hackers who break into computers and use them to commit multiple frauds. There is a requirement of showing an intent to defraud under this subsection.
18 U.S.C.A. §1030(a)(6) governs the trafficking in computer passwords. It is unlawful to traffic (i.e., exchange, sell, distribute, or market) in passwords or similar information through which a government computer may be accessed without authorization. Finally, subsection (a)(7) of the same statute prohibits computer extortion. It prohibits any attempt to extort money or other things of value using a computer. It also covers interstate or international sending of threats against computers or networks.
Defenses to these statutes have been developed by case law. It is apparently a defense to a charge of accessing a protected computer that a person did not obtain anything of value. U.S. v. Czubinski, 106 F.3d 1069, 1079 (1st Cir. 1997). Mere browsing of protected data was not enough, in this case, to sustain a conviction. The government must show, rather, that the information obtained was valuable as part of the defendant’s alleged fraudulent scheme. In addition, the damage from the unauthorized access must cause some injury, in the amount of at least $5000 over a one-year period, or lead to potential injury or a threat to public health or safety.
There are a variety of other statutes (at the federal level, at least forty) that govern computer crimes. This area of criminal law is, without doubt, one of the fastest growing (and fastest changing) and most “cutting edge.” The problems associated with the keeping of vast amounts of electronic data, emails, backup files, and other records ensure that this area of law will continue to be directly relevant to most people in a way that other types of criminal statutes are not.