FEBRUARY 23, 2017
115TH CONGRESS 1ST SESSION
To amend title 18, United States Code, to provide a defense to prosecution
for fraud and related activity in connection with computers for persons
defending against unauthorized intrusions into their computers, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
Mr. GRAVES of Georgia introduced the following bill; which was referred to the Committee on
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ‘‘Active Cyber Defense Certainty Act’’.
SEC. 2. EXCLUSION FROM PROSECUTION FOR CERTAIN COMPUTER CRIMES FOR THOSE TAKING ACTIVE CYBER DEFENSE MEASURES.
Section 1030 of title 18, United States Code, is amended by adding at the end the following:
‘‘(k) CYBER DEFENSE MEASURES NOT A VIOLATION
.—It is a defense to a prosecution under this section that the conduct constituting the offense was an active cyber defense measure.
.—In this subsection—
‘‘(A) the term ‘victim’ means an entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer;
‘‘(B) the term ‘active cyber defense measure’—
‘‘(i) means any measure—
‘‘(I) undertaken by, or at the direction of, a victim; and
‘‘(II) consisting of accessing without authorization the computer of the attacker to the victim’s own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network; but
‘‘(ii) does not include conduct that—
‘‘(I) destroys the information stored on a computer of another;
‘‘(II) causes physical injury to another person; or
‘‘(III) creates a threat to the public health or safety; and
‘‘(C) the term ‘attacker’ means a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer.’’.
1. Computer Fraud and Abuse Act
Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1125 (W.D. Wash. 2000);
Ervin & Smith Advertising and Public Relations, Inc. v. Ervin, 2009 WL 249998 (D. Neb. 2009). Some of these cases further suggest that such a breach can occur when the user decides to access the computer for a purpose that is contrary to the interests of the authorizing party.
See, e.g., Citrin, 440 F.3d at 420 (defendant’s authorization to access computer terminated when he resolved to destroy employer’s files);
ViChip Corp. v. Lee, 438 F. Supp. 2d 1087, 1100 (N.D. Cal. 2006) (same); NCMIC Finance Corp. v. Artino, 638 F. Supp. 2d 1042, 1057 (S.D. Iowa 2009) (“[T]he determinative question is whether Artino breached his duty of loyalty to NCMIC when Artino obtained information from NCMIC’s computers.”).
The Citrin/Shurgard line of cases has been criticized by courts adopting the view that, under the CFAA, an authorized user of a computer cannot access the computer “without authorization” unless and until the authorization is revoked. Most significantly, the Ninth Circuit recently rejected Citrin’s interpretation of “without authorization” and found that, under the plain language of the CFAA, a user’s authorization to access a computer depends on the actions of the authorizing party and not on the user’s duty of loyalty.
See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133-34 (9th Cir. 2009) (“It is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or ‘without authorization.’”). The court also suggested that Citrin’s reading of the CFAA is inconsistent with the rule of lenity, which requires courts to construe any ambiguity in a criminal statute against the government. Id. at 1134-35. The court then held that “a person uses a computer ‘without authorization’ . . . when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” Id. at 1135.
F.3d 418 (7th Cir. 2006) (“Plaintiffs do not assert that Citrin accessed a computer without authorization.”). After analyzing the § 1030(a)(5)(A)(i) claim that plaintiff actually alleged, the Seventh Circuit then opined that the defendant had also violated § 1030(a)(5)(A)(ii) (now § 1030(a)(5)(B)), which did require that the defendant access a computer without authorization. See Citrin, 440 F.3d at 420. The court appears to have been discussing this hypothetical § 1030(a)(5)(A)(ii) claim when it stated that an employee could lose authorization to access his employer’s computer by breaching a duty of loyalty to the employer.
Prosecuting Computer Crimes
Several district courts have also recently moved away from the Citrin/Shurgard view that a user can lose authorization to access a computer by breaching a duty of loyalty to the authorizing party.
See, e.g., Bell Aerospace Services, Inc. v. U.S. Aero Services, Inc., 690 F. Supp. 2d 1267 (M.D. Ala. 2010);
U.S. Bioservices v. Lugo, 595 F. Supp. 2d 1189 (D. Kan. 2009);
Losco Foods v. Hall & Shaw Sales, 600 F. Supp. 2d 1045 (E.D. Mo. 2009);
Bro-Tech Corp. v. Thermax, Inc., 651 F. Supp. 2d 378, 407-08 (E.D. Pa. 2009);
Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 964-967 (D. Ariz. 2008);
Diamond Power Int’l, Inc. v. Davidson, 540 F. Supp. 2d 1322, 1342 (N.D. Ga. 2007);
B&B Microscopes v. Armogida, 532 F. Supp. 2d 744, 758 (W.D. Pa. 2007);
Lockheed Martin Corp. v. Speed, 2006 WL 2683058, at *4 (M.D. Fla. 2006). These courts, like the Ninth Circuit, generally hold that an authorized computer user can never access the computer “without authorization” unless and until the authorization is rescinded.
See, e.g., Shamrock Foods, 535 F. Supp. 2d at 967 (“[A] violation for accessing ‘without authorization’ occurs only where initial access is not permitted.”).
Based on this recent case law, courts appear increasingly likely to reject the idea that a defendant accessed a computer “without authorization” in insider cases—cases where the defendant had some current authorization to access the computer. Accordingly, prosecutors should think carefully before charging such defendants with violations that require the defendants to access a computer “without authorization” and instead consider bringing charges under those subsections that require proof that the defendant exceeded authorized access.
Exceeding Authorized Access
Several provisions of the CFAA impose criminal liability on a defendant who, among other things, “exceeds authorized access” when accessing a computer. See 18 U.S.C. §§ 1030(a)(1), (a)(2), & (a)(4). The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. §1030(e)(6). Accordingly, to prove that someone has “exceeded authorized access,” prosecutors should be prepared to present evidence showing (a) how the person’s authority to obtain or alter information on the computer was limited, rather than absolute, and (b) how the person exceeded those limitations in obtaining or altering information.
“Viewing material on a computer screen constitutes ‘obtaining’ information under the CFAA.” Healthcare Advocates, Inc. v. Harding, Earley, Follmer & Frailey, 497 F. Supp. 2d 627, 648 (E.D. Pa. 2007) (citing legislative history for CFAA).
It is relatively easy to prove that a defendant had only limited authority to access a computer in cases where the defendant’s access was limited by restrictions that were memorialized in writing, such as terms of service, a computer access policy, a website notice, or an employment agreement or similar contract.
See, e.g., EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003) (website notices); Cont’l Group, Inc. v. KW Prop. Mgmt., LLC, 622 F. Supp. 2d 1357, 1372 (S.D. Fla. 2009) (computer access policies); United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009) (website terms of service); Modis, Inc. v. Bardelli, 531 F. Supp. 2d 314, 319 (D. Conn. 2008) (employment agreement);
Hewlett-Packard Co. v. Byd:Sign, Inc., 2007 WL 275476, at *13 (E.D. Tex. 2007) (confidentiality agreement); Am. Online, Inc. v. Nat’l Health Care Discount, Inc., 174 F. Supp. 2d 890, 899 (N.D. Iowa 2001) (email terms of service). In addition, password protection is an implicit (and technological) limit on access for otherwise authorized users who are not given the password.
See EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003). However, courts have split on the question of whether limits on authorized access can be reasonably inferred from the circumstances in cases where no explicit or implicit restrictions on access existed.
Compare EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003) (rejecting “reasonable expectations” test for lack of authorization), with United States v. Phillips, 477 F.3d 215, 219 (5th Cir. 2007) (“Courts have . . . typically analyzed the scope of a user’s authorization to access a protected computer on the basis of the expected norms of intended use or the nature of the relationship established between the computer owner and the user.”).
The most commonly litigated issue about “exceeding authorized access” in reported opinions is whether a particular defendant exceeded authorized access by accessing the computer for an improper purpose. Although United States v. Drew confirms that the government may rely on a website’s terms of service to establish that a website user exceeded her authorization to access the site, the district court also held in that case that the CFAA is unconstitutionally vague to the extent that it permits a defendant to be charged with a misdemeanor violation of § 1030(a)(2)(C) based on a conscious violation of a website’s terms of service. 259 F.R.D. 449, 464 (C.D. Cal. 2009) (“[I]f any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law ‘that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].’”).
Note that one author argues that the law would be better off if all “unauthorized access” cases were based only on code-based restrictions, arguing that “contract-based” restrictions are harder to define. Orin S. Kerr, “Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes,” 78 N.Y.U. L. Rev. 1596 (2003). However, this proposal would essentially read “exceeding authorized access” out of the statute, which the author generally acknowledges. Id. at 1662-63.
issues are difficult to untangle, but this argument generally arises in one of three contexts: (1) the authorizing party has expressly prohibited the defendant from accessing the computer for the improper purpose; (2) the authorizing party has expressly prohibited the defendant from using the authorizing party’s data for the improper purpose but did not condition the defendant’s computer access on compliance with this prohibition; and (3) the authorizing party did not expressly prohibit the defendant from using its data for the improper purpose, but the defendant was acting against the authorizing party’s interests.
The first category of cases is the least controversial. Because the authorizing party explicitly imposed a purpose-based limitation on the defendant’s computer access, a defendant exceeds authorized access when he accesses the computer for an expressly forbidden purpose.
See, e.g., United States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (“Access to a computer and data that can be obtained from that access may be exceeded if the purposes for which the access has been given are exceeded.”);
Cont’l Group, Inc. v. KW Prop. Mgmt., LLC, 622 F. Supp. 2d 1357, 1372 (S.D. Fla. 2009) (computer access policies stated that computers were provided “for business use” and were “to be used solely for the [authorizing party’s] purposes”); United States v. Salum, 257 Fed. Appx. 225, 227 (11th Cir. 2007) (officers could access NCIC system only for official business of criminal justice agency);
Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238, 242-43, 248 (S.D.N.Y. 2000), aff’d, 356 F.3d 393 (2d Cir. 2004) (in order to submit query to website, users must agree not to use responsive data for direct marketing activities);
United States v. Czubinski, 106 F.3d 1069, 1071 (1st Cir. 1997) (“[IRS] employees may not use any Service computer system for other than official purposes.”).
It may be more difficult to prove that a defendant exceeded authorized access in the second category of cases. In these cases, the authorizing party has expressly prohibited the defendant from using the authorizing party’s data for certain purposes, but it did not condition the defendant’s computer access on compliance with this prohibition. For example, the defendant might have signed a confidentiality agreement in which he agreed not to use the authorizing party’s information for personal gain, but the agreement did not specifically prohibit the defendant from accessing the authorizing party’s computer for that purpose. In essence, the authorizing party has explicitly limited the defendant’s authorization to use information that he might find on the computer, but it has not imposed the same purpose-based limitations on the defendant’s authorization to obtain or alter that information. The CFAA provides that a defendant “exceeds authorized access” when he “obtain[s] or alter[s] information in the computer that [he] is not entitled so to obtain or alter,” 18 U.S.C. § 1030(e)(6), but it does not discuss using the information in an unauthorized way. Because of this statutory language, several courts have concluded that defendants did not “exceed authorized access” when they were permitted to obtain certain information from the computers, but then used that information for a specifically forbidden purpose.
See, e.g., Brett Senior & Assocs, P.C. v. Fitzgerald, 2007 WL 2043377, at *4 (E.D. Pa. 2007) (defendant permissibly copied data from computer but then allegedly used data in a way that violated his employment contract); Int’l Ass’n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 498-99 (D. Md. 2005) (defendant was authorized to access data on proprietary website but then violated agreement not to use the data for certain purposes). However, at least one circuit has upheld an “exceeding authorized access” claim in this context.
See EF Cultural Travel BV v. Explorica, 274 F.3d 577, 582-83 (1st Cir. 2001) (defendant exceeded authorized access by disclosing computer data in violation of confidentiality agreement).
The third and final category of “improper purposes” cases is arguably the most controversial. In these cases, the defendant accessed the computer within the limits of his authorization but used the computer for a purpose that was contrary to the implicit interests or intent of the authorizing party.
The case law is divided on whether these facts are sufficient to establish that the defendant exceeded authorized access. Some courts have concluded that the improper purpose, without more, establishes that the defendant exceeded authorized access.
See, e.g., Motorola, Inc. v. Lemko Corp., 609 F. Supp. 2d 760, 767 (N.D. Ill. 2009) (“Allegations that an employee e-mailed and downloaded confidential information for an improper purpose are sufficient to state a claim that the employee exceeded her authorization.”). These cases typically rely on the reasoning set forth in Citrin, 440 F.3d at 420-21, which is discussed in more detail in the previous subsection.
However, a number of recent civil cases have rejected the idea that users can exceed authorized access within the meaning of section 1030(e)(6) when they access information that they are authorized to access, even if their access is motivated by an implicitly improper purpose.
See, e.g., LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 n.7 (9th Cir. 2009) (stating in dicta that defendant does not “exceed authorized access” under the CFAA when he breaches a duty of loyalty to authorizing party);
Bell Aerospace Services, Inc. v. U.S. Aero Services, Inc., 690 F. Supp. 2d 1267 (M.D. Ala. 2010);
Orbit One Communications, Inc. v. Numerex Corp., 652 F. Supp. 2d 373 (S.D.N.Y. 2010);
National City Bank v. Republic Mortgage Home Loans, 2010 WL 959925 (W.D. Wash. 2010);
RedMedPar, Inc. v. Allparts Medical, LLC, 683 F. Supp. 2d 605 (M.D. Tenn. 2010);
U.S. Bioservices Corp. v. Lugo, 595 F. Supp. 2d 1189, 1192 (D. Kan. 2009) (collecting cases);
Jet One Group, Inc. v. Halcyon Jet Holdings, Inc., 2009 WL 2524864, at *5-6 (E.D.N.Y. 2009);
Brett Senior & Assocs, P.C. v. Fitzgerald, 2007 WL 2043377, at *4 (E.D. Pa. 2007).
B. Obtaining National Security Information: 18 U.S.C. §1030(a)(1)
The infrequently-used section 1030(a)(1) punishes the act of obtaining national security information without or in excess of authorization and then willfully providing or attempting to provide the information to an unauthorized recipient, or willfully retaining the information.
Any steps in investigating or indicting a case under section 1030(a)(1) require the prior approval of the National Security Division of the Department of Justice, through the Counterespionage Section. See USAM 9-90.020. Please contact them at (202) 514-1187.
Title 18, United States Code, Section 1030(a)(1) provides:
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it . . . shall be punished as provided in subsection (c) of this section.
1030(a)(1) Summary (Felony)
1. Knowingly access computer without or in excess of authorization
2. Obtain national security information
3. Reason to believe the information could injure the U.S. or benefit a foreign nation, willful communication, delivery, transmission (or attempt) OR willful retention of the information
1. Knowingly Access a Computer Without or In Excess of Authorization
A violation of this section requires proof that the defendant knowingly accessed a computer without authorization or in excess of authorization. This covers both completely unauthorized individuals who intrude into a computer containing national security information as well as insiders with limited privileges who manage to access portions of a computer or computer network to which they have not been granted access. The scope of authorization will depend upon the facts of each case. However, it is worth noting that computers and computer networks containing national security information will normally be classified and incorporate security safeguards and access controls of their own, which should facilitate proving this element.
Please see page 5 for the discussion of access and authorization.
2. Obtain National Security Information.
A violation of this section requires that the information obtained is national security information, meaning information “that has been determined by the United States Government pursuant to an Executive Order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954.” An example of national security information used in section 1030(a)(1) would be classified information obtained from a Department of Defense computer or restricted data obtained from a Department of Energy computer.
3. Information Could Injure the United States or Benefit a Foreign Nation.
A violation of this section requires proof that the defendant had reason to believe that the national security information so obtained could be used to the injury of the United States or to the advantage of any foreign nation. The fact that the national security information is classified or restricted, along with proof of the defendant’s knowledge of that fact, should be sufficient to establish this element of the offense.
4. Willful Communication, Delivery, Transmission, or Retention
A violation of this section requires proof that the defendant willfully communicated, delivered, or transmitted the national security information, attempted to do so, or willfully retained the information instead of delivering it to the intended recipient. This element could be proven through evidence showing that the defendant did any of the following:
(a) communicated, delivered, or transmitted national security information, or caused it to be communicated, delivered, or transmitted, to any person not entitled to receive it; (b) attempted to communicate, deliver, or transmit national security information, or attempted to cause it to be communicated, delivered, or transmitted to any person not entitled to receive it; or (c) willfully retained national security information and failed to deliver it to an officer or employee of the United States who is entitled to receive it in the course of their official duties.
5. Penalties
Convictions under this section are felonies punishable by a fine, imprisonment for not more than ten years, or both. 18 U.S.C. §1030(c)(1)(A). A violation that occurs after another conviction under section 1030 is punishable by a fine, imprisonment for not more than twenty years, or both. 18 U.S.C. §1030(c)(1)(B).
6. Relation to Other Statutes
Section 1030(a)(1) was originally enacted in 1984 and was substantially amended in 1996. As originally enacted, section 1030(a)(1) provided that anyone who knowingly accessed a computer without authorization or in excess of authorization and obtained classified information “with the intent or reason to believe that such information so obtained is to be used to the injury of the United States, or to the advantage of any foreign nation” was subject to a fine or imprisonment for not more than ten years for a first offense. This scienter element mirrored that of 18 U.S.C. §794(a), the statute that prohibits gathering or delivering defense information to aid a foreign government. Section 794(a), however, provides for life imprisonment, whereas section 1030(a)(1) is only a ten-year felony. Based on that distinction, Congress amended section 1030(a)(1) in 1996 to track more closely the language of 18 U.S.C. §793(e), which also provides a maximum penalty of ten years imprisonment for obtaining from any source certain information connected with the national defense and thereafter communicating or attempting to communicate it in an unauthorized manner.
Violations of this subsection are charged quite rarely. The reason for this lack of prosecution may well be the close similarities between sections 1030(a)(1) and 793(e). In situations where both statutes are applicable, prosecutors may tend towards using section 793(e), for which guidance and precedent are more prevalent.
Although sections 793(e) and 1030(a)(1) overlap, the two statutes do not reach exactly the same conduct. Section 1030(a)(1) requires proof that the individual knowingly accessed a computer without or in excess of authority and thereby obtained national security information, and subsequently performed some unauthorized communication or other improper act with that data. In this way, it focuses not only on the possession of, control over, or subsequent transmission of the information (as section 793(e) does), but also focuses on the improper use of a computer to obtain the information itself. Existing espionage laws such as section 793(e) provide solid grounds for the prosecution of individuals who attempt to peddle governmental secrets to foreign governments. However, when a person, without authorization or in excess of authorized access, deliberately accesses a computer, obtains national security information, and seeks to transmit or communicate that information to any prohibited person, prosecutors should consider charging a violation of section 1030(a)(1) in addition to considering charging a violation of section 793(e).
One other issue to note is that section 808 of the USA PATRIOT Act added section 1030(a)(1) to the list of crimes that are considered “Federal Crime[s] of Terrorism” under 18 U.S.C. §2332b(g)(5)(B). This addition affects prosecutions under section 1030(a)(1) in three ways. First, because offenses listed under section 2332b(g)(5)(B) are now incorporated into 18 U.S.C. §3286, the statute of limitation for subsection (a)(1) is extended to eight years and is eliminated for offenses that result in, or create a foreseeable risk of, death or serious bodily injury to another person. Second, the term of supervised release after imprisonment for any offense listed under section 2332b(g)(5)(B) that results in, or creates a foreseeable risk of, death or serious bodily injury to another person, can be any term of years or life. 18 U.S.C. §3583. Formerly, the maximum term of supervised release for any violation of section 1030 was five years. Third, the USA PATRIOT Act added the offenses listed in section 2332b(g)(5)(B) to 18 U.S.C. §1961(1), making them predicate offenses for prosecutions under the Racketeer Influenced and Corrupt Organizations (RICO) statute. As a result, any “RICO enterprise” (which may include terrorist groups) that violates section 1030(a)(1) (or section 1030(a)(5)(A)) can now be prosecuted under the RICO statute.
C. Accessing a Computer and Obtaining Information: 18 U.S.C. §1030(a)(2)
The distinct but overlapping crimes established by the three subsections of section 1030(a)(2) punish the unauthorized access of different types of information and computers. Violations of this section are misdemeanors unless aggravating factors exist. Title 18, United States Code, Section 1030(a)(2) provides:
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of
1030(a)(2) Summary (Misd.)
1. Intentionally access a computer
2. Without or in excess of authorization
3. Obtain information
4. From financial records of financial institution or consumer reporting agency OR the U.S. government OR a protected computer
(Felony)
5. Committed for commercial advantage or private financial gain OR committed in furtherance of any criminal or tortious act OR the value of the information obtained exceeds $5,000
The Computer Fraud and Abuse Act, also known as the CFAA, is the federal anti-hacking statute that prohibits unauthorized access to computers and networks.
In 1984, the world was just emerging from its digital Dark Age. CompuServe, the world’s first commercial email provider, was still trying to interest users in its fledgling service, and computer viruses and worms were still largely the stuff of engineering-school pranks. But even through the foggy haze of the internet’s early days, lawmakers saw clearly the importance that computers and computer crime would have on society. That’s when Congress enacted the Computer Fraud and Abuse Act, also known as the CFAA. The federal anti-hacking statute prohibits unauthorized access to computers and networks and was enacted to expand existing criminal laws to address a growing concern about computer crimes. But lawmakers wrote the law so poorly that creative prosecutors have been abusing it ever since.
The law, which went into effect in 1986, was passed just in time to be used to convict Robert Morris, Jr., the son of an NSA computer security worker, who unleashed the world’s first computer worm in 1988. Since then, it has been wielded thousands of times to convict high-profile hackers and low-level criminals alike. But as computer crimes have expanded and increased, so have prosecutors’ use and interpretation of the law, stretching it far beyond what it was originally intended to cover. And in 1994 the law moved beyond criminal matters with an amendment that allowed civil actions to be brought under the statute as well. This opened the way for corporations to bring lawsuits for unauthorized access against workers who steal company secrets.
Calls for reform
There have been many calls over the years to reform the CFAA, due to the overzealous nature of prosecutors who have used it—some would say abused it—to charge conduct that critics say does not constitute a true computer crime.
One case in particular was the prosecution of Lori Drew, a then-49-year-old mother who was charged in 2008 for using a fake MySpace profile to cyberbully a teenage girl. Drew was charged with conspiring with her daughter and her daughter’s friend to create the fake MySpace page of a boy in order to draw 13-year-old Megan Meier into an online friendship with the nonexistent boy, then humiliate her. Meier committed suicide, resulting in a public outcry to punish Drew for cyberbullying. But because there was no federal statute against cyberbullying at the time, federal prosecutors adopted a novel interpretation of the CFAA. They charged Drew with “unauthorized access” to MySpace’s computers for creating a fake MySpace account in violation of the web site’s terms of service. The web site’s user agreement required registrants to provide factual information about themselves when opening an account and to refrain from using information obtained from MySpace services to harass other people.
The prosecution turned what would normally have been a civil matter—breaching a contract—into a criminal matter. The case, if successful, would have potentially made a felon out of anyone who violated the terms of service of any website. Fortunately, although a jury convicted Drew (on lesser misdemeanor charges), the judge overturned the conviction on grounds that the government’s interpretation of the CFAA was “constitutionally vague” and overreached the bounds of the law.
Another case involving misuse of the statute also occurred in 2008 when three MIT students were barred from giving a presentation at the Def Con hacker conference. The students had found flaws in the electronic ticketing system used by the Massachusetts Bay Transportation Authority that would have allowed anyone to obtain free rides. The MBTA sought and obtained a temporary restraining order to bar the students from speaking about the flaws. In granting the temporary gag order, the judge invoked the CFAA, saying that information the students planned to present would provide others with the means to hack the system. The judge’s words implied that simply talking about hacking was the same as actual hacking. The ruling was publicly criticized, however, as an unconstitutional prior restraint of speech, and when the MBTA subsequently sought a court order to make the restraining order permanent, another judge rejected the request, ruling in part that the CFAA does not apply to speech and therefore had no relevance to the case.
A high-profile suicide
The most concerted effort to revise the CFAA came after a U.S. attorney used it to launch a heavy-handed prosecution against internet activist Aaron Swartz for what many considered a minor infraction. Swartz, who helped develop the RSS standard and was a cofounder of the advocacy group Demand Progress, was indicted after he gained entry to a closet at MIT and allegedly connected a laptop to the university’s network to download millions of academic papers that were distributed by the JSTOR subscription service. Swartz was accused of repeatedly spoofing the MAC address of his computer to bypass a block MIT had placed on the address he used. Although JSTOR did not pursue a complaint, the Justice Department pushed forward with prosecuting Swartz. U.S. Attorney Carmen Ortiz insisted that “stealing is stealing” and that authorities were just upholding the law.
Swartz, in despair over his pending trial and the prospect of a felony conviction, committed suicide in 2013. In response to the tragedy, two lawmakers proposed a long-overdue amendment to the law that would help prevent prosecutors from overreaching in their use of it. The amendment, referred to as Aaron’s Law, was introduced months after Swartz’s death by Rep. Zoe Lofgren (D-Calif.) and Sen. Ron Wyden (D-Oregon). The amendment would exclude breaches of terms of service and user agreements from the law and also narrow the definition of unauthorized access to make a clear distinction between criminal hacking activity and simple acts that exceed authorized access on a minor level. Instead, the amendment proposes to define unauthorized access as “circumventing one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering” information on a protected computer. The amendment also would make it clear that the act of circumvention would not include a user simply changing his MAC or IP address to gain access to a system.
“Taken together, the changes in this draft should prevent the kind of abusive prosecution directed at Aaron Swartz and would help protect other Internet users from outsized liability for everyday activity,” Lofgren wrote on Reddit when she announced the changes. The amendment, however, has withered in Congress and has so far failed to gather the support it needs to get passed.
“This reform only captured the attention of a small group of people. It’s not an issue that resonates with the public—at least yet,” Orin Kerr, professor of law at George Washington University Law School, told Forbes recently.
Some have attributed the amendment’s failure to lobbying on the part of corporations who use it to bring civil suits for theft of corporate secrets and don’t want to see it changed. Others say the problem is its association with Swartz, a figure some members of Congress don’t find sympathetic. Regardless, many say that reform of the CFAA is inevitable; it’s just a question of which case will finally force it to occur.
By Kim Zetter
18 U.S. Code § 1030 – Fraud and related activity in connection with computers
Current through Pub. L. 114-38. (See Public Laws for the current Congress.)
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States; 
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
(A) threat to cause damage to a protected computer;
(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;
shall be punished as provided in subsection (c) of this section.
(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
(c) The punishment for an offense under subsection (a) or (b) of this section is—
(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if—
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000; and
(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(A) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 5 years, or both, in the case of—
(i) an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
(VI) damage affecting 10 or more protected computers during any 1-year period; or
(ii) an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 10 years, or both, in the case of—
(i) an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subclauses (I) through (VI) of subparagraph (A)(i); or
(ii) an attempt to commit an offense punishable under this subparagraph;
(C) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 20 years, or both, in the case of—
(i) an offense or an attempt to commit an offense under subparagraphs (A) or (B) of subsection (a)(5) that occurs after a conviction for another offense under this section; or
(ii) an attempt to commit an offense punishable under this subparagraph;
(D) a fine under this title, imprisonment for not more than 10 years, or both, in the case of—
(i) an offense or an attempt to commit an offense under subsection (a)(5)(C) that occurs after a conviction for another offense under this section; or
(ii) an attempt to commit an offense punishable under this subparagraph;
(E) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for not more than 20 years, or both;
(F) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; or
(G) a fine under this title, imprisonment for not more than 1 year, or both, for—
(i) any other offense under subsection (a)(5); or
(ii) an attempt to commit an offense punishable under this subparagraph.
(1) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section.
(2) The Federal Bureau of Investigation shall have primary authority to investigate offenses under subsection (a)(1) for any cases involving espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service pursuant to section 3056(a) of this title.
(3) Such authority shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.
(e) As used in this section—
(1) the term “computer” means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
(2) the term “protected computer” means a computer—
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
(3) the term “State” includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States;
(4) the term “financial institution” means—
(A) an institution, with deposits insured by the Federal Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit Union Administration;
(D) a member of the Federal home loan bank system and any home loan bank;
(E) any institution of the Farm Credit System under the Farm Credit Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and
(I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act;
(5) the term “financial record” means information derived from any record held by a financial institution pertaining to a customer’s relationship with the financial institution;
(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
(7) the term “department of the United States” means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5;
(8) the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;
(9) the term “government entity” includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any state, province, municipality, or other political subdivision of a foreign country;
(10) the term “conviction” shall include a conviction under the law of any State for a crime punishable by imprisonment for more than 1 year, an element of which is unauthorized access, or exceeding authorized access, to a computer;
(11) the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and
(12) the term “person” means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity.
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under subsection (a)(5).
(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States—
(A) such person’s interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such violation; and
(B) any property, real or personal, constituting or derived from, any proceeds that such person obtained, directly or indirectly, as a result of such violation.
(2) The criminal forfeiture of property under this subsection, any seizure and disposition thereof, and any judicial proceeding in relation thereto, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section.
(j) For purposes of subsection (i), the following shall be subject to forfeiture to the United States and no property right shall exist in them:
(1) Any personal property used or intended to be used to commit or to facilitate the commission of any violation of this section, or a conspiracy to violate this section.
(2) Any property, real or personal, which constitutes or is derived from proceeds traceable to any violation of this section, or a conspiracy to violate this section 
(Added Pub. L. 98–473, title II, § 2102(a), Oct. 12, 1984, 98 Stat. 2190; amended Pub. L. 99–474, § 2, Oct. 16, 1986, 100 Stat. 1213; Pub. L. 100–690, title VII, § 7065, Nov. 18, 1988, 102 Stat. 4404; Pub. L. 101–73, title IX, § 962(a)(5), Aug. 9, 1989, 103 Stat. 502; Pub. L. 101–647, title XII, § 1205(e), title XXV, § 2597(j), title XXXV, § 3533, Nov. 29, 1990, 104 Stat. 4831, 4910, 4925; Pub. L. 103–322, title XXIX, § 290001(b)–(f), Sept. 13, 1994, 108 Stat. 2097–2099; Pub. L. 104–294, title II, § 201, title VI, § 604(b)(36), Oct. 11, 1996, 110 Stat. 3491, 3508; Pub. L. 107–56, title V, § 506(a), title VIII, § 814(a)–(e), Oct. 26, 2001, 115 Stat. 366, 382–384; Pub. L. 107–273, div. B, title IV, §§ 4002(b)(1), (12), 4005(a)(3), (d)(3), Nov. 2, 2002, 116 Stat. 1807, 1808, 1812, 1813; Pub. L. 107–296, title II, § 225(g), Nov. 25, 2002, 116 Stat. 2158; Pub. L. 110–326, title II, §§ 203, 204(a), 205–208, Sept. 26, 2008, 122 Stat. 3561, 3563.)
Provided below are example cases of federal prosecutions that included charges of CFAA violations. The case entries include links to additional materials from the case and resources related to the case. Also, the Department of Justice has published its own manual on “Prosecuting Computer Crimes” that is available online.
U.S. v. Andrew Auernheimer, No. 13-1816 (3rd Cir. Apr. 11, 2014)
When Apple released the iPad, customers were required to purchase a contract with AT&T and register their accounts on a website controlled by AT&T using their email addresses. When testing AT&T’s security system, Andrew “Weev” Auernheimer discovered a flaw. He was able to gather the email addresses of their customers. When Weev notified AT&T that these personal emails were accessible and that AT&T customers were vulnerable, AT&T took no action. In response, he alerted the press to the security flaw and publicized some of the email addresses in redacted form. He did not possess, nor did he have access to, any other personally identifiable information or passwords of the customers.
AT&T responded by alerting the federal government, who then prosecuted Weev for violating the Computer Fraud & Abuse Act (CFAA). In order to enhance the potential punishment from a misdemeanor to a felony, the government claimed that the CFAA violation occurred in furtherance of a violation of New Jersey’s computer crime statute, even though no conduct occurred in New Jersey. This is known as “stacking” offenses, when the federal government reaches to a state statute to ramp up the charges, even though the state and federal statute cover the same conduct.
After a jury trial, Weev was convicted and sentenced to 41 months in federal prison and ordered to pay $73,000 in restitution. NACDL filed an amicus brief in support of his appeal to the Third Circuit, urging the court to take a narrow approach to the CFAA and limit the prosecutorial power of the government. Holding that venue was not proper in the District of New Jersey, the Third Circuit vacated Weev’s conviction (opinion).
U.S. v. Matthew Keys, No. 2:13-cr-00082 (E.D. Cal. 2013)
On March 14, 2013, Matthew Keys, a former Reuters Social Media Editor, was indicted on multiple counts of CFAA violations for allegedly providing hackers with usernames and passwords for Tribune Company websites in late 2010 after he was fired from his job at a Tribune-owned company. The government alleges this conduct was part of a conspiracy to make unauthorized changes to Tribune websites and to damage Tribune computers. The indictment charges three criminal violations of the CFAA, including conspiracy to cause damage to a protected computer, transmission of a malicious code and attempted transmission of a malicious code. These charges carry up to 25 years in prison and a fine up to $750,000. Keys rejected a plea deal and went to trial. After an 8-day jury trial, Keys was found guilty of three counts of violating the CFAA. On April 13, 2016, he was sentenced to 24 months of imprisonment, 24 months of supervised release, and restitution in the amount of $249,956. His appeal is currently pending before the Ninth Circuit.
U.S. v. Aaron Swartz, Crim. No. 1:11-cr-10260 (D. Mass. 2012)
Aaron Swartz, a computer programmer, entrepreneur and activist, was federally indicted on multiple counts of wire fraud and CFAA violations, including unlawfully obtaining information from a protected computer and recklessly damaging a protected computer. The charges stemmed from Swartz’ alleged effort to download approximately 4.8 million articles from JSTOR, which is a not-for-profit digital library, using the MIT network. Anyone on the MIT campus could access MIT’s computer network and, as a result, JSTOR, but JSTOR’s terms of service limited the number of articles that could be downloaded at a time. Swartz wrote a script that instructed his computer to download JSTOR articles continuously and, when this violation was detected and requests from his computer were denied, Swartz spoofed his computer’s address to trick the JSTOR servers.
Swartz was first indicted in November 2011, but federal prosecutors filed a superseding indictment in September 2012 that added nine more felony counts, increasing Swartz’s maximum criminal exposure to 50 years of imprisonment and $1 million in criminal fines. According to Swartz’s attorney Elliot Peters, the prosecutors offered Swartz a plea deal in which he would plead guilty to 13 felonies in exchange for a four- or six-month sentence. The prosecutors also stated that they would seek a seven-year sentence should Swartz exercise his constitutional right to a trial. The government took this hard-line position despite the fact that the “victims” MIT and JSTOR declined to pursue civil litigation. In fact, JSTOR actually informed the prosecutors that it did not want to press charges. Tragically, under the weight of the prosecution and potential prison sentence, Swartz committed suicide on January 11, 2013. After his death, the federal prosecutors dropped the charges.
For analysis of the Swartz prosecution, see Professor Orin Kerr’s two-part session, posts from the Electronic Frontier Foundation, and a two-part post from Jennifer Granick at the Center for Democracy and Technology.
U.S. v. Sergey Aleynikov, No. 11-1126 (2d Cir. Apr. 11, 2012)
A computer programmer, Aleynikov allegedly stole proprietary computer source code from his former employer (Goldman Sachs) and transferred it to his new employer. He was charged with violating the Economic Espionage Act (EEA), the National Stolen Property Act (NSPA), and the CFAA. Prior to trial, the U.S. District Court dismissed Count Three, the CFAA charge, on the ground that Aleynikov was authorized to access the Goldman computer and did not exceed the scope of authorization. Specifically, the court ruled that authorized use of a computer in a manner that misappropriates information is not an offense under the CFAA. A jury then convicted Aleynikov on the remaining counts and he appealed.
The Second Circuit reversed Aleynikov’s conviction on both counts (opinion). On count one, the court held that the theft and subsequent interstate transmission of purely intangible property is beyond the scope of the NSPA. The court similarly reasoned that the theft of source code relating to the high frequency trading system is not an offense under the EEA. Shortly after the Second Circuit vacated Aleynikov’s conviction, the Manhattan District Attorney’s Office initiated a prosecution against him based on state criminal law.
U.S. v. David Nosal, No. 10-10038 (9th Cir. Apr. 10, 2012)
The prosecution of David Nosal revolved around his enlistment of former colleagues to use their log-in credentials to download certain information from company computers in order to assist him in starting a new, competing business. These colleagues were authorized to access this information, but disclosing it violated company policy. The government charged Nosal with twenty counts, including trade secret theft, mail fraud, conspiracy, and violations of the CFAA. Following a motion to dismiss, the U.S. District Court dismissed the CFAA counts on the ground that the definition of “exceeds authorized access” does not incorporate corporate policies governing use of information. The government appealed and the Ninth Circuit agreed (opinion).
The Ninth Circuit reasoned that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions. The court cited the rule of lenity, as well as basic common sense, for reaching this conclusion. Specifically, the court reasoned that a narrower interpretation is appropriate since the CFAA is an anti-hacking statute and Congress dealt with misappropriation of trade secrets in another part of the federal code. As the colleagues had permission to access the company databases and obtain the information, their conduct could not be “without authorization” nor could it “exceed authorized access.” The Ninth Circuit affirmed the dismissal of the CFAA counts and the government proceeded to prosecute and convict Nosal on the remaining counts.
U.S. v. Elaine Cioni, No. 09-4321 (4th Cir. Apr. 20, 2011)
The Cioni case involved a federal criminal statute that has two overlapping misdemeanor criminal offenses that prohibit hacking into email accounts. Ordinarily, first offenses under the Computer Fraud and Abuse Act and the Stored Communications Act are misdemeanors, unless committed, among other things, in furtherance of another crime. In Cioni, the government attempted stacking the misdemeanors to obtain a felony conviction. Cioni was convicted of multiple counts and appealed her conviction to the Fourth Circuit.
In an amicus brief, NACDL argued that Cioni’s CFAA offense, unauthorized access to stored email, was not committed “in furtherance of” an SCA violation, because both convictions were based on the same conduct. The government’s attempt to count the same conduct as both an underlying misdemeanor and as the basis for a felony conviction violates the Double Jeopardy Clause. The Fourth Circuit agreed (opinion), holding that the CFAA charges had been improperly elevated to felony offenses and sent the case back to the district court to reduce the convictions to misdemeanors.
U.S. v. Lori Drew, No. CR 08-0582-GW (C.D. Cal. Aug. 28, 2009)
The prosecution of Lori Drew, sometimes referred to as the “MySpace Suicide Case,” took place following the tragic suicide of a 13-year-old girl. Drew and others set up a fictitious account on the social media website MySpace in order to target this girl. Such conduct violated the MySpace terms of service and, when the conduct ultimately resulted in the girl’s suicide, federal prosecutors responded by charging Drew with multiple violations of the CFAA and conspiracy. Following a jury trial, Drew was acquitted of all counts but for one misdemeanor violation of the CFAA.
The U.S. District Court set aside the jury’s guilty verdict in an opinion rejecting the government’s position that violating a website’s terms of service can constitute a federal offense. The judge reasoned that reading the statute in such a manner would deprive individuals of actual notice and be an overwhelmingly overbroad enactment that converts a multitude of otherwise innocent internet users into federal criminals.
The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, was originally enacted in 1984 as a criminal statute to deter hackers and protect data on federal computers. Over time, the scope of the CFAA evolved to include a private right of action for any person who suffers damage or loss because of a violation of the CFAA. Not surprisingly, employers have increasingly taken advantage of the CFAA’s civil remedies to obtain both injunctive and monetary relief against employees, making the federal statute a potent weapon against employees, especially in the context of noncompete and trade secrets litigation. This article examines the CFAA and suggests strategies that an employee can consider when fighting against a CFAA lawsuit.
Elements of a CFAA Claim
To establish a civil action against an employee under the CFAA, an employer must prove that the employee: (1) “knowingly and with the intent to defraud,” (2) accessed a “protected computer,” (3) “without authorization,” and as a result (4) caused a damage or loss of at least $5,000.1 This analysis focuses primarily on the last two elements and the extent to which a former employee has damaged or compromised the integrity of the employer’s computer system.
An employer does not have a cause of action under the CFAA if the alleged misconduct does not involve conduct prohibited by the act. Violations include but are not limited to:
1. damage to a protected computer that results in a loss of at least $5,000;
2. the impairment of a medical examination, diagnosis, treatment or care of an individual;
3. physical injury to a person; and
4. threats to public health or safety.
A. What Is a “Protected Computer” Under the CFAA?
A “protected computer” is defined broadly to include any computer that is “used in interstate or foreign commerce or communication.”2 This includes any computer connected to the internet.3
B. Did the Employee Have Authorization to Access the Protected Computer?
The key element to any CFAA claim is the employee’s unauthorized access to the employer’s computer system. Accordingly, an employer does not have a cause of action under the CFAA if access to the part of the employer’s computer system that the employee allegedly accessed was never revoked.4
The line blurs, however, when an employee who is planning to leave her job, while still employed and still authorized to use her employer’s computer system, uses that system for purposes adverse to the employer’s interest, for example, by gathering and disseminating information for competitive purposes. Some courts have addressed this issue by treating such conduct as “exceeding authorized access,” while others have ruled that an employee’s authorization to access ends the moment he or she acts contrary to the employer’s interest, thereby rendering the conduct as one “without authorization.”5 Still others have determined that such conduct is outside the scope of the act.6 A review of recent case law reveals the various conclusions that courts have reached in analyzing this particular element of the CFAA.
In International Airport Centers, LLC v. Citrin, the Seventh Circuit ruled in favor of a real estate agency on its claims for violations of the CFAA.7 In Citrin, the employee deleted files from his company-issued laptop and installed a secure-erasure program making it impossible for the agency to recover any of the deleted information.8 According to the employee, there was no basis for the CFAA claim because he was “authorized” to access his computer at the time he deleted the files.9 The Seventh Circuit rejected this argument, finding that “[an employee’s] breach of his duty of loyalty [in deleting relevant files] terminate[s] his agency relationship. . .and with it his authority to access the [company] laptop.”10 The Seventh Circuit concluded that an employee’s authorized access terminates when the employee’s mental state changes from loyal employee to disloyal competitor and the employee accesses his employer’s computer for an unauthorized purpose, i.e., to defraud or cause harm to the former employer.11
Other courts, however, have considered and emphatically rejected the agency law notion of authorization applied in Citrin. For example, in International Ass’n of Machinists & Aerospace Workers v. Werner-Masuda,12 the court held that the employer could not state a claim for relief under the CFAA because “[the employee’s] access had not been revoked.”13 According to the Werner-Masuda court, Congress intended for the statute to apply to outside computer hackers and not to disloyal employees who access their employer’s computer system on behalf of the employer’s competitor.14 Further, the court concluded that the CFAA expressly prohibits “unauthorized access” and not “unauthorized disclosure” of information.15 A Texas court reached a similar result in Bridal Expo Inc. v. Van Florestein16 when it concluded that defendants, former employees of the bridal exposition company Bridal Expo, did not copy information from the company’s computers “without authorization” even though one of the former employees admitted to downloading Bridal Expo’s database and later used the downloaded information for improper purposes.17 According to the court, “if Congress wanted to reach all wrong doers who access information that they will use to the detriment of their employers, it could have omitted the limiting words on authorization altogether.”18 Thus, finding that the former employees had signed no confidentiality agreement with Bridal Expo or any other agreement restricting their access to the files they had been working with at their jobs at Bridal Expo, the court denied the CFAA claim.19
In the most recent case to tackle this issue, LVRC Holdings LLC v. Brekka,20 the Ninth Circuit also rejected the agency law notion of authorization applied in Citrin. In Brekka, the Ninth Circuit held that a marketing consultant did not violate the CFAA because he did not access the employer’s computer “without authorization” when he allegedly e-mailed his employer’s documents to himself and to his wife to further his own competing business.21 In reaching its decision, the Ninth Circuit concluded that “[n]o language in the CFAA supports the argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s interest.”22 Instead, “[an employee] uses a computer ‘without authorization’ when the person has not received permission to use the computer for any purpose . . . or when the employer has rescinded permission to access the computer and the [employee] uses the computer anyway.”23 The Brekka court also held an employee remains authorized to use the protected computer even when an agreement subjects the employee’s access to certain limitations and the employee violates these limitations.
While many courts have sided with the Werner-Masuda court, the scope of the term “authorization” remains unresolved.25 Even so, courts are more likely to dismiss a CFAA claim where an employee’s counsel can prove that the alleged “access” was harmless, was not for an improper purpose, or that the employee accessed the former employer’s computer system for legitimate, work-related reasons.26 Moreover, a court is less likely to consider a CFAA claim against an employee where the employee’s unauthorized conduct did not produce “anything of value.”27
C. What Constitutes Loss or Damage for a Viable CFAA Claim?
To be actionable, a CFAA claim must also allege that the employee’s wrongful conduct resulted in a $5,000 damage or loss to the employer. Failure of proof on this element is “fatal” to a CFAA cause of action.28 Thus, an employee should always try to challenge an employer’s complaint by arguing that his or her conduct did not result in a “loss” to the employer.
1. “Loss” Under the CFAA.
In determining what constitutes a “loss” under the CFAA, courts have consistently interpreted “loss” to mean expenses related to restoring computer data, fixing actual damages to a computer system and modifying a computer system to preclude further data transfer.29 Courts disagree, however, on whether consequential damages, such as loss in the value of trade secrets or competitive advantage constitute a “loss” under the CFAA.30
In Civic Center Motors Ltd. v. Mason Street Import Cars Ltd.,31 for example, a New York court held that lost profits and wasted investments are not compensable losses under the CFAA.32 In Civic Center, a car dealership brought a CFAA claim against its competitor, seeking compensation for their “now wasted investment” in a customer database and lost profits resulting from its competitor’s unfair competitive edge.33 The court refused to recognize Civic Center’s claims, concluding that “losses under the CFAA are compensable only when they are the result from damage to, or inoperability of, the accessed computer system.”34 Finding that the former employees’ access to the dealership’s web-based database did not affect the integrity of the database’s information, the court dismissed the CFAA claim.35
The court in Nexans Wires S.A. v. Sark-USA Inc.,36 reiterated the court’s position in Civic Center when it rejected an employer’s CFAA claim seeking reimbursement for the cost of flying two executives from Germany to New York to meet and discuss the consequences of their competitor’s gain in competitive edge from their use of unlawfully gained information.37 In reaching its decision, the court pointed to the fact that the executives’ trip and subsequent meetings were unrelated to “investigating or remedying damage to a computer,” and therefore, fell outside the definition of a recoverable “loss” under the statute.38 According to the court, “[g]eneral non-computer costs incurred in investigating the violation [are] too far outside of the scope of the [CFAA].”39 Other courts, however, have taken a broader view, suggesting that items such as misappropriated property, loss of goodwill, and investigative costs can be used to establish the “loss” requirement of a civil CFAA action.40
In EF Cultural Travel BV v. Explorica Inc.,41 for example, the First Circuit held that the CFAA covered more than the losses directly attributed to the actual physical damage of a computer’s hard drive.42 Here, a tour company sued its competitor under the CFAA for allegedly using a “scraper” software program to glean prices from its website.43 The company claimed that it sustained a compensable loss because it had to pay consultants to assess the effect of Explorica’s interference with its website.44 In response, Explorica argued that it could not be liable under the CFAA because “their actions neither caused any physical damage nor placed any stress on EF’s website.”45 The court rejected Explorica’s arguments, holding that “a general understanding of the word ‘loss’ would fairly encompass a loss of business, goodwill, and the cost of diagnostic measures” that a company takes to assess the damage to its computer system.46 According to the court, any losses stemming from an employee’s unauthorized conduct are recoverable, so long as it results in a loss of at least $5,000.47
2. “Damage” Under the CFAA.
Under the statute, “damage” includes any “impairment to the integrity or availability of data, a program, a system or information.”48 Some courts have ruled that the misappropriation of trade secrets does not constitute damages under the CFAA.49 Others have ruled that the “damage” requirement can be satisfied when the misappropriation is coupled with other harm.50 Finally, there is authority that establishes the proposition that the misappropriation of trade secrets or confidential information alone is sufficient to establish the $5,000 jurisdictional threshold.
In Shurgard Storage Centers Inc. v. Safeguard Self-Storage Inc.,52 for example, the court held that even though the plaintiff’s data was not physically erased or changed, the misappropriation of the trade secrets constituted an impairment to the integrity of the data in question and thus, fell within the definition of damage.53 The majority of courts, however, have held that the misappropriation of trade secrets does not constitute damages under the CFAA.54 According to one court, the absence of evidence that a computer network was damaged in any quantifiable amount by the alleged unauthorized access of the network precludes recovery under the CFAA.55 Under this standard, a court likely will grant a motion to dismiss in a CFAA case where there is evidence that the misappropriated data remains intact on the employer’s computer or the employer fails to plead impairment to the integrity or availability of data, a program, a system, or information.56 Indeed, more courts are requiring employers to show computer related losses, impairment of the original data, or a complete lack of permitted access.57
The lesson to be gleaned from these cases is that each case will turn on its own facts and the determination of whether the employer has sufficiently pleaded “damage” or “loss” will, among other things, be determined by the jurisdiction overseeing the case.
II. General Tips for Avoiding CFAA Claims
The computer equipment provided by an employer does not belong to an employee. Thus, an employee should return all computerized information to the employer upon departure and refrain from deleting or transferring any information from the company’s computer system to a personal disk or e-mail without the company’s express consent.
III. General Tips for Defending Against CFAA Claims
A. Challenge Reliability of Employer’s Investigation.
An employee should consider attacking the quality and reliability of the former employer’s investigation into the employee’s “access” by demonstrating that the former employer’s methods for collecting evidence were unreliable or defective.58
B. Challenge Any Injunctions That Are Broad or Contrary to Public Policy.
Injunctions are an extraordinary remedy, which in the context of CFAA litigation can stifle competition and punish employees who may have inadvertently retained the former employer’s documents. Accordingly, an employee should object to the entry of an injunction that is considerably broader than that which could ordinarily be obtained under a trade secrets or unfair competition theory.
C. Argue That There Was No Practice, Procedure or Policy Prohibiting “Improper” Access or Use of the Company’s Documents.
In the absence of a promulgated policy or practice prohibiting employees from the “improper” access or use of an employer’s confidential information, a court likely will not find an employee’s allegedly improper access of company documents to be in violation of the CFAA.59
In Brekka, the Ninth Circuit held that an employer could not maintain its CFAA claim against a former employee accused of e-mailing company documents to his personal e-mail account because the employer could not establish that the former employee accessed its computer system “in excess of authorization” or “without authorization.”60 In reaching its decision, the court pointed to the fact that the employer failed to provide notice or employee guidelines distinguishing the proper and authorized use of employer information from the improper and unauthorized use of the company information in question.61 According to the Ninth Circuit, because Section 1030 is primarily a criminal statute and creates criminal liability for violators of the statute, the rule of lenity, which is rooted in considerations of notice, applies.62 Thus, “no citizen should be held accountable for a violation of a statute whose commands are uncertain, or subjected to punishment that is not clearly prescribed.”63 In short, a court will likely not recognize a CFAA claim where an employee “would have no reason to know that making personal use of the company computer . . . would constitute a criminal violation of the CFAA.”64
D. Assert the “Unclean Hands” Defense.
To challenge an employer’s CFAA claims, an employee can rely on the “unclean hands” doctrine. According to this doctrine, “he who asks equity must do equity, and he who comes into equity must come with clean hands.”65 In the context of CFAA litigation, this doctrine provides that “one who has acted in bad faith . . . or [has] been guilty of fraud, injustice or unfairness will appeal in vain to a court of conscience.”66 Thus, a court may not recognize a CFAA claim where there is evidence demonstrating that the employer engaged in wrongful or inequitable conduct with respect to the matter in litigation, i.e., the employer deleted all data that evidenced its retaliatory intent in filing the CFAA action.67
In sum, an employee faced with a lawsuit for violations of the CFAA has options to challenge the CFAA action, including the rule of lenity. Like lawsuits to enforce noncompetition provisions, CFAA actions are typically accompanied by a motion for a preliminary injunction or a motion for a temporary restraining order, which can put an employee out of work. Thus, it is critical quickly to assess and apply options available to the employee to gain the upper hand in the litigation and to avoid costs and being put on the defensive.
1 18 U.S.C. § 1030(a)(4); see also Pacific Aerospace & Elecs. Inc. v. Taylor, 285 F. Supp. 2d 1188, 1195 (E.D. Wash. 2003).
2 18 U.S.C. § 1030(e)(2)(B).
3 See Cont’l Group Inc. v. KW Prop. Mgmt. LLC, 622 F. Supp. 2d 1357, 1370 (S.D. Fla. 2009) (court held that connection to internet is “affecting interstate commerce or communication” and thus, computers connected to internet are protected under CFAA).
4 See LVRC Holdings v. Brekka, 581 F.3d 1127, 29 IER Cases 1153 (9th Cir. 2009); 2009 WL 2928952 (court held that employee uses computer “without authorization” when person has not received permission “to use computer for any purpose . . . or when the employer has rescinded permission to access the computer and the [employee] uses the computer anyway”).
5 Int’l Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); 4 WLR 329, 3/17/06, (court held that “authorized access” ends when employee breaches his duty of loyalty); Patrick Patterson Custom Homes Inc. v. Bach, 586 F. Supp. 2d 1026, 1034-35 (N.D. Ill. 2008) (court held that employer stated administrative assistant exceeded her authority by installing data shredding software causing permanent deletion of financial records on company’s computer).
6 See B & B Microscopes v. Armogida, 532 F. Supp. 2d 744 (W.D. Pa. 2007) (court held that because CFAA delineates between authorized and unauthorized access, reading of statute that once employee begins violating duty of loyalty to his employer any authorized access is withdrawn, would render the CFAA’s distinction meaningless); see also Lockheed Martin Corp. v. Speed, No. 6:05-CV-1580-ORL-31, 2009 WL 2683058, at *4 (M.D. Fla. Aug. 1, 2006) (court refused to recognize CFAA claim where employer permitted its employees, as a function of their respective positions, to access the precise information at issue on ground that “Congress chose not to reach. . . those [employees] with access authorization.”); Black & Decker Inc. v. Smith, No. 07-1201, 2008 WL 3850825, at *3 (W.D. Tenn. Aug. 13, 2008) (court concluded that “the [CFAA] targets the unauthorized procurement or alteration of information, not its misuse.”).
7 Citrin, 440 F.3d at 421.
8 Id. at 419.
9 Id. at 421.
10 Id. at 420-21.
11 Id. at 421.
12 Int’l Ass’n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479 (D. Md. 2005).
13 Id. at 499.
14 Id. at 498.
15 Id. at 499.
16 Bridal Expo Inc. v. Van Florestein, No. 4:08-CV-03777, 2009 WL 255862 (S.D. Tex. 2009).
17 Bridal Expo, 2009 WL 255862, at *11.
18 Id. at *10.
19 Id. at *11.
20 581 F.3d 1127, 29 IER Cases 1153, 2009 WL 2928952 (9th Cir. 2009).
21 Brekka, at *6-7.
22 Id. at *5.
23 Id. at *7; see also Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008) (employee’s acquisition of employer’s confidential information prior to resigning for new position with employer’s competitor was not “without authorization” or in matter that “exceeded authorized access” where employee was permitted to view specific files he allegedly e-mailed himself).
24 Brekka, at *5 (“It is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or ‘without authorization.’”).
25 Compare Brekka, at *5 (former employee who e-mailed sensitive company documents that he accessed with permission to his personal computer did not exceed his authorized access, even if he planned to use those documents to further his own business objectives) and Jet One Group Inc. v. Halcyon Jet Holdings, No. 08cv3980, 2009 WL 2524864, *5-6 (E.D.N.Y. Aug. 14 2009) (dismissing complaint claiming that defendants, who were permitted to access client lists in question in normal course of business even when defendants later used those client lists to compete against plaintiff) with Int’l Airport, 440 F.3d at 420 (employee’s misappropriation of confidential information violated his duty of loyalty, thereby “terminating his agency relationship . . . and with it his authority to access the laptop”) and Calyon, No. 07 Civ. 2241, 2007 WL 2618658 at *1 (holding that employees who copied their employer’s proprietary electronic documents before their termination must have known doing so was “in contravention of the wishes and interests of the employer” and therefore exceeded the scope of their authorized access).
26 Hecht v. Components Int’l Inc., 867 N.Y.S.2d 889 (2008) (court granted summary judgment dismissing CFAA counter claim where employee’s access to company’s e-mail server was “standard” suggesting that “sensitive information was not reached”); Lockheed Martin, 2006 WL 2683058, at *8 (“The copying of information from a computer onto a CD or PDA is a relatively common function that typically does not, by itself, cause permanent deletion of the original computer files. In the absence of an allegation of permanent deletion or removal, the Court will not create one.”); Resdev LLC v. Lot Builder Ass’n Inc., No. 6:04-CV-1374ORL31DAB, 2005 WL 1924743, at *4-5 (M.D. Fla. 2005) (Court held that to have “damage” under the CFAA, there must be “some diminution in the completeness or useability of the data or information on a computer system.” Determination of whether damage exists hinges on physical change in data, program, system, or information).
27 United States v. Czubinski, 106 F.3d 1069, 1070 (1st Cir. 1997) (employee of IRS did not violate CFAA even though he knowingly disregarded IRS confidential information rules by performing searches outside scope of his contract representative duties to satisfy his own curiosity about tax information of friends, political rivals, and acquaintances, because there was no evidence that he printed out, recorded, or used information he read to obtain “anything of value”); see also P.C. Yonkers Inc. v. Celebrations the Party & Seasonal Superstore LLC., 428 F.3d 504, 505 (3rd Cir. 2005); In re America Online Inc., 168 F. Supp. 2d 1359, 1360 (S.D. Fla. 2001).
28 Pearl Investments LLC v. Standard I/O Inc., 257 F. Supp. 2d 326, 349 (D. Me. 2003).
29 See Lasco Foods Inc. v. Hall & Shaw Sales, Marketing & Consulting LLC, No. 4:08CV01683, 2009 WL 151687, at *5 (E.D. Mo. 2009) (“[c]ourts have consistently interpreted loss. . . to mean a cost of investigating or remedying damage to a computer, or a cost incurred because the computer’s service was interrupted.”); Forge Indus. Staffing Inc. v. De La Fuente, No. 06 C 3848, 2006 WL 2982139, at *6-*7 (N.D. Ill. 2006) (loss includes cost of hiring forensic computer expert to recover destroyed data in addition to actual damages to computer system); see also Matter of Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 521 (S.D.N.Y. 2001) (court noted that “Congress intended the term ‘loss’ to target remedial expenses borne by victims that could not properly be considered direct damage caused by a computer hacker.”); 18 U.S.C. § 1030(e)(11) (loss is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service.”).
30 Compare Garelli Wong & Associates Inc. v. Nichols, 551 F. Supp. 2d 704 (N.D. Ill. 2008) (court ruled that copying or misappropriation of trade secret through use of computer does not, on its own, constitute “damage” under CFAA) with HUB Group, Inc. v. Clancy, No. Civ. A. 05-2046, 2006 WL 208684, at *3-4 (E.D. Pa. 2006) (employee exceeded scope of his authorization into former employer’s database when he took information to use as TTS employee) and Calyon, No. 07 Civ. 2241, 2007 WL 2618658 at *1 (S.D.N.Y. Sept. 5, 2007) (holding that employees who copied their employer’s proprietary electronic documents before their termination must have known doing so was “in contravention of the wishes and interests of the employer” and therefore exceeded scope of their authorized access).
31 Civic Ctr. Motors Ltd. v. Mason St. Import Cars Ltd., 387 F. Supp. 2d 378 (S.D.N.Y. 2005).
32 Id. at 381.
33 Id. at 382.
34 Id. at 381.
36 Nexans Wires S.A. v. Sark-USA Inc., 319 F. Supp. 2d 468 (S.D.N.Y. 2004).
37 Id. at 476.
38 Id. at 473.
39 Id. at 476.
40 Cont’l Group Inc. v. KW Prop. Mgmt. LLC, 622 F. Supp. 2d 1357, 1370 (S.D. Fla. 2009); Creative Computing v. Getloaded.com LLC, 386 F.3d 930 (9th Cir. 2004).
41 EF Cultural Travel BV EF v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001).
42 Id. at 585.
43 Id. at 579.
44 Id. at 580.
45 Id. at 584.
46 Id.; see also Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 935 (9th Cir. 2004) (court held that loss of business and business goodwill are economic damages under CFAA).
47 Explorica, 274 F.3d at 585 (court held that $20,000 that EF spent to determine whether its website had been compromised met $5,000 threshold for loss or damage under CFAA).
48 18 U.S.C. § 1030(e)(8).
49 See, e.g., Garelli Wong & Assocs. Inc. v. Nichols, 551 F. Supp. 2d 704 (N.D. Ill. 2008) (court ruled that copying or misappropriation of trade secret through use of computer alone does not constitute “damage” under CFAA); Lockheed Martin, 2006 WL 2683058, at *4 (copying of confidential data does not constitute “damage” under the CFAA); Resdev, 2005 WL 1924743, at *5 n.3 (noting that “damage” contemplates “some diminution in the completeness or useability of data or information on a computer system.”); Davis v. Afilias Ltd., 293 F. Supp. 2d 1265 (M.D. Fla. 2003) (registry operator was not entitled to summary judgment on its counterclaim that employee that individual violated CFAA by using authorization codes to register domain names because World Intellectual Property Organization gave individual authorization codes to register his names, which individual did through his registrar, there was no evidence that individual directly accessed registry operator’s computer system to register domain names in question, and although it was discovered that codes were given to individual in error, individual could not be held simply on basis that he used codes to register domain names).
50 Black & Decker, 568 F. Supp. 2d at 937 (W.D. Tenn. 2008) (misappropriating a trade secret coupled with other harm to the data constitutes “damage” under CFAA).
51 See e.g., Four Seasons Hotel & Resorts BV v. Consorcio Barr SA, 267 F. Supp. 2d 1268, 1324 (S.D. Fla. 2003).
52 Shurgard Storage Centers Inc. v. Safeguard Self Storage, 119 F. Supp. 2d 1121, 1126-27 (W.D. Wash. 2000).
53 Id.; see also 18 USC § 1030(e)(8)(A) (2000).
54 Id. at 710; see also Andritz v. S. Maint. Corp, 626 F. Supp. 2d 1264 (M.D. Ga. 2009); Sam’s Wines & Liquors Inc. v. Hartig, No. 08 C 570, 2008 WL 4394962, at *3 (N.D. Ill. Sept. 24, 2008).
55 See Pearl Investments LLC v. Standard I/O Inc., 257 F.Supp. 2d 326, 349 (D. Me. 2003) (lack of evidence that computer network was damaged in any quantifiable amount by alleged unauthorized access by custom software company and its owners precluded developer’s recovery under CFAA).
56 See, e.g., Garelli, 551 F. Supp. 2d at 710 (court concluded that plaintiff failed to sufficiently plead damage under CFAA because misappropriation alone did not show “impairment to the integrity or availability of data, a program, a system, or information.”); Hartig, 2008 WL 4394962, at *4 (court granted employee’s 12(b)(6) motion to dismiss where employer failed to properly plead damage, i.e., impairment to integrity or availability of data, program, system, or information on its computer).
57 See, e.g., Condux Int’l v. Haugum, No. 08-4824, 2008 WL 5244818, at *8 (D. Minn. 2008) (concludes that plain language of statute requires “some alteration of or diminution to the integrity, stability, or accessibility of the computer data itself” to be damage under CFAA); P.C. Yonkers, 428 F.2d at 513 (franchisees were not entitled to preliminary injunction where they demonstrated that former employee of their franchisor accessed computer system and did not show any information was taken; absent something more than mere access, franchisees could not succeed on their claim).
58 Brekka, 2009 WL 2928952, at *8 (CFAA claim against employee failed because of contradictory evidence between the employer’s own witness and expert evidence).
59 Id. at *6.
60 Id. at *1.
61 Id. at *6.
62 Id. at *6.
63 Id. at *6 (quoting United States v. Santos, 128 S. Ct. 2020, 2025 (2008)).
65 Albert v. Albert, 38 Va. App. 284, 299 (2002) (citing Walker v. Henderson, 151 Va. 913, 927-28 (1928)).
66 Matter of Garfinkle, 672 F.2d 1340, 1346, n. 7 (11th Cir. 1982) (quoting Peninsula Land Co. v. Howard, 6 So. 2d 384, 389 (Fla. 1941)).
67 Cont’l Group Inc., 622 F. Supp. 2d at 1377.
Washington, DC (TFC) – In the United States, computer crimes are typically prosecuted under an obsolete and anachronistic law known as the Computer Fraud and Abuse Act, or simply CFAA. The CFAA is a vague piece of shit legislation, written in a time before personal computers were in everybody’s homes and pockets, and before the internet as it exists today even existed. At its heart, the law was intended to protect U.S. Government computer systems, systems owned and operated by financial institutions, as well as computers “affecting interstate and foreign commerce and communications”. Because the internet is, by design and by definition, nothing more than a collection of computers affecting interstate and foreign commerce and communications, the CFAA can be applied to virtually anyone, anytime, and for almost any reason.
Since being enacted into law in 1986, the CFAA has been the favorite means of the U.S. Government to prosecute everybody, from Kevin Mitnick to Aaron Swartz. Violations of the CFAA can carry as much as a life sentence in some cases, and have carried potential restitution totaling over a million dollars. Violations of the CFAA can range from simply violating a website’s terms of service to distributing malicious code; from trafficking in passwords, to hacking government networks. Any computer or network that could reasonably be described using the intentionally vague adjective “protected” is covered by the CFAA. In practice, the CFAA can be applied to any number of activities not explicitly written into the law, depending essentially on who you’ve managed to piss off and how important they think they are.
In 2012, for instance, Adam Nafa was charged with violations of the CFAA for making a YouTube video promoting Op Telecom, a DDoS in protest against Verizon’s systematic corporate greed and their efforts against the proposed Net Neutrality Act. Adam was charged with conspiracy to damage a protected computer under 18 U.S.C. 1030 (c)(4)(B) (i) and (ii), despite the fact that the proposed DDoS never actually took place. Simply suggesting that it should take place was enough for the government to arrest Adam and charge him with conspiracy to violate the CFAA. After being threatened with years in prison and exorbitant punitive restitution, Adam was forced to accept a plea deal for probation and restitution totaling $18,500, even though no damage was ever done to Verizon’s networks. The proposed DDoS never actually took place.
From the time of his arrest until the time he accepted his plea deal, Adam was prevented from using a computer for any reason, including assisting in his own defense, potentially violating his 6th amendment rights. As a condition of his plea deal and subsequent probation, Adam was given strict computer use monitoring and restrictions. In essence, Adam made a YouTube video that pissed off Verizon enough to sic the might of the U.S. Government on him and attempt to crush him under the weight of the cumbersome CFAA. Resistance is futile, dissenters will be shot on sight; we’ll bill you for the bullet later.
In 2012, a man named Higinio Ochoa, also known as W0rmer, was charged with multiple violations of the CFAA. Before he was even convicted of a crime, as a condition of his bond, he was completely banned from using a computer of any sort for any reason, again potentially involving his 6th amendment rights. In order to fulfill the conditions to secure his release from prison, he too was ordered to participate in strict computer monitoring. A somewhat amusing, albeit unintended side effect of his post release restrictions was that he was, for all intents and purposes, unable to even apply for employment: another condition of his release. This created a sort of slapstick feedback loop wherein he could not be released unless he accepted gainful employment but could not apply for employment to begin with due to his overbearing computer use restrictions, and the fact that most employers do not even offer paper applications anymore. Short of scribbling his resume on a piece of cardboard with a crayon and standing outside of Starbucks shaking a cup, he was screwed. Somewhat comically, he was banned from using any cell phone that has access to the internet. Trying to find a phone these days that cannot access the internet is about as easy as trying to find a rainbow colored Unicorn that grants magical wishes. Before Higinio could even attempt to abide by the conditions of his release, his wife and newborn son were forced to move 4 hours away from his hometown and his family because the government allegedly was unable to monitor his computer use where he had intended to live, a dubious claim at best.
One final and particularly troubling example is the case of Jon Cowden. Jon was charged and found guilty of violating the CFAA in relation to his attack on a state-run Israeli government website. He was also charged with hacking Mayor Francis Slay of St. Louis during the Occupy camp evictions. Jon accepted a plea deal for 21-27 months in prison, which was later reduced to 15 months due to mitigating circumstances that included a prior diagnosis of bipolar disorder, manic depression, and alcoholism. Jon has suffered severe PTSD as a result of his incarceration, which continues to be debilitating to this day. Jon’s post release restrictions have had tragically damaging consequences that have made it impossible for him to find work, and therefore support himself. All of Jon’s computer use is monitored as a condition of his release. He is also required to notify any potential client or employer that they are subject to federal search and seizure of all electronics, should Jon decide to break the law again. Jon is essentially required to wear his conviction like a scarlet letter and inform anyone who might be remotely interested in hiring him that he is a potentially massive liability, to the effect that he is now homeless and has been completely unable to find work for himself.
Computer use restrictions are not unique to Hacktivists prosecuted in the United States. Most so-called western countries have their own laws that mimic or mirror the CFAA in whole or in part. Adam Bennet, aka Lorax, arrested in Australia for allegedly hacking government websites, has been subject to harsh internet use restrictions since his arrest. As his case drags its way through the Australian court system, Adam is only allowed to use the internet for communicating with his lawyer to assist in his own defense and for conducting financial transactions, a particularly amusing fact considering that the CFAA in the U.S. was intended specifically in part to protect financial institutions. Two people arrested in connection with Adam’s case, “absantos” and “rax,” are currently under similar restrictions. None of these individuals have been convicted of a crime. Two people arrested in Italy in connection with Operation Green Rights, and three arrested in France in relation to other Hacktivism related computer crimes are all facing similarly oppressive restrictions. None have been convicted of any crime.
These are but a few cases where egregious and punitive computer use restrictions have had devastating consequences for not only the individual convicted, but their friends and family as well. These restrictions exist solely as a result of the terms of laws like the CFAA and the leeway given to prosecutors, judges, and probation officers in deciding how much and how long a person convicted of a computer related crime should suffer for their sins. If Jon Cowden had flown to Israel and simply unplugged the server hosting the website he was convicted of hacking he would likely face jail time, but would not have to suffer the consequences of his computer use restrictions, even though the result would be essentially the same. The website would go down, Jon’s point would be made, but his life would not be in the shambles it is today.
But that’s the point, isn’t it? Where sentencing guidelines and plea deals fall short, the Government has itself a mighty hammer in computer use restrictions, to the effect that everyone starts to look like a nail. Computer use restrictions are, in effect, an invisible prison that surrounds an individual arrested for or convicted of computer crimes. Unlike someone convicted of any number of violent felonies who can serve his sentence and walk away with his freedom, people convicted under the CFAA and similar laws may find themselves imprisoned after release for some minor insignificant violation of their computer use restrictions, regardless of the nature of the violation or even if the violation was intentional or not.
As in the case of Jon Cowden, computer use restrictions can and often do affect a person’s ability to find employment. Aside from the obvious impossibility of submitting or even creating a resume without use of a computer, employers are often uncomfortable hiring someone who brings with them the baggage of constant computer monitoring and the implied liability and potential financial loss that comes with hiring someone shackled by computer use restrictions. This has the effect of forcing often talented computer programmers and engineers to accept employment outside of their knowledge base, for a fraction of the pay they could otherwise earn if they were able to work in their own field. In order to pay restitution, a person needs a job. In order to get a job, most people need to have some access to computers, including the internet. If a person cannot pay his restitution he will eventually be returned to prison: and on, and on, and on.
As has been demonstrated, computer use restrictions are often more damaging to the individual, the friends, and the families of those convicted than their inevitable detention and incarceration, and in fact may lead to further detention and incarceration down the road. These people were convicted of nonviolent, essentially victimless crimes, yet face continued incarceration, even where there are no bars, no guards, no shanks, no strip searches. These people were activists behaving in what they believed was the most moral way they knew how, prosecution be damned. They chose to stand up for a cause in which they believed and as a result they get to bend over and take it, years after their incarceration has ended. Computer use restrictions that include computer monitoring represent one way for the government to keep a person incarcerated indefinitely and beyond the terms of their pleas or sentences. They are applied exclusively to people convicted of violating laws like the CFAA, and disproportionately to Hacktivists specifically.
Computer use restrictions are but one glaring symptom of a fundamental disconnect between how the law sees Hacktivists and how Hacktivists see themselves. The cops, judges, and prosecutors watch too much TV, basing their opinions on the last cheesy action movie where some kid takes out the entire internets. Rather than educate themselves about the technology and the reality of just how little actual damage is ever really done, they rely on pure fiction and innuendo to demonize Hacktivists in the minds of the public, and indeed in their own minds. On the other hand, you have Hacktivists who are intimately familiar with the technology and the reality of what kind of damage is actually done during the commission of their so-called crimes. They see themselves as being on the morally right side of things, little more than protesters trying to be proactive in effecting change in the only way they know how. While the governments who prosecute these cases would have us believe that but for their swift and merciless action we would all be sent back to the stone age every time some kid DDoSed Walmart, the reality is far more benign. The so-called victims in all of these cases are the corporations who are killing us and the Governments that allow them to do it. That a conflict of interest may exist in even prosecuting these cases is lost on them entirely.
For more information on the CFAA, Computer Use Restrictions, and Hacktivism related arrests in general, please visit http://www.freeanons.org.
~Sue Crabtree, Guest Fifth Columnist
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, is an amendment made in 1986 to the Counterfeit Access Device and Abuse Act that was passed in 1984. It essentially states that whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication, shall be punished under the Act. In 1996 the CFAA was, again, broadened by an amendment that replaced the term “federal interest computer” with the term “protected computer.” 18 U.S.C. § 1030. While the CFAA is primarily a criminal law intended to reduce the instances of malicious interferences with computer systems and to address federal computer offenses, an amendment in 1994 allows civil actions to be brought under the statute, as well.
How the CFAA Works
Types of Offenses (7 Prohibitions)
There are seven types of criminal activity enumerated in the CFAA: obtaining national security information, compromising confidentiality, trespassing in a government computer, accessing to defraud and obtain a value, damaging a computer or information, trafficking in passwords, and threatening to damage a computer. Attempts to commit these crimes are also criminally punishable.
Protected Computer
The term “protected computer” means a computer
- (1) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
- (2) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.
18 U.S.C. § 1030
In MBTA v. Anderson, No. 08-11364, (D. Mass. filed Aug. 19, 2008), Plaintiff claimed that defendants violated or threatened to violate the CFAA by releasing the findings of their research regarding the security holes associated with the MBTA fare charging system. The court found that a violation of the CFAA only occurs if the person knowingly causes the transmission of programmed information to a protected computer. Because the defendants, in this case, were only seeking to transmit information to a non-computer audience, the court found that the MBTA was not likely to succeed on a claim under the CFAA.
A violation of the CFAA can be committed in two ways: either by an outsider who trespasses into a computer or an intruder who goes beyond the scope of his given authorization.
Without Authorization
“Congress did not define the phrase ‘without authorization,’ perhaps assuming that the words speak for themselves. The meaning, however, has proven to be elusive.” EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). Some courts have applied a “reasonable expectation” standard, under which conduct is without authorization only if it is not “in line with the reasonable expectations” of the website owner and its users. Id. Other courts, finding the “reasonable expectations” standard to be an overly broad reading that restricts access and is at odds with the Internet’s intended purpose of providing the “open and free exchange of information,” urge us to adopt the reasoning that computer use is “without authorization” only if the use is not “in any way related to [its] intended function.” Id. at 582.
Instances where an outsider trespasses onto a computer system are fairly easy to recognize; however, in some instances an insider can stray so far from the realm of his given authorization that the court treats the user as having acted without authorization. In United States v. Morris, a case prosecuted under a previous version of the CFAA that punished “intentionally accessing a Federal interest computer without authorization,” Morris spread a program known as a “worm” that affected computers across the country and caused damage. U.S. v. Morris, 928 F.2d 504 (2d Cir. 1991) (Internet worm violated CFAA). Morris argued that he had merely exceeded his authorized access and not accessed the computers without authorization. The court noted that Congress “did not mean to insulate from liability the person authorized to use computers at the State Department who causes damage to computers at the Defense Department.” Id. at 511. Further, the court goes on to state that, “Congress did not intend an individual’s authorized access to one federal interest computer to protect him from prosecution, no matter what other federal interest computers he accesses.” Id. As such, they found that Morris was acting without authorization.
Agency
In determining if an employee has exceeded authorization in accessing a computer system, issues regarding agency often arise. In Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., Plaintiff sued a competitor for violations of the CFAA resulting from allegations that Defendant created an agency relationship with one of Plaintiff’s employees whereby the employee accessed Plaintiff’s computers to provide Defendant proprietary information regarding Plaintiff’s company while still employed by Plaintiff. Regarding the agency issue, the court held that “for purposes of stating claim under CFAA, former employees lost access to computers when they allegedly became agents of a competitor.” Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121 (W.D. Wash. 2000) (finding that insiders with authorization to use a system can lose that authorization when they act as agents of an outside organization).
Like Shurgard, where Defendant accessed files on Plaintiff’s computer and used the files against Plaintiff, in LVRC Holdings v. Brekka the defendant transferred files from his employer’s computer and later used these files for reasons contrary to the employer’s interests. However, unlike Shurgard, where the employee’s behavior changed as a result of his new agency relationship with Defendant, in Brekka, Defendant regularly emailed documents from his work computer to his personal computers and Plaintiff did not have an employment agreement or give guidelines to Defendant prohibiting the transfer of Plaintiff’s computer files to personal computers. Thus, the court found that, “because Brekka was authorized to use [Plaintiff’s] computers while he was employed [by Plaintiff], he did not access a computer ‘without authorization’ in violation of § 1030(a)(2) or § 1030(a)(4) when he emailed documents to himself and to his wife prior to leaving [Plaintiff’s company]. Nor did emailing the documents ‘exceed authorized access,’ because [Defendant] was entitled to obtain the documents.” LVRC Holdings v. Brekka, No. 07-17116, (9th Cir. Sept. 15, 2009). Moreover, the Ninth Circuit noted that, “[n]o language in the CFAA supports [Plaintiff’s] argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s interest.” Id.
The Seventh Circuit, in Citrin, noting the principles of agency in their decision stated that Defendant, a former employee of the plaintiff, breached his duty of loyalty to his employer, thus terminating his agency relationship with said employer. As such, the court found that any rights that were granted as a result of the agency relationship, including authorization to use the employer’s computer, were also terminated. Thus, because defendant was not authorized to use Plaintiff’s computer, the court held that the “employee’s alleged installation of [a] program on employer’s computer that caused deletion of files would violate the Computer Fraud and Abuse Act.” International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. March 8, 2006).
Exceeds Authorization
The term “exceeds authorized access” is defined by the CFAA to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).
Misuse/Trade Secret
Recent judicial decisions and statutory amendments have broadened the scope of the CFAA. This broadened CFAA scope combined with today’s corporate practice of storing confidential information electronically has created an environment where plaintiffs bring claims for the misappropriation of proprietary information under the CFAA. However, because more than merely unauthorized use is required to establish a violation of the CFAA, the majority of courts have found that misappropriation alone does not constitute an offense under the statute.
In Therapeutic Research Faculty v. NBTY, 488 F. Supp. 2d 991 (E.D. Cal. 2007), Plaintiff alleged that Defendant purchased a single user subscription to Plaintiff’s publication, but proceeded to share its provided “confidential username and passcode among many [of its employees] for two-and-a-half years, thereby infringing on [Plaintiff’s] rights in the Publication.” Id. As such, Plaintiff brought suit for a number of claims including violation of the CFAA and the court found that Plaintiff adequately “alleged that its username and passcode constituted ‘trade secret’ under California law.” Id. Regarding the CFAA claim, the court held that “Plaintiff’s allegations sufficiently state a claim under the CFAA” and they go on to state “several district courts have recognized that damage caused by unauthorized access or access in excess of authorization to a computer system may be redressed under the CFAA.” Id. at 997.
Unlike Therapeutic Research Faculty, where Defendant provided information to other users that allowed for unauthorized access to Plaintiff’s computer system, in U.S. v. Czubinski, Defendant made no attempt to damage the data or the usability of the computer system he was accessing. Instead, Defendant merely accessed files on the IRS’s computer system without authorization, and the court noted that there was no evidence to show that defendant’s end was anything more than to satisfy his own curiosity, and that a showing of some additional end, to which the unauthorized access is a means, is required. Thus, the hurdle to making a successful claim for trade secrets violation under the CFAA appears to stem from the CFAA’s requirement that the inflicted damage diminished the completeness or usability of data or information on a computer system. However, misappropriated data very often remains intact on the originating computer; as such, in these instances, most plaintiffs will not be able to make a CFAA claim.
Drew/EULA
Recently, during the U.S. v. Drew case, questions arose regarding whether an intentional breach of a website’s end user license agreement, without more, is enough to sustain a violation of the CFAA. In U.S. v. Drew, Plaintiff created a fictitious profile for a boy named “Josh” on the social networking website, Myspace. In doing so, Plaintiff violated Myspace’s Terms of Service. Plaintiff then used this fictitious profile to communicate with her daughter’s classmate. During one of the communications, Plaintiff, using the fictitious profile, told her daughter’s classmate “that [‘Josh’] no longer liked her and that ‘the world would be a better place without her in it.’” United States v. Drew, 259 F.R.D. 449 (C.D.Cal.). Her daughter’s classmate killed herself later that day. Upon learning of the classmate’s death, Plaintiff deleted the fictitious Myspace account. The court in Drew concluded that, “an intentional breach of the MSTOS can potentially constitute accessing the MySpace computer/server without authorization and/or in excess of authorization under the statute.” Id. at 461.
However, the court goes on to note that, “[t]he pivotal issue herein is whether basing a CFAA misdemeanor violation as per 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(A) upon the conscious violation of a website’s terms of service runs afoul of the void-for-vagueness doctrine. This Court concludes that it does primarily because of the absence of minimal guidelines to govern law enforcement, but also because of actual notice deficiencies.” Id. at 465. A violation of the CFAA in this instance appears to hinge on whether a reasonable person, upon consenting to a clickwrap agreement, would be put on notice that potential criminal penalties could be enforced for breaching the contract. The court in Drew noted that the CFAA, “does not explicitly state (nor does it implicitly suggest) that the CFAA has ‘criminalized breaches of contract’ in the context of website terms of service.” Id. Moreover, the court goes on to point out that, “[n]ormally, breaches of contract are not the subject of criminal prosecution . . . [and that] by utilizing violations of the terms of service as the basis for the section 1030(a)(2)(C) crime . . . the website owner-in essence [becomes the] party who ultimately defines the criminal conduct.” Id. “In sum, if any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law ‘that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].’” Id. (citing City of Chicago v. Morales, 527 U.S. 41 at 64, 119 S.Ct. 1849).
Civil Action – Damages
The CFAA is primarily a criminal statute. However, in 1994 a civil suit provision was added that provides a private cause of action if a violation causes loss or damage, as those terms are defined in the statute. 18 U.S.C. § 1030(g). To state a civil claim for violation of the CFAA, a plaintiff must allege:
- damage or loss;
- caused by;
- a violation of one of the substantive provisions set forth in § 1030(a); and
- conduct involving one of the factors in § 1030(c)(4)(A)(i)(I)-(V).
18 U.S.C. § 1030(g).
Persons found to be civilly liable for a CFAA violation can be responsible for compensatory damages and injunctive or other equitable relief.
Moreover, an action brought under this section must be brought within two years of the date of the act complained of or the date of the discovery of the damage. Additionally, no action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware. June 23, 2008) (must plead intent to cause harm, intent to transmit software code is not enough).
In 2008, the CFAA was amended by the Identity Theft Enforcement and Restitution Act, Pub. Law 110-326, 122 Stat. 3560. This amendment enhanced a number of aspects of the CFAA. Most notably, the 2008 amendment eliminated the need for Plaintiff’s loss to be greater than $5,000 and made it a felony for a user to cause damage to ten or more computers. Thus, while the $5,000 threshold has been done away with, a Plaintiff still needs to show that they suffered damage or loss.
Prior to the USA PATRIOT Act in 2001, the CFAA contained no definition for “loss.” In United States v. Middleton, a case argued before the enactment of the USA PATRIOT Act, the defendant accessed his former employer’s computer system without authorization and as a result, the company was forced to pay to repair the system. At trial, Defendant argued that his actions had not caused “damage” as the term is defined in the CFAA. The Ninth Circuit disagreed, however, reasoning that, “[i]n determining the amount of losses, [one] may consider what measures were reasonably necessary to restore the data, program, system, or information that [one] finds was damaged or what measures were reasonably necessary to resecure the data, program, system, or information from further damage.” United States v. Middleton, 231 F.3d 1207 (9th Cir. 2000). The court’s holding in Middleton then became the basis for the definition of “loss” in the USA PATRIOT Act. As such, “loss” is now statutorily defined as, “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
Loss includes
- Response costs
- Damage assessments
- Restoration of data or programs
- Wages of employees for these tasks
- Lost sales from website
- Lost advertising revenue from website
Loss might include
- Harm to reputation or goodwill
- Other costs if reasonable
Loss does not include
- Assistance to law enforcement
Moreover, lost revenue resulting from the theft of proprietary information is also not considered loss. While the following cases do not meet the current definition of “loss,” they are relevant to understanding what damage or loss is. In Andritz, Inc. v. Southern Maintenance Contractor, LLC, Plaintiff claimed that Defendant violated the CFAA by misappropriating Plaintiff’s trade secrets. The court found that:
Plaintiff simply fails to allege that it suffered any damages that fall within CFAA’s statutory definition of “loss” or “damage.” Plaintiff does not allege that there was any impairment to its computer system or data as a result of Defendants’ conduct. After the alleged theft of the data, Plaintiff still had access to the data just as it had before Defendants’ actions. The alleged CFAA violation is not that Defendants deleted or altered any data but that Defendants used the data inappropriately. Plaintiff also does not allege any damages related to responding to the offense or conducting a damage assessment, nor does Plaintiff allege that it lost revenue or incurred costs because of an interruption of service. Rather, Plaintiff alleges that it lost revenue because Defendants copied Plaintiff’s proprietary information and intellectual property and then used that information to steal customers away from Plaintiff. While a remedy may exist for such conduct, Congress did not provide one in CFAA. See Nexans Wires S.A. v. Sark-USA, Inc., 319 F.Supp.2d 468, 477 (S.D.N.Y.2004) (finding that lost revenue due to unfair competition and lost business opportunity does not constitute a loss under CFAA). Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187 (M.D. Ga. January 7, 2009).
CFAA Criminal Cases
- United States v. Stegora, 849 F.2d 291, 292 (8th Cir. 1988)
Defendant was convicted in the United States District Court for the District of Minnesota, James M. Rosenbaum, J., of interstate transportation of stolen property and mail fraud, and he appealed. The Court of Appeals, Fagg, Circuit Judge, held that: (1) finding that stolen samples of synthetic casting material for use by orthopedic surgeons to repair broken bones were worth more than $5,000 was supported by evidence, and (2) refusal to instruct jury regarding definition of term “patent pending” was not abuse of discretion.
- U.S. v. Middleton, 231 F.3d 1207 (9th Cir. 2000)(CFAA protects corporate entities)
Defendant was convicted of intentionally causing damage to protected computer by the United States District Court for the Northern District of California, William H. Orrick, Jr., J., and he appealed. The Court of Appeals, Graber, Circuit Judge, held that: (1) statute that prohibits any person from knowingly causing damage, without authorization, to protected computer criminalizes computer crime that damages natural persons and corporations alike; (2) refusal to give defendant’s requested instruction on “damage” was not abuse of district court’s discretion; and (3) in calculating damage resulting from ex-employee’s unauthorized access to employer’s computers and deletion of internal databases, district court could compute “damage” based on salaries paid to, and hours worked by, in-house employees who corrected problem.
- U.S. v. Czubinski, 106 F.3d 1069 (1st Cir. 1997) (unauthorized browsing of computer files did not violate CFAA)
Defendant was convicted of wire fraud and computer fraud by the United States District Court for the District of Massachusetts, Nathaniel M. Gorton, J., and Robert B. Collings, United States Magistrate Judge. Defendant appealed. The Court of Appeals, Torruella, Chief Judge, held that: (1) interstate transmission element of wire fraud could be inferred from circumstantial evidence that defendant’s searches of master taxpayer files caused information to be sent to his computer terminal in different state; (2) defendant’s unauthorized browsing of confidential taxpayer information did not defraud Internal Revenue Service (IRS) of its property within meaning of wire fraud statute; (3) defendant’s unauthorized browsing of confidential taxpayer information did not deprive taxpayers of their intangible, nonproperty right to honest government services; and (4) defendant could not be convicted of computer fraud in connection with his browsing of confidential taxpayer files.
- U.S. v. Morris, 928 F.2d 504 (2d Cir. 1991) (Internet worm violated CFAA)
Defendant was convicted in the United States District Court for the Northern District of New York, Howard G. Munson, J., of violating Computer Fraud and Abuse Act. Defendant appealed. The Court of Appeals, Jon O. Newman, Circuit Judge, held that: (1) statute punishing anyone who intentionally accesses without authorization federal interest computers and damages or prevents authorized use of information in those computers causing loss of $1,000 or more does not require Government to demonstrate that defendant intentionally prevented authorized use and thereby caused loss, and (2) there was sufficient evidence to conclude that defendant acted without authorization within meaning of statute.
- U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012)
In United States v. Nosal, an ex-employee of an executive recruiting firm was prosecuted on the theory that he induced current company employees to use their legitimate credentials to access the company’s proprietary database and provide him with information in violation of corporate computer-use policy. The government claimed that the violation of this private policy was a violation of the Computer Fraud and Abuse Act (CFAA). Following a decision issued in 2009 by the Ninth Circuit, the district court ruled that violations of corporate policy are not equivalent to violations of federal computer crime law.
Trespassing a Government Computer:
- Sawyer v. Department of Air Force, 31 M.S.P.R. 193, 196 (M.S.P.B. 1986)
- U.S. v. Middleton, 231 F.3d 1207 (9th Cir. 2000)(CFAA protects corporate entities)
Employee was removed on charges of misconduct. The presiding official upheld removal, and employee petitioned for review. The Merit Systems Protection Board held that: (1) agency was not required to prove employee’s specific intent to defraud in regard to his alteration of contracts; (2) agency had reasonable cause to believe that criminal violation had occurred, so as to invoke crime provision; and (3) penalty of removal was reasonable for employee’s alteration of official contract, receiving of unauthorized agency records, and submission of fraudulent invoices.
Accessing to Defraud and Obtain Value:
- Fasulo v. United States, 272 U.S. 620, 629 (1926)
Certiorari to United States Circuit Court of Appeals for the Ninth Circuit. Cologero Fasulo was convicted of conspiracy to violate Criminal Code, § 215, and to review a judgment (7 F.(2d) 961), affirming conviction, he brings certiorari. Judgment reversed.
- United States v. Sadolsky, 234 F.3d 938 (6th Cir. 2000)
Defendant pleaded guilty to computer fraud and was sentenced by the United States District Court for the Western District of Kentucky, John G. Heyburn II, J., and the United States appealed sentence. The Court of Appeals, Suhrheinrich, Circuit Judge, held that: (1) the district court’s two-level downward departure, based on defendant’s alleged gambling disorder, was not an abuse of discretion, and (2) finding that defendant had a gambling problem that qualified as a significantly reduced mental capacity (SRMC) was not clearly erroneous.
- United States v. Bae, 250 F.3d 774 (D.C. Cir. 2001)
Defendant was convicted before the United States District Court for the District of Columbia, Thomas Penfield Jackson, J., of computer fraud, and he appealed. The Court of Appeals, Ginsburg, J., held that in calculating sentence for computer fraud which involved the fraudulent procurement of lottery tickets by operator of terminal which printed and dispensed the tickets for sale, district court correctly valued the “loss” due to the fraud based on the fair market value of the tickets prior to the drawing, rather than on the value of the winning tickets, replacement cost, or lost profits.
Damaging a Computer or Information:
- United States v. Sullivan, 40 Fed. Appx. 740 (4th Cir. 2002) (unpublished)
Defendant was convicted in the United States District Court for the Western District of North Carolina, Richard L. Voorhees, J., of intentionally causing damage to protected computer. Defendant appealed. The Court of Appeals held that: (1) items seized from defendant’s home and home computer were admissible under other acts rule, and (2) conviction was supported by evidence.
Trafficking in Passwords:
- United States v. Rushdan, 870 F.2d 1509, 1514 (9th Cir. 1989)
Defendant was found guilty of conspiracy to traffic in and possess counterfeit credit cards and possession of 15 or more counterfeit credit cards, and he moved for judgment of acquittal. The United States District Court for the Central District of California, J. Spencer Letts, J., granted motion as to possession count and denied motion as to conspiracy count. On appeal, the Court of Appeals, Leavy, Circuit Judge, held that: (1) conspiracy conviction did not require that conspiracy itself actually affect interstate commerce and was supported by evidence of defendant’s possession of numbers of out-of-state accounts he and his codefendants intended to use; (2) defendant was not prejudiced by failure of conspiracy instruction to include reference to interstate commerce in describing object of conspiracy; and (3) illicit possession of out-of-state credit card numbers was “offense affecting interstate or foreign commerce” for purposes of possession count.
- United States v. Scartz, 838 F.2d 876, 879 (6th Cir. 1988)
Defendant was convicted of conspiracy to use and using credit access devices in violation of federal statute by the United States District Court for the Southern District of Ohio, John D. Holschuh, J., and he appealed. The Court of Appeals, Nathaniel R. Jones, Circuit Judge, held that fraudulent use of credit card conviction was sufficiently supported by evidence that defendant had directed confederate to charge over $1,000 in merchandise at merchant’s store.
CFAA Civil Cases
- WEC Carolina Energy Solutions LLC v. Miller, No. 11-1201, (4th Cir. 2012)
Miller quit his job, but before leaving, and before his access to the company’s intranet was terminated, he violated the company’s use policy by downloading proprietary information to a personal computer. He then used this information in a sales pitch representing a competitor to WEC, a competitor that Miller began to work for shortly after leaving WEC. Miller and the competitor won the sales contract. The Fourth Circuit found that improper use of information that an employee was authorized to access could not fit the definition in § 1030(e)(6).
- LVRC Holdings v. Brekka, No. 07-17116, (9th Cir. Sept. 15, 2009).
LVRC Holdings, LLC (LVRC) filed this lawsuit in federal district court against its former employee, Christopher Brekka, his wife, Carolyn Quain, and the couple’s two consulting businesses, Employee Business Solutions, Inc., a Nevada corporation (EBSN), and Employee Business Solutions, Inc., a Florida corporation (EBSF). LVRC alleged that Brekka violated the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, by accessing LVRC’s computer “without authorization,” both while Brekka was employed at LVRC and after he left the company. See 18 U.S.C. § 1030(a)(2), (4). The district court granted summary judgment in favor of the defendants. We affirm. Because Brekka was authorized to use LVRC’s computers while he was employed at LVRC, he did not access a computer “without authorization” in violation of § 1030(a)(2) or § 1030(a)(4) when he emailed documents to himself and to his wife prior to leaving LVRC. Nor did emailing the documents “exceed authorized access,” because Brekka was entitled to obtain the documents. Further, LVRC failed to establish the existence of a genuine issue of material fact as to whether Brekka accessed the LVRC website without authorization after he left the company.
- CollegeSource, Inc. v. AcademyOne, Inc., 2012 WL 5269213 (E.D. Pa. October 25, 2012)
- Eagle v. Morgan, 2012 WL 4739436 (E.D.Pa. 2012)
While Dr. Eagle was president of Edcomm, she established an account on LinkedIn. Immediately after Dr. Eagle was terminated from her position at Edcomm, Edcomm, using Dr. Eagle’s LinkedIn password, accessed her account and changed the password so that Dr. Eagle could no longer access the account, and then changed Dr. Eagle’s account profile to display the new president’s name and photograph. “Plaintiff is not claiming that she lost money because her computer was inoperable or because she expended funds to remedy damage to her computer. Rather, she claims that she was denied potential business opportunities as a result of Edcomm’s unauthorized access and control over her account. Loss of business opportunities, … is simply not compensable under the CFAA.”
- Cassetica Software, Inc. v. Computer Sciences Corp, 2009 WL 1703015 (N.D.Ill. 2009)
Plaintiff Cassetica Software, Inc. (“Cassetica”) filed suit against Defendant Computer Sciences Corporation (“CSC”), claiming copyright infringement, breach of contract, violation of the Computer Fraud and Abuse Act, conversion, trespass to chattels and unjust enrichment. Pursuant to Fed.R.Civ.P. 12(b)(6), CSC has moved to dismiss Cassetica’s First Amended Complaint . . . CSC’s Motion to Dismiss is granted.
- Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187 (M.D. Ga. January 7, 2009) (“loss” and “damages” do not include “lost revenue caused by the misappropriation of proprietary information and intellectual property from an employer’s computer.”)
In this action, Plaintiff alleges that Defendants, who are former employees of Plaintiff, stole Plaintiff’s trade secrets and other proprietary business information and that Defendants’ conduct gives rise to a civil claim under the federal Computer Fraud and Abuse Act. Presently pending before the Court is Defendants’ Motion to Dismiss (Doc. 13) . . . Plaintiff’s federal claim fails to state a claim upon which relief may be granted, and therefore Defendants’ motion is granted as to that claim. The Court declines to exercise supplemental jurisdiction over Plaintiff’s remaining state law claims, and those claims are dismissed without prejudice.
- Garelli Wong & Assoc. v. Nichols, 551 F.Supp.2d 704 (N.D.Ill. 2008) (no CFAA liability for only copying data)
Employer brought action against former employee for breach of contract and violation of Computer Fraud and Abuse Act (CFAA), alleging that employee was working in direct competition with employer in his new position. Employee moved to dismiss . . . The District Court, Charles P. Kocoras, J., held that: (1) employer failed to allege damage under CFAA, and (2) employer failed to allege loss under CFAA.
- GWR Medical, Inc. v. Baez, 2008 WL 698995 (E.D.Pa. March 13, 2008) (“CD-ROM does not, in and of itself, process information. The CD-ROM at issue is analogous to a compilation of documents and training materials, and cannot be considered a computer under the CFAA without processing capabilities.”)
This matter comes before the Court on Defendant Hector M. Baez’s Motion to Dismiss the Amended Complaint [Doc. No. 17], Plaintiff GWR Medical, Inc.’s Response thereto [Doc. No. 18], and Defendant’s Reply [Doc. No. 21]. After reviewing the pleadings, the applicable law, and after a hearing thereon, the Court will grant the Motion in part and deny it in part.
- Kalow & Springnut, LLP v. Commence Corporation, 2008 WL 2557506 (D.N.J. June 23, 2008) (must plead intent to cause harm, intent to transmit software code is not enough)
Plaintiff Kalow & Springnut, LLP (“Plaintiff” or “Kalow”) brings the instant class action suit against Defendant Commence Corporation (“Defendant” or “Commence”) to recover damages arising from the alleged failure of computer software that Plaintiff purchased from Defendant seven years ago. Plaintiff filed a Class Action Complaint on behalf of a class that consists of those who purchased Commence’s software. Specifically, the three-count Complaint alleges: 1) violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, for Defendant’s alleged intentional transmission of a software code causing damage to Plaintiff’s computer systems; 2) violations of the New Jersey Consumer Fraud Act (“NJCFA”), N.J.S.A. § 56:8-2, for Defendant’s alleged engagement in deceptive and misleading practices in the marketing of its software; and 3) violations of various consumer fraud acts in the states where Defendant conducts business (virtually all states), in anticipation of class certification. Presently before the Court is Defendant’s motion to dismiss Plaintiff’s Complaint. For the reasons set forth below, Plaintiff’s claims are dismissed without prejudice; however, Plaintiff shall have Twenty (20) days from the date of the Order accompanying this Opinion to amend its Complaint.
- Brett Senior & Assocs. v. Fitzgerald, No. 06-1412, 2007 WL 2043377 (E.D. Pa. July 13, 2007)
The plaintiff claimed that the defendant accountant violated the CFAA by accessing its computer system to transfer files to the defendant firm. Specifically, the plaintiff claimed that the defendant accountant violated section 1030(a)(4) of the CFAA when he copied the plaintiff’s client files, created a list of the clients he serviced while working with the plaintiff, transformed plaintiff’s files to certain formats for the purpose of transferring them to the defendant firm, and e-mailed information relating to four clients of the plaintiffs to the defendant firm. Court ruled that section 1030(a)(4) of the CFAA prohibits the unauthorized procurement or alteration of information, not its misappropriation or misuse. Because there was no allegation that the defendant accountant lacked authority to see, reformat or email any information in the plaintiff’s computer system, the District Court ruled that the CFAA claim failed.
- Southwest Airlines Co. v. Boardfirst, L.L.C., 2007 U.S. Dist. LEXIS 96230 (N.D. Tex Sept. 12, 2007) (unpublished). Plaintiff alleges Defendant violated the CFAA by accessing Plaintiff’s website as a 3rd party to obtain boarding passes for Defendant’s paying clients. The court states that Plaintiff must “establish that [Defendant] obtained ‘information’ from its protected computer as a result of the unauthorized use. Southwest points to no evidence on that score. Nor has it shown that BoardFirst’s use of its computer itself ‘involved an interstate or foreign communication’ as required by the statute. For these reasons, and construing the available evidence in a light favorable to [Defendant], the Court finds that [Plaintiff] has failed to establish its entitlement to summary judgment on its CFAA claim.” Id. at *46.
- International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. March 8, 2006).
Former employer brought action against former employee, alleging violation of the Computer Fraud and Abuse Act. The United States District Court for the Northern District of Illinois, Wayne R. Andersen, J., dismissed action. Former employer appealed . . . The Court of Appeals, Posner, Circuit Judge, held that: (1) employee’s alleged installation of program on employer’s computer that caused deletion of files would violate the Computer Fraud and Abuse Act, and (2) Court of Appeals would not determine whether files destroyed were confidential, as would arguably be permitted by employment contract.
- International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (holding that an employee’s access to data became unauthorized when breach of his duty of loyalty terminated his agency relationship).
- Vi Chip Corp. v. Lee, 438 F.Supp.2d 1087, 1100 (N.D.Ca. 2006) (applying the holding of Citrin to an employee who deleted data after being informed that his employment was to be terminated)
Electrical engineering company involved in manufacture and sale of integrated circuits, as employer, brought action against former chief executive officer (CEO) claiming breach of contract in connection with employee agreement, breach of fiduciary duty, trade secret misappropriation, violation of Computer Fraud and Abuse Act (CFAA), and conversion on allegations that CEO stole confidential and proprietary information. Former CEO counterclaimed alleging misappropriation, unjust enrichment, and intentional interference with contractual relations and prospective economic advantage, and sought declaratory relief regarding ownership of intellectual property embodied in relevant patent applications. Employer brought motion for summary judgment . . . The District Court, Hamilton, J., held that: (1) consultant agreement only transferred ownership in all technology expressly “produced by or created for” contracting party after execution of agreement; (2) consulting agreement only bound those named parties to agreement; (3) CEO expressly assigned all chip technology to corporation upon which CEO worked as employee; (4) patent assignment form was adequately supported by consideration; (5) patent assignment form conveyed to assignee exclusive rights to same technology that was source for CEO’s subsequent utility patents; (6) company set up as joint venture could not be considered stranger to original joint venture agreement; (7) CEO violated confidentiality provision in employee agreement; and (8) CEO breached fiduciary duty owed to corporate employer.
- Int’l Ass’n of Machinists & Aero. Workers v. Werner-Matsuda, 390 F. Supp. 2d 479, 498 (D. Md. 2005)
Incumbent airline employees’ union filed suit under Stored Wire and Electronic Communications and Transactional Records Access Act (SECA) and Computer Fraud and Abuse Act (CFAA), as well as common law and Maryland statute, alleging that secretary treasurer of local had accessed confidential membership information on secure proprietary website on behalf of herself and rival union. Advisory group allegedly staffing rival union’s efforts with respect to flight attendants at one airline was also named in suit. Defendants moved to dismiss for lack of subject matter jurisdiction, lack of personal jurisdiction, and failure to state a claim, and plaintiff moved to seal certain exhibits, to amend complaint, to file surreply, and for leave to file response to motion to reduce sanctions imposed by Charles B. Day, United States Magistrate Judge . . . The District Court, Chasanow, J., held that: (1) exhibits containing confidential membership information that rested at heart of case and that allegedly constituted trade secret under Maryland statute would be sealed; (2) magistrate judge’s overall award in sanctions against defendant union for failure to provide adequate deposition witness on two occasions was too large and would be reduced; (3) action was not representation dispute over which National Mediation Board (NMB) had exclusive jurisdiction; (4) complaint failed to state a claim under SECA and CFAA, as defendant local union official was authorized to access website and entitled to see all information stored therein; and (5) having dismissed all federal claims, court would decline to exercise supplemental jurisdiction over remaining state law claims.
- Lockheed Martin Corp. v. Speed, 2006 WL 2683058 at *5-7 (M.D. Fla. 2006) (criticizing Citrin)
This matter comes before the Court upon the Motion to Dismiss by Defendants Kevin Speed (“Speed”) and Steve Fleming (“Fleming”) (Doc. 53), to which Plaintiff Lockheed Martin Corporation (“Lockheed” or “the company”) responded in opposition (Doc. 71), and the Motion to Dismiss by Patrick St. Romain (“St.Romain”) (Doc. 68), to which Lockheed responded in opposition (Doc. 75). Lockheed alleges that three of its former employees accessed Lockheed computers, copied proprietary information, and delivered trade secrets to Defendant L-3 Communications Corporation (“L-3”) in violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. For the reasons herein stated, the Court grants the Motions to Dismiss.
- HUB Group, Inc. v. Clancy, 2006 WL 208684 (E.D. Pa. 2006) (downloading employer’s customer database to a thumb drive for use at a future employer created sufficient damage to state claim under the CFAA)
Plaintiff, HUB Group, Inc. (“HUB”) seeks a preliminary injunction temporarily barring defendant, Jeffrey Clancy, from contacting, soliciting, or servicing any of the 29 customers he serviced during his final year of employment with HUB. HUB contends that Clancy stole secret information regarding those current and former HUB clients, and that he should not be allowed the opportunity to use that information to unfairly compete against HUB. HUB’s complaint alleges violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, et. seq., Misappropriation of Trade Secrets, Breach of Contract, Breach of Fiduciary Duty, Conversion, Tortious Interference with an Economic Advantage, and Unfair Competition. This court entered a temporary restraining order on May 4, 2005 directing the defendant to cease using or disclosing any confidential or proprietary information that Mr. Clancy obtained from HUB. On August 23, 2005, a hearing was held so the court could consider evidence as to whether its temporary restraining order should remain in place. Based upon my findings of fact after careful consideration of the evidence from the hearing . . . I will dissolve the temporary injunction entered on May 4, 2005.
- ResDev v. Lot Builders, 2005 WL 1924743 (M.D. Fla. August 10, 2005) ( “integrity” needs “some diminution in the completeness or useability of data or information on a computer system”)
This case is before the Court on Defendants Lot Builders Association Inc.’s, Michael Boswell’s, and Brad Luken’s (collectively, “Lot Builders”) Motion for Summary Judgment (Doc. 52), Plaintiff ResDev LLC’s Cross Motion for Summary Judgment (Doc. 53), and Resdev’s and Lot Builder’s respective Oppositions (Docs. 73 and 71).
- I.M.S. Inquiry Management Systems, Ltd. v. Berkshire, 307 F.Supp.2d 521 (SDNY 2004). Section 1030(a)(2)(c) forbids obtaining information from a protected computer involved in interstate or foreign communication through intentional and unauthorized access. Court allowed a civil cause of action under this section, in conjunction with a § 1030(g) claim. See also Theofel v. Farey-Jones, 341 F.3d 978, 986 (9th Cir.2003) (same).
Provider of advertising tracking services, which utilized Internet website, sued competitor alleging copyright violations. Competitor moved to dismiss . . . The District Court, Buchwald, J., held that: (1) provider alleged damages and loss, under Computer Fraud and Abuse Act; (2) provider could proceed under Act despite claim there was no provision for private action; (3) copyright registration certificate did not cover allegedly infringed item, precluding infringement action; (4) version covered by certificate was not derivative of earlier version, allowing suit covering earlier version; (5) there was no violation of Digital Millennium Copyright Act (DMCA). Motion granted in part, denied in part.
- Southwest Airlines Co. v. Farechase, Inc., 318 F. Supp.2d 435 (ND Tex. 2004). CFAA does not require damage as defined in 18 U.S.C. § 1030(e)(8) over $5,000, only “loss” as defined in (e)(11).
Software company, which created a product which allowed corporate travelers to search online for airline fares, filed motion to dismiss airline’s claims for computer fraud and abuse, misappropriation, breach of a use agreement, tortious interference, trespass, unjust enrichment, and harmful access by computer . . . The District Court, Sanders, Senior District Judge, held that: (1) airline stated claim under Computer Fraud and Abuse Act (CFAA); (2) fare, route, and scheduling information which were allegedly misappropriated were not copyrightable and therefore airline’s misappropriation claim under Texas law was not preempted by federal copyright law; (3) airline stated a claim for interference with business relations; (4) airline stated claim for harmful access by computer.
- Nexans Wires S.A. v. Sark-USA, Inc., 319 F.Supp.2d 468, 477 (S.D.N.Y.2004) (lost revenue due to unfair competition and lost business opportunity does not constitute a loss under CFAA)
Wire and cable manufacturer sued competitor for, inter alia, violations of Computer Fraud and Abuse Act (CFAA). Competitor moved for summary judgment . . . The District Court, Cedarbaum, J., held that manufacturer lacked standing to assert civil claim based on competitor’s alleged violation of CFAA.
- Role Models America, Inc. v. Jones, 305 F.Supp.2d 564 (D. Md. 2004)
Private school sued its former principal and Internet-based university in which he had enrolled, alleging violation of Computer Fraud and Abuse Act (CFAA) and misappropriation of trade secrets. University moved to dismiss . . . The District Court, Blake, J., held that: (1) university did not violate CFAA, but (2) fact issue existed as to whether university misappropriated school’s trade secrets.
- EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003), (rejecting a CFAA claim based on a “reasonable expectations” test but stating in dicta that “a lack of authorization could be established by an explicit statement on the website restricting access”)
Travel company brought action against maker of “scraper tool” software program provided to competitor that collected pricing information from the travel company’s public website, alleging violations of the Computer Fraud and Abuse Act (CFAA) and the Copyright Act, and seeking preliminary injunction under both acts. The United States District Court for the District of Massachusetts, Morris E. Lasker, J., granted preliminary injunction under the CFAA but denied preliminary injunction under the Copyright Act. Software maker appealed. The Court of Appeals, Boudin, Chief Circuit Judge, held that: (1) reasonable expectations test was not the proper gloss for determining lack of authorization for purpose of CFAA provision setting forth offense of fraudulently accessing a protected computer without authorization; (2) software maker was bound by terms of preliminary injunction even though it was not named in the injunction; and (3) injunction did not violate software maker’s First Amendment rights.
- Ingenix, Inc. v. Lagalante, 2002 U.S. Dist. LEXIS 5795 (E.D. La. 2002). The court held that plaintiff had properly alleged damages in excess of the statutory minimum due to the cost of hiring forensic experts to recover the deleted files and carry out an investigation on the laptops and email servers.
Appeal was taken from a preliminary injunction of the United States District Court for the District of Mississippi, Walter L. Nixon, Jr., Chief Judge, staying demand for arbitration of contract dispute between general contractor and city. The Court of Appeals, Jerre S. Williams, Circuit Judge, held that: (1) an order granting a stay of arbitration pending outcome of litigation is an appealable interlocutory order; (2) general contractor’s claim was arbitrable; and (3) district court abused its discretion in staying arbitration.
- EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001)
Tour company sued competitor and individual executives of competitor, alleging that competitor’s use of “scraper” software program to systematically glean company’s prices from its website violated Computer Fraud and Abuse Act (CFAA), Copyright Act, and Racketeer Influenced and Corrupt Organizations Act (RICO). Company moved for preliminary injunction on CFAA claim. The United States District Court for the District of Massachusetts, Lasker, Senior District Judge, granted injunction, and competitor appealed. The Court of Appeals, Coffin, Senior Circuit Judge, held that: (1) use of “scraper” program “exceeded authorized access” within meaning of CFAA, assuming program’s speed and efficiency depended on executive’s breach of his confidentiality agreement with company, his former employer, and (2) company’s payment of consultant fees to assess effect on its website was compensable “loss” under CFAA.
- Thurmond v. Compaq Computer Corp., 171 F.Supp.2d 667 (E.D. Tex. 2001). Holding that losses suffered by unnamed members of proposed class made up of buyers of allegedly defective computers could not be used to meet the CFAA damage threshold. Noted in dicta that if the defective program corrupted $5,000 worth of data, then Plaintiffs would have met the statutory minimum.
Buyers of personal computers sued manufacturer under Computer Fraud and Abuse Act (CFAA), alleging sale of machines containing defective floppy diskette controllers, and asserting state-law claims including breach of contract. Manufacturer moved for summary judgment. The District Court, Heartfield, J., held that: (1) showing of “damage” is required for CFAA civil claim; (2) fact question existed as to whether buyers suffered “impairment to the integrity” of their data within meaning of CFAA; (3) damages allegedly suffered by unnamed proposed class members could not be used to satisfy Act’s threshold damages requirement; and (4) damages resulting from transmissions to multiple computers could not be aggregated to meet threshold.
- Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121 (W.D. Wash. 2000) (finding that insiders with authorization to use a system can lose that authorization when they act as agents of an outside organization)
Employer of former employees, alleged to have appropriated trade secrets stored on employer’s computers, sued competitor which allegedly received secrets, under Computer Fraud and Abuse Act (CFAA). Competitor moved to dismiss. The District Court, Zilly, J., held that: (1) for purposes of stating claim under CFAA, former employees lost access to computers when they allegedly became agents of competitor; (2) CFAA was not limited to situations in which national economy was affected; (3) fraud provision of CFAA did not require showing of common law elements; (4) provision penalizing infliction of damage on protected computers was not limited to conduct of outsiders; and (5) damage claim was stated, even though appropriation did not affect integrity of secrets within employers’ computers.
Internet domain name registrar sued competitor providing website host services, alleging breach of contract, trespass to chattels, breach of Computer Fraud and Abuse Act and violation of Lanham Act. Registrar moved for preliminary injunction. The District Court, Jones, J., held that: (1) registrar satisfied requirements for issuance of preliminary injunction barring competitor from offering website hosting services to registrar’s new registrants, by means of direct mail or telephone solicitation; (2) requirements were satisfied for injunction based on commission of trespass to chattels; (3) requirements were satisfied for injunction barring violation of Computer Fraud and Abuse Act; and (4) requirements were satisfied in connection with violations of Lanham Act.
- America Online, Inc. v. National Health Care Discount, Inc., 121 F.Supp.2d 1255 (N.D. Iowa 2000) (noting that no other published decision contains the same interpretation as America Online, Inc. v. LCGM, Inc. on the issue of unauthorized access)
Internet service provider (ISP) brought action against Iowa corporation engaged in selling discount optical and dental service plans, alleging that corporation hired e-mailers to send unauthorized and unsolicited bulk e-mail advertisements to ISP’s customers, in violation of state and federal law. On ISP’s motion for summary judgment, the District Court, Zoss, United States Magistrate Judge, held that: (1) non-statutory claims were governed by Virginia law, rather than Iowa law; (2) genuine issues of material fact precluded summary judgment on ISP’s claims under the Computer Fraud and Abuse Act (CFAA); (3) genuine issues of material fact precluded summary judgment for ISP on its claim of unjust enrichment under Virginia law; (4) genuine issues of material fact precluded summary judgment on grounds that corporation was liable for trespass to chattels and violation of Virginia Computer Crimes Act (VCCA) based upon acts of e-mailers.
- YourNetDating v. Mitchell, 88 F.Supp.2d 870, 871 (N.D. Ill. 2000) (granting temporary restraining order where defendant installed code on plaintiff’s web server that diverted certain users of plaintiff’s website to pornography website)
Internet dating service sought temporary restraining order (TRO) prohibiting a former programmer from “hacking” the dating service’s website and diverting its clients and users to a porn site. The District Court, Bucklo, J., held that dating service was entitled to TRO.
- America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 450-51 (E.D. Va. 1998) (holding that AOL members acted without authorization when they used AOL network to send unsolicited bulk emails in violation of AOL’s member agreement)
Internet service provider brought action against operators of web sites, and principals of those operators, alleging that defendants sent unauthorized and unsolicited bulk e-mail advertisements to provider’s customers, in violation of state and federal law. On provider’s motion for summary judgment, the District Court, Lee, J., held that: (1) operators’ use of provider’s Internet domain name violated Lanham Act’s prohibition on false designations of origin; (2) operators’ use of domain name constituted dilution; (3) operators violated Computer Fraud and Abuse Act; (4) operators violated Virginia Computer Crimes Act; (5) operators’ conduct amounted to trespass to chattels under Virginia law; and (6) fact issues precluded sum
Dana J. Boente, U.S. Attorney for the Eastern District of Virginia; Valerie Parlave, Assistant Director in Charge of the FBI’s Washington Field Office; John R. Hartman, Deputy Inspector General for Investigations at the U.S. Department of Energy (DOE); and Stephen Niemczak, Special Agent in Charge, Computer Crimes Unit at the Office of Inspector General, U.S. Department of Health and Human Services (HHS), FBI’s Washington Field Office, in conjunction with the Inspectors General for the United States Department of Energy, United States Department of Health and Human Services, and the United States Postal Service. Assistant U.S. Attorneys Ryan K. Dickey and Jay V. Prabhu are prosecuting the case.
Lauri Alexander Love
The United States is seeking to extradite Lauri Alexander Love due to indictments in three different American states, New Jersey, Virginia and New York, for hacking and computer fraud, among other charges.
Court papers go on to refer to Lauri Love as a “sophisticated hacker”. This is the United States Department of Justice trying to paint a picture of Lauri Love that is not reality. Repeatedly throughout the court papers we researched, the United States government sought to do nothing else but destroy Lauri Love’s character and demonize him.
The DOJ also criticized Lauri Love and his family for amping up online support against his extradition. The DOJ is also refusing to allow Lauri Love any discovery involving his case. This is a grotesque violation of his civil rights, and extraditing him to the United States to face charges will only exacerbate the constitutional infractions and trample all over his rights as a human, never mind what country he’s from or what citizenship he holds; that’s irrelevant.
Prisons in the United States, whether state or federal, hassle attorneys upon visitation, and they do have law libraries, but these are often backed up due to a high volume of requests or a lack of staff, which is why, if extradited to the United States, Lauri Love will not be afforded a fair and equal trial; in fact he faces the very opposite. He is not even in the United States yet and already they are violating his civil rights. What do you think will happen when he is in U.S. custody?
One of the bars that has to be considered by a judge ruling on an extradition is whether or not the country seeking the extradition is otherwise motivated, as in: is this a proverbial witch hunt, or is the United States extraditing Lauri Love for the proper reasons? Let me state clearly: I don’t think a judge in any country presiding over any rule of law cannot conclude that this extradition is improperly motivated; the only explanation is corruption.
Lauri Love did not intend to inflict on the American public or our government any actual harm; surely if he did have ill intentions he would have acted on them. If he is this cyber terrorist the United States Justice Department is trying to paint him as, then where are the terroristic cyber hacks? The man was inside the United States Missile Defense System and did nothing, but we are supposed to believe he is some governmentally proclaimed enemy of the state?
U.S. Attorney Fishman. “As part of their alleged scheme, they stole military data and personal identifying information belonging to servicemen and women. Such conduct endangers the security of our country and is an affront to those who serve.”
U.S. Attorney Fishman, did Lauri Love release the names of any servicemen or women? Were any United States servicemen or women harmed or put in actual danger by Mr. Love’s actions? The only real crime is if Lauri Love were to actually release the data the United States Justice Department alleges he stole. To say Lauri Love put the lives of servicemen and women in any danger whatsoever is not only hearsay, but it’s complete and utter propaganda spewed by Mr. Fishman to further demonize Lauri Love into this criminal figure or sophisticated computer hacker, as (he) likes to say.
“The borderless nature of Internet-based crime underscores the need for robust law enforcement alliances across the globe. We appreciate the bilateral support of the National Crime Agency in bringing cyber criminals,” said Daniel Andrews, director of the U.S. Army Criminal Investigation Command’s Computer Crime Investigative Unit. “This investigation shows the necessity and value of strong partnerships among law enforcement agencies worldwide in the fight against cyber criminals,” said FBI Special Agent in Charge Aaron T. Ford. “Cybercrime knows no boundaries, and without international collaboration, our efforts to dismantle these operations would be impossible.”
No, gentlemen, what all this sounds like is empirical New World Order, an all-seeing cohesive international eye monitoring our online activities and then throwing the legendary wolf in a sheep mask wearing a black robe disguised as the United States Department of Justice at you, and you’re left with no option but to subdue to their demands, plea bargain down and pray you’re not sentenced to a century.
This is not law and order, this is not liberty nor peace or freedom of speech; this is unconstitutional and couldn’t be further from justice. These are un-American acts grotesquely perpetrated by pure totalitarianism and the heavy hand of the American Judicial System and their pursuit to tyranny. We as United States citizens cannot continue to allow our country’s Federal governmental agencies to continue their empirically motivated modern day crusade against our geniuses just because they point out flaws in our national security or because they make our government look fuckin stupid, you mad bro?
I find it extremely unsettling that the United States government wants to talk an awful lot about the data Lauri Love allegedly stole except for when it comes to the data involving research institutions.
We must stand up against this extradition and stop letting our Nation’s leaders give all Americans a bad name. Are we empirical beings? Do we not believe in real justice? Are we totalitarians hell bent on tyranny? No, we are not. Then why should we allow our government to be tyrants in our name and on our dollar?
Edited by @Noregreb2
Nos autem populus, exundantium liberum oratio, quam non merentur, Altruism
We the people, Exuding free speech, Deserve nothing less than, Altruism
Please join our Coalition and stand up and speak out against the extradition of Lauri Alexander Love. See http://www.freelauri.com for more details on his case and how you can help ensure we will have a #FreeLauri.
There are multiple petitions in action to try and halt Lauri Love’s extradition; this is a link to the most popular one: https://www.change.org/p/no-extradition-for-autistic-hacktivist-lauri-love
I was really humbled when I was asked to write the follow-up to Lauri Love pt.1. It’s been a joy getting to know him and the people running his campaign. I say this with all sincerity. I’m a tad biased at this point, especially after reading the reams of legal documents in front of me. I want you, the reader, to make up your own mind. The only way for me to do that is to try to put together a timeline of events according to the indictments and the request for extradition. I will try to be as concise as I can. I will warn you, it’s heavy reading. I just want to try and weed through the nonsense and stick with the facts I could find: basically everything in the three indictments (Southern District of New York, District of New Jersey, Eastern District of Virginia) and the extradition request. I want you to form your own opinion. Please bear with me; I’m trying to do this in pieces so you are not as overwhelmed as I am.
All the allegations against Lauri Love took place between October 2012 and October 2013. I want to give a clearer timeline than I have yet seen in Lauri’s case. I will start with the allegations laid out in the three indictments. The Southern District of New York alleges Lauri used five different aliases in IRC: ‘nsh’, ‘peace’, ‘shift’, ‘route’, and ‘Smedley Butler’. The US District Court of New Jersey only lists three of the aliases: ‘nsh’, ‘route’, ‘peace’. The US Eastern District Court of Virginia lists four aliases: ‘nsh’, ‘route’, ‘peace’, ‘shift’. I’m fraught to even bring this up, but since much of the indictments refer back to chat room antics, I feel like I need to.
As a reminder before this gets deep, the alleged charges. In the Southern District of New York we have 2 counts, computer hacking and aggravated identity theft from The Federal Reserve. Before you freak out on me, this is how New York does things: under seal, basically the applicable laws are a footnote; yes, it’s the usual cast of characters. The US District Court of New Jersey, again different: it says 2 counts as well, except listed under Count 1 are actually: The Engineer R&D Center Army Corps. of Engineers in Vicksburg, Mississippi; The PAIO at Aberdeen Proving Ground, Maryland; The Strategic Studies Institute, Carlisle, Pennsylvania; NETCOM Aberdeen Proving Ground, Maryland; Army Contracting Command Redstone, Alabama; The Missile Defense Agency; The FedCenter in conjunction with the EPA-OECA; & NASA. The US District Court of Eastern District of Virginia: 9 counts, Dept. of Health and Human Services, National Institute of Health, The FDA, The Regional Computer Forensic Lab of the FBI, The Department of Energy, Deltek, Inc., Forte, Inc, and victims D.P., J.E, B.H., J.K, residents of the Eastern District of Virginia.
If you feel like you’ve suddenly been transported into a John Grisham novel… Wake up!!! There’s more!!!
Since not all the allegations are dated, some of them actually refer back to IRC chat. If there wasn’t a date, I had to refer to the IRC dates. That is something I have struggled with and I refuse to get into. It’s IRC. We all know the bravado, the trolls, the idiot kids that can randomly stumble in; it’s IRC. For the true tech people out there, this all seems to stem from an Adobe program, ColdFusion. I am not a tech person and really don’t know what vulnerabilities the system was known to have had at the time this is alleged to have happened.
Now for the timeline, which all took place between October 2012 and October 2013. From what I can piece together from the indictments, here’s the list:
October 2 2012 through October 9 2012 :
Southern District Court NY: The Federal Reserve NY and IL
District Court of NJ: Engineer R&D Center
Netcom & Ft. Monmouth NJ
Army Contracting Command Alabama
Army Corps MD
Plans & Analysis Integration Office MD
Missile Defense Agency
*** Eastern District Court of Va is vague on dates and any exact dates are from IRC. There is also a chart listed under count 2-7 with Dates. I am going to use that chart for VA.
The Department of Health and Human Services including HRSA, NIH,& FDA
United States Sentencing Commission
The Regional Computer Forensics Lab
Department of Energy
Deltek, INC (government contractor)
Forte Interactive, INC (government contractor)
The 4 victims: D.P., J.E, B.H, and J.K
Now it starts to pick up again in December of 2012 through Feb 2013:
December 23 2012 – January 3, 2012:
District Court of NJ: Engineer R&D Center Morris County, NJ & Parsippany, NJ
December 24 2012:
Eastern District Court of VA:
US. Dept. of Health & Human Services
December 25 2012:
Eastern District Court of VA
United States Sentencing Commission
January 3, 2013:
District Court of NJ: The Fed Center EPA-OECA
January 11, 2013:
District Court Of NJ:
Strategic Studies Institute
Eastern District Court of VA:
FBI-Regional Computer Forensics Lab
Hopefully you can follow this and hopefully you are all still with me, because this isn’t over yet. This is just information from the indictments. Now comes a really big gap in dates. All of a sudden we are in July 2013.
July 3 2013:
Eastern District Court of VA:
Deltek, INC. (Government IT Contractor)
The 4 victims: D.P, J.E., B.H., and J.K
July 10, 2013:
District Court of NJ:
July 24, 2013:
US Department of Energy
Forte Interactive (Government Contractor)
I will say there’s so much more if you read through the indictments on your own. I’m just trying to bring some order to the chaos. Hopefully I did by just sticking to the dates and the alleged agencies involved. Our government alleges that these attacks dumped hundreds of thousands of documents, personnel files and credit card information. Inserting backdoors; the list is just never-ending. Most of the “data dump” is said to have taken place in 7 days, by one person on a couple of laptops. I used to be a gamer, I’ve built my own machines for gaming, and this just seems inhumanly possible for one person to have done. Ok, maybe the IBM Chess computer.
This person is Lauri Love, a 32-year-old man with severe health issues, with Asperger’s Syndrome and depression. This is not just a man with depression; according to Professor Michael Kopelman’s testimony in the extradition, “..Mr. Love was on the verge of psychosis and was clinically depressed.” This is when he was examined in 2012. Professor Kopelman went on to say Mr. Love continues to describe features of depression and the hallucinations to kill himself. Does this sound like someone capable of doing this? This is just a couple of words from one of the doctors who testified. Even our prison Doctors are against this extradition; we have no one who can care for someone with AS. Lauri will be put in solitary on suicide watch with another prisoner guarding him from killing himself. He couldn’t handle going away to university; his father had to go retrieve him for fear of him killing himself.
The assurances made by our Government as to his safety, and the steps that would be taken to ensure he was cared for, won the day. The cost of having the trial in the U.K. seemed to outweigh Lauri’s fragility. The rule of speedy trial was in there, but we all know the dockets are so full that never happens; with the current charges in 3 states, how can it?
Lauri will be the first person from the U.K. ever extradited under the 1990 law. 114 MPs signed a petition to President Obama calling for the end to this extradition. Yet it’s still been signed off on by Amber Rudd MP. Lauri faces no charges in the U.K.; in fact, all evidence collected by the authorities has been returned except one laptop they can’t break the encryption on.
I know the law is supposed to be fair and just. I cannot for the life of me find the justice in this.
We the people Exuding free speech Deserve nothing less than Altruism