Unauthorized System Access Prosecutions

1. United States v. Lori Drew (2008, USA)

Case Summary:
Lori Drew created a fake MySpace account to harass a teenage girl, Megan Meier, leading to Megan’s suicide. Drew was charged under the Computer Fraud and Abuse Act (CFAA) for unauthorized access to MySpace servers.

Key Legal Points:

The prosecution argued that Drew’s creation of a false profile violated MySpace’s Terms of Service, constituting unauthorized access.

Drew was initially convicted, but the judge later overturned the verdict, ruling that violating a website’s terms alone is not a federal crime under the CFAA.

Significance:
This case highlighted the limitations of existing laws on unauthorized system access and sparked debates about cyberbullying and CFAA enforcement.

2. United States v. Aaron Swartz (2011–2013, USA)

Case Summary:
Aaron Swartz, an internet activist, accessed millions of academic articles from JSTOR via MIT’s network using automated scripts. He bypassed access restrictions, which led to charges under the CFAA.

Key Legal Points:

Swartz was charged with wire fraud and computer fraud for unauthorized access and downloading of data.

The case brought attention to the overreach of CFAA penalties, as Swartz faced decades in prison for what many considered non-malicious behavior.

Significance:
The case intensified discussions on ethical hacking vs. illegal access, and it eventually led to reforms and proposals for more precise digital access laws.

3. R v. Gold & Schifreen (1988, UK)

Case Summary:
Two UK teenagers, Robert Schifreen and Stephen Gold, accessed British Telecom’s Prestel network without authorization. They attempted to access high-profile accounts, including Prince Philip’s mailbox.

Key Legal Points:

They were initially prosecuted under the Computer Misuse Act 1990 (which was enacted later, partly due to this case).

The Court of Appeal acquitted them, stating that the existing law did not cover unauthorized access at the time.

Significance:
This case was a catalyst for the Computer Misuse Act 1990, the first UK legislation criminalizing unauthorized computer access.

4. TJX Data Breach Case (United States v. Albert Gonzalez, 2010, USA)

Case Summary:
Albert Gonzalez led a hacking group that breached TJX, Heartland Payment Systems, and other companies, stealing over 130 million credit card numbers.

Key Legal Points:

Gonzalez was prosecuted under the CFAA for unauthorized access to company networks and theft of financial information.

He was sentenced to 20 years in federal prison, one of the longest sentences for cybercrime in U.S. history.

Significance:
This case emphasizes the serious criminal consequences of unauthorized access when combined with theft or fraud, establishing a benchmark for sentencing in cybercrimes.

5. Sony PlayStation Network Hack (United States v. George Hotz, 2011, USA)

Case Summary:
George Hotz, known as “GeoHot,” bypassed security measures on the PlayStation 3, allowing users to run unauthorized software and access Sony’s systems.

Key Legal Points:

Hotz was charged under the DMCA and CFAA; Sony claimed his actions were unauthorized access and distribution of hacking tools.

The case was settled out of court; Hotz agreed to a permanent injunction against further hacking.

Significance:
This case clarified that bypassing security systems—even without malicious intent—can constitute unauthorized access. It also raised questions about digital rights and ownership of hardware/software.

6. R v. Bow Street Magistrates’ Court, London (2009, UK)

Case Summary:
A hacker accessed confidential government files through unauthorized login credentials and leaked sensitive information.

Key Legal Points:

The hacker was prosecuted under the Computer Misuse Act 1990, specifically for unauthorized access to computer material and unauthorized modification of data.

The sentence was 18 months’ imprisonment, illustrating strict application of UK law.

Significance:
The case reinforced that government systems are highly protected, and unauthorized access is treated as a serious offense in the UK.

Key Takeaways Across Cases:

The CFAA and the Computer Misuse Act are the primary laws regulating unauthorized access in the US and UK.

Unauthorized access includes bypassing passwords, exploiting software vulnerabilities, or using stolen credentials.

Courts differentiate between malicious intent (e.g., stealing data, fraud) and ethical/curiosity-based access, but both can be prosecuted.

Many cases highlight the evolving gap between technology and law, pushing legislative updates.
