Computer Hacking Prosecutions In Us Law
1. Overview of Computer Hacking in U.S. Law
Computer hacking generally refers to unauthorized access to computer systems or networks, often to steal information, cause damage, or commit fraud. The U.S. legal framework includes criminal statutes targeting these offenses, primarily under the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030.
2. Relevant Statute: The Computer Fraud and Abuse Act (CFAA)
Enacted in 1986 and amended multiple times.
Makes it illegal to:
Access a computer without authorization or exceed authorized access.
Obtain classified or protected information.
Commit fraud or theft via computer systems.
Cause damage or impairment to computers or networks.
Penalties range from fines to decades in prison depending on the offense.
3. Elements of a CFAA Offense
Prosecutors must generally prove:
The defendant knowingly accessed a protected computer (generally any computer used in interstate commerce).
Access was without authorization or exceeded authorized access.
The defendant intentionally engaged in the conduct (fraud, data theft, damage, etc.).
The defendant’s actions caused loss or damage in certain cases.
4. Key Case Law Examples with Detailed Explanation
🔹 Case 1: United States v. Aaron Swartz (2013, SDNY)
Facts:
Aaron Swartz was charged with illegally downloading millions of academic articles from JSTOR via MIT’s network, allegedly exceeding authorized access.
Legal Issue:
Does accessing a computer network for unauthorized purposes constitute a crime under CFAA?
Holding:
Though Swartz pled not guilty and the case was eventually dropped posthumously, the prosecution's expansive interpretation of CFAA as criminalizing terms-of-service violations sparked public debate.
Significance:
Highlighted controversies about overbroad CFAA enforcement.
Raised questions about “exceeding authorized access” scope.
Influenced calls for reform of computer crime laws.
🔹 Case 2: United States v. Nosal (2012, 9th Cir.)
Facts:
Nosal convinced former employees to access their employer’s computers to obtain confidential data, violating company policy.
Legal Issue:
Does violating company policy or terms of use constitute "exceeding authorized access" under CFAA?
Holding:
The 9th Circuit ruled that violations of use restrictions alone do NOT constitute a CFAA violation.
Significance:
Narrowed CFAA application, focusing on unauthorized access rather than policy breaches.
Protected employees from criminal liability for misuse of access.
🔹 Case 3: United States v. Andrew Auernheimer (2014, 3rd Cir.)
Facts:
Auernheimer exploited a website flaw to collect thousands of email addresses without authorization.
Legal Issue:
Was the collection of publicly accessible data a CFAA violation?
Holding:
Auernheimer’s conviction was overturned due to improper venue, but the case highlighted debates on what constitutes unauthorized access when data is publicly accessible.
Significance:
Questioned limits of CFAA regarding public vs. private data.
Sparked discussion on criminalizing scraping or data collection.
🔹 Case 4: United States v. Morris (1991, 2nd Cir.)
Facts:
Robert Tappan Morris created one of the first internet worms, causing widespread damage.
Legal Issue:
Did Morris’s intentional creation and release of a damaging worm violate CFAA?
Holding:
Yes. The court affirmed conviction for knowingly causing damage without authorization.
Significance:
Landmark case establishing criminal liability for malicious code release.
Set precedent for handling cyber-attacks under CFAA.
🔹 Case 5: United States v. Lori Drew (2009, Central District of California)
Facts:
Drew created a fake MySpace account to cyberbully a teen who later committed suicide.
Legal Issue:
Did creating a fake account violate CFAA?
Holding:
The jury convicted Drew of violating CFAA by accessing MySpace with false information, but the conviction was later overturned.
Significance:
Raised questions about criminalizing deceptive access.
Led to critique of broad CFAA use against social media misconduct.
🔹 Case 6: United States v. Collins (2010, 11th Cir.)
Facts:
Collins hacked into his ex-girlfriend’s email and Facebook accounts without authorization.
Legal Issue:
Did unauthorized access to personal online accounts constitute a CFAA violation?
Holding:
Yes. The court upheld conviction under CFAA for unauthorized access and obtaining information.
Significance:
Confirmed CFAA applicability to personal accounts and social media hacking.
Supported prosecution of cyberstalking and harassment via hacking.
🔹 Case 7: United States v. Valle (2015, 2nd Cir.)
Facts:
A police officer accessed law enforcement databases without authorization for personal reasons.
Legal Issue:
Does accessing a government database without legitimate purpose violate CFAA?
Holding:
Yes. The court ruled misuse of authorized access for unauthorized purposes violates CFAA.
Significance:
Emphasized that authorized access does not permit unauthorized uses.
Applied CFAA to misuse by insiders.
5. Legal Doctrines and Interpretations
| Doctrine | Explanation |
|---|---|
| Unauthorized Access | Access without any permission or exceeding permission |
| Exceeding Authorized Access | Accessing areas or data beyond one’s authorized scope |
| Use Restrictions vs. Access | Violating use policies is distinct from unauthorized access (Nosal ruling) |
| Loss or Damage | Criminal liability often requires proving damage or financial loss |
| Intent | Must knowingly access without authorization, reckless or negligent access may suffice in some cases |
6. Conclusion
Computer hacking prosecutions under the CFAA and related statutes aim to combat cybercrime, but courts have increasingly scrutinized the scope and application of “unauthorized access” to avoid overcriminalization. Cases range from traditional hacking and malware distribution to insider misuse and social media deception, highlighting the complexity of cyber law enforcement.
RELATED Blog
0 comments