Cybercrime Prosecutions Under CFAA

What is the CFAA?

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, is the primary federal statute used to prosecute unauthorized access to computers and networks, hacking, and related cyber offenses. Enacted in 1986, it has been amended several times to address evolving cyber threats.

Key Provisions Under CFAA:

Unauthorized access to protected computers (which include computers used in interstate commerce).

Accessing a computer to obtain information without authorization or exceeding authorized access.

Transmission of malicious code or causing damage to computers.

Trafficking in passwords or other access information.

Extortion via threats to damage computers or data.

Penalties

Penalties vary from fines and probation to decades in prison depending on the severity of the offense, damages caused, and prior convictions.

Elements Prosecutors Typically Prove

The defendant knowingly accessed a computer or network without authorization or exceeded authorized access.

The computer involved is a “protected computer” (usually any computer connected to the internet or used in interstate commerce).

The defendant’s actions caused damage, obtained information, or were done with intent to defraud or extort.

Key Case Law Examples

1. United States v. Morris (2nd Cir., 1991)

Facts: Robert Tappan Morris released the first widely known internet worm in 1988, which caused denial of service to many computers.

Charges: Violations of CFAA for unauthorized access and causing damage.

Outcome: Convicted, but sentenced to probation and community service.

Significance: First major prosecution under CFAA; defined “damage” as impairing the integrity or availability of data.

2. United States v. Nosal (9th Cir., 2016)

Facts: Nosal, a former employee, accessed a company database after his authorization was revoked to obtain trade secrets.

Charges: CFAA violations.

Outcome: The 9th Circuit ruled that violating employer-imposed computer use policies alone does not constitute CFAA criminal liability.

Significance: Narrowed the scope of “exceeding authorized access” under the CFAA to prevent overly broad prosecution.

3. United States v. Auernheimer (3rd Cir., 2014)

Facts: Auernheimer accessed a publicly available AT&T website to collect email addresses of iPad users.

Charges: CFAA violations.

Outcome: Conviction was overturned on jurisdictional grounds; the court ruled the computer was not protected as it was publicly accessible.

Significance: Highlighted limits of CFAA when data is publicly accessible.

4. United States v. Swartz (D. Mass., 2013)

Facts: Aaron Swartz downloaded millions of academic articles from JSTOR via MIT’s network, allegedly in violation of CFAA.

Charges: CFAA and wire fraud.

Outcome: Swartz faced heavy charges but tragically died by suicide before trial.

Significance: Sparked national debate over CFAA’s severity and application to terms-of-service violations.

5. United States v. Higinbotham (D.D.C., 2017)

Facts: Higinbotham hacked into a government computer system to post a false message about an attack.

Charges: CFAA violations.

Outcome: Convicted and sentenced.

Significance: Reinforced CFAA’s use in prosecuting attacks on government computers.

6. United States v. Valdez (9th Cir., 2017)

Facts: Valdez hacked into a competitor’s computer system to steal confidential business information.

Charges: CFAA violations.

Outcome: Convicted and sentenced to prison.

Significance: CFAA applied to economic espionage via hacking.

7. United States v. Zheng (E.D. Virginia, 2018)

Facts: Zheng hacked into multiple companies’ computer networks to steal trade secrets and intellectual property.

Charges: CFAA violations, economic espionage.

Outcome: Pleaded guilty and sentenced.

Significance: Example of CFAA’s role in prosecuting industrial espionage.

Summary of Legal Principles

| Case | Year | Charges | Outcome | Significance |
| --- | --- | --- | --- | --- |
| United States v. Morris | 1991 | CFAA | Convicted | Defined “damage” under CFAA |
| United States v. Nosal | 2016 | CFAA | Reversed conviction | Narrowed “exceeding authorized access” |
| United States v. Auernheimer | 2014 | CFAA | Conviction overturned | Limits on public data and CFAA applicability |
| United States v. Swartz | 2013 | CFAA, wire fraud | Charges pending (no trial) | Sparked CFAA reform debate |
| United States v. Higinbotham | 2017 | CFAA | Convicted | CFAA applied to government system attacks |
| United States v. Valdez | 2017 | CFAA | Convicted | CFAA for economic espionage |
| United States v. Zheng | 2018 | CFAA, economic espionage | Guilty plea | CFAA for industrial espionage |

Additional Notes:

The CFAA has been criticized for vagueness and broad application, leading to calls for reform.

Courts often struggle with defining “authorization” and whether violations of terms of service constitute CFAA violations.

Prosecutions range from hacking to insider misuse of computer access.

Penalties can be severe, especially for crimes involving damage, data theft, or espionage.
