The Computer Fraud and Abuse Act, also known as the CFAA, is the federal anti-hacking statute that prohibits unauthorized access to computers and networks.
In 1984, the world was just emerging from its digital Dark Age. CompuServe, the world’s first commercial email provider, was still trying to interest users in its fledgling service, and computer viruses and worms were still largely the stuff of engineering-school pranks. But even through the foggy haze of the internet’s early days, lawmakers saw clearly the importance that computers and computer crime would have on society. That’s when Congress enacted the Computer Fraud and Abuse Act, also known as the CFAA. The federal anti-hacking statute prohibits unauthorized access to computers and networks and was enacted to expand existing criminal laws to address a growing concern about computer crimes. But lawmakers wrote the law so poorly that creative prosecutors have been abusing it ever since.
The law, which went into effect in 1986, was passed just in time to be used to convict Robert Morris, Jr., the son of an NSA computer security worker, who unleashed the world’s first computer worm in 1988. Since then, it has been wielded thousands of times to convict high-profile hackers and low-level criminals alike. But as computer crimes have expanded and increased, so have prosecutors’ use and interpretation of the law, stretching it far beyond what it was originally intended to cover. And in 1994 the law moved beyond criminal matters with an amendment that allowed civil actions to be brought under the statute as well. This opened the way for corporations to bring lawsuits for unauthorized access against workers who steal company secrets.
Calls for reform
There have been many calls over the years to reform the CFAA, due to the overzealous nature of prosecutors who have used it—some would say abused it—to charge conduct that critics say does not constitute a true computer crime.
One case in particular was the prosecution of Lori Drew, a then-49-year-old mother who was charged in 2008 for using a fake MySpace profile to cyberbully a teenage girl. Drew was charged with conspiring with her daughter and her daughter’s friend to create the fake MySpace page of a boy in order to draw 13-year-old Megan Meier into an online friendship with the nonexistent boy, then humiliate her. Meier committed suicide, resulting in a public outcry to punish Drew for cyberbullying. But because there was no federal statute against cyberbullying at the time, federal prosecutors adopted a novel interpretation of the CFAA. They charged Drew with “unauthorized access” to MySpace’s computers for creating a fake MySpace account in violation of the web site’s terms of service. The web site’s user agreement required registrants to provide factual information about themselves when opening an account and to refrain from using information obtained from MySpace services to harass other people.
The prosecution turned what would normally have been a civil matter—breaching a contract—into a criminal matter. The case, if successful, would have potentially made a felon out of anyone who violated the terms of service of any website. Fortunately, although a jury convicted Drew (on lesser misdemeanor charges), the judge overturned the conviction on grounds that the government’s interpretation of the CFAA was “constitutionally vague” and overreached the bounds of the law.
Another case involving misuse of the statute also occurred in 2008 when three MIT students were barred from giving a presentation at the Def Con hacker conference. The students had found flaws in the electronic ticketing system used by the Massachusetts Bay Transportation Authority that would have allowed anyone to obtain free rides. The MBTA sought and obtained a temporary restraining order to bar the students from speaking about the flaws. In granting the temporary gag order, the judge invoked the CFAA, saying that information the students planned to present would provide others with the means to hack the system. The judge’s words implied that simply talking about hacking was the same as actual hacking. The ruling was publicly criticized, however, as an unconstitutional prior restraint of speech, and when the MBTA subsequently sought a court order to make the restraining order permanent, another judge rejected the request, ruling in part that the CFAA does not apply to speech and therefore had no relevance to the case.
A high-profile suicide
The most concerted effort to revise the CFAA came after a U.S. attorney used it to launch a heavy-handed prosecution against internet activist Aaron Swartz for what many considered a minor infraction. Swartz, who helped develop the RSS standard and was a cofounder of the advocacy group Demand Progress, was indicted after he gained entry to a closet at MIT and allegedly connected a laptop to the university’s network to download millions of academic papers that were distributed by the JSTOR subscription service. Swartz was accused of repeatedly spoofing the MAC address of his computer to bypass a block MIT had placed on the address he used. Although JSTOR did not pursue a complaint, the Justice Department pushed forward with prosecuting Swartz. U.S. Attorney Carmen Ortiz insisted that “stealing is stealing” and that authorities were just upholding the law.
Swartz, in despair over his pending trial and the prospect of a felony conviction, committed suicide in 2013. In response to the tragedy, two lawmakers proposed a long-overdue amendment to the law that would help prevent prosecutors from overreaching in their use of it. The amendment, referred to as Aaron’s Law, was introduced months after Swartz’s death by Rep. Zoe Lofgren (D-Calif.) and Sen. Ron Wyden (D-Oregon). The amendment would exclude breaches of terms of service and user agreements from the law and also narrow the definition of unauthorized access to make a clear distinction between criminal hacking activity and simple acts that exceed authorized access on a minor level. Instead, the amendment proposes to define unauthorized access as “circumventing one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering” information on a protected computer. The amendment also would make it clear that the act of circumvention would not include a user simply changing his MAC or IP address to gain access to a system.
“Taken together, the changes in this draft should prevent the kind of abusive prosecution directed at Aaron Swartz and would help protect other Internet users from outsized liability for everyday activity,” Lofgren wrote on Reddit when she announced the changes. The amendment, however, has withered in Congress and has so far failed to gather the support it needs to get passed.
“This reform only captured the attention of a small group of people. It’s not an issue that resonates with the public—at least yet,” Orin Kerr, professor of law at George Washington University Law School, told Forbes recently.
Some have attributed the amendment’s failure to lobbying on the part of corporations who use it to bring civil suits for theft of corporate secrets and don’t want to see it changed. Others say the problem is its association with Swartz, a figure some members of Congress don’t find sympathetic. Regardless, many say that reform of the CFAA is inevitable; it’s just a question of which case will finally force it to occur.
By Kim Zetter
Dana J. Boente, U.S. Attorney for the Eastern District of Virginia; Valerie Parlave, Assistant Director in Charge of the FBI’s Washington Field Office; John R. Hartman, Deputy Inspector General for Investigations at the U.S. Department of Energy (DOE); and Stephen Niemczak, Special Agent in Charge, Computer Crimes Unit at the Office of Inspector General, U.S. Department of Health and Human Services (HHS), FBI’s Washington Field Office, in conjunction with the Inspectors General for the United States Department of Energy, United States Department of Health and Human Services, and the United States Postal Service. Assistant U.S. Attorneys Ryan K. Dickey and Jay V. Prabhu are prosecuting the case.
Lauri Alexander Love
The United States is seeking to extradite Lauri Alexander Love due to indictments in three different American states, New Jersey, Virginia and New York, for hacking and computer fraud, among other charges.
Court papers go on to refer to Lauri Love as a “sophisticated hacker”. This is the United States Department of Justice trying to paint a picture of Lauri Love that is not reality. Repeatedly throughout the court papers we researched, the United States government sought to do nothing else but destroy Lauri Love’s character and demonize him.
The DOJ also criticized Lauri Love and his family for amping up online support against his extradition. The DOJ also is refusing to allow Lauri Love any discoveries involving his case. This is a grotesque violation of his civil rights, and extraditing him to the United States to face charges will only exacerbate the constitutional infractions and trample all over his rights as a human, never mind what country he’s from or citizenship he ordains; that’s irrelevant.
Prisons in the United States, whether state or federal, hassle attorneys upon visitation, and they do have law libraries, but these are often backed up due to a high volume of requests or a lack of staff, which is why, if extradited to the United States, Lauri Love will not be awarded a fair and equal trial; in fact he faces the very opposite. He is not even in the United States yet and already they are violating his civil rights. What do you think will happen when he is in U.S. custody?
One of the bars that has to be considered by a judge ruling on an extradition is whether or not the country seeking the extradition is otherwise motivated, as in: is this a proverbial witch hunt, or is the United States extraditing Lauri Love for the proper reasons? Let me state clearly: I don’t think a judge in any country presiding over any rule of law cannot conclude that this extradition is improperly motivated; the only explanation is corruption.
Lauri Love did not intend to inflict on the American public or our government any actual harm; surely if he did have ill intentions he would have acted on them. If he is this cyber terrorist the United States Justice Department is trying to paint him as, then where are the terroristic cyber hacks? The man was inside the United States Missile Defense System and did nothing, but we are supposed to believe he is some governmentally proclaimed enemy of the state?
U.S. Attorney Fishman. “As part of their alleged scheme, they stole military data and personal identifying information belonging to servicemen and women. Such conduct endangers the security of our country and is an affront to those who serve.”
U.S. Attorney Fishman, did Lauri Love release the names of any servicemen or women? Were any United States servicemen or women harmed or put in actual danger by Mr. Love’s actions? The only real crime is if Lauri Love were to actually release the data the United States Justice Department alleges he stole. To say Lauri Love put the lives of servicemen and women in any danger whatsoever is not only hearsay, but it’s complete and utter propaganda spewed by Mr. Fishman to further demonize Lauri Love into this criminal figure or sophisticated computer hacker as (he) likes to say.
“The borderless nature of Internet-based crime underscores the need for robust law enforcement alliances across the globe. We appreciate the bilateral support of the National Crime Agency in bringing cyber criminals,” said Daniel Andrews, director of the U.S. Army Criminal Investigation Command’s Computer Crime Investigative Unit. “This investigation shows the necessity and value of strong partnerships among law enforcement agencies worldwide in the fight against cyber criminals,” said FBI Special Agent in Charge Aaron T. Ford. “Cybercrime knows no boundaries, and without international collaboration, our efforts to dismantle these operations would be impossible.”
No, gentlemen, what all this sounds like is empirical New World Order, an all seeing cohesive international eye monitoring our online activities and then throwing the legendary wolf in a sheep mask wearing a black robe disguised as the United States Department of Justice at you, and you’re left with no option but to subdue to their demands, plea bargain down and pray you’re not sentenced to a century.
This is not law and order, this is not liberty nor peace or freedom of speech, this is unconstitutional and couldn’t be further from justice. These are un-American acts grotesquely perpetrated by pure totalitarianism and the heavy hand of the American Judicial System and their pursuit to tyranny. We as United States citizens cannot continue to allow our country’s federal governmental agencies to continue their empirically motivated modern day crusade against our geniuses just because they point out flaws in our national security or because they make our government look fuckin stupid, you mad bro?
I find it extremely unsettling that the United States government wants to talk an awful lot about the data Lauri Love allegedly stole except for when it comes to the data involving research institutions.
We must stand up against this extradition and stop letting our nation’s leaders give all Americans a bad name. Are we empirical beings? Do we not believe in real justice? Are we totalitarians hell bent on tyranny? No. We are not, then why should we allow our government to be tyrants in our name and on our dollar?
Edited by @Noregreb2
Nos autem populus, exundantium liberum oratio, quam non merentur, Altruism
We the people, Exuding free speech, Deserve nothing less than, Altruism
Please join our Coalition and stand up and speak out against the extradition of Lauri Alexander Love. See http://www.freelauri.com for more details on his case and how you can help ensure we will have a #FreeLauri.
There are multiple petitions in action to try and halt Lauri Love’s extradition. This is a link to the most popular one: https://www.change.org/p/no-extradition-for-autistic-hacktivist-lauri-love
I was really humbled when I was asked to write the follow up to Lauri Love pt.1. It’s been a joy getting to know him and the people running his campaign. I say this with all sincerity. I’m a tad biased at this point, especially after reading the reams of legal documents in front of me. I want you, the reader, to make up your own mind. The only way for me to do that is to try to put together a timeline of events according to the indictments and the request for extradition. I will try and be as concise as I can. I will warn you it’s heavy reading. I just want to try and weed through the nonsense and stick with the facts I could find. Basically everything in the three indictments (Southern District of New York, District of New Jersey, Eastern District of Virginia) and the extradition request. I want you to form your own opinion. Please bear with me, I’m trying to do this in pieces so you are not as overwhelmed as I am.
All the allegations against Lauri Love took place between October 2012 and October 2013. I want to give a clearer timeline than I have yet to see in Lauri’s case. I will start with allegations laid out in the three indictments. The Southern District of New York alleges Lauri used five different aliases in IRC: ‘nsh’, ‘peace’, ‘shift’, ‘route’, and ‘Smedley Butler’. The US District Court of New Jersey only lists three of the aliases: ‘nsh’, ‘route’, ‘peace’. The US Eastern District Court of Virginia lists four aliases: ‘nsh’, ‘route’, ‘peace’, ‘shift’. I’m fraught to even bring this up; since much of the indictments refer back to chat room antics, I feel like I need to.
As a reminder before this gets deep, the alleged charges. In the Southern District of New York we have 2 counts, computer hacking and aggravated identity theft from The Federal Reserve. Before you freak out on me, this is how New York does things, under seal, basically the applicable laws are a footnote, yes it’s the usual cast of characters. The US District Court of New Jersey, again different, it says 2 counts as well except listed under Count 1 are actually: The Engineer R&D Center Army Corps. of Engineers in Vicksburg, Mississippi, The PAIO at Aberdeen Proving Ground, Maryland, The Strategic Studies Institute, Carlisle, Pennsylvania, NETCOM Aberdeen Proving Ground, Maryland, Army Contracting Command Redstone, Alabama, The Missile Defense Agency, The FedCenter in conjunction with the EPA-OECA, & NASA. The US District Court of Eastern District of Virginia, 9 counts, Dept. of Health and Human Services, National Institute of Health, The FDA, The Regional Computer Forensic Lab of the FBI, The Department of Energy, Deltek, Inc., Forte, Inc, and victims D.P., J.E, B.H., J.K, residents of the Eastern District of Virginia.
If you feel like you’ve suddenly been transported into a John Grisham novel… Wake up!!! There’s more!!!
Since not all the allegations are dated, some of them actually refer back to IRC chat. If there wasn’t a date, I had to refer to the IRC dates. Something I have struggled with and I refuse to get into. It’s IRC. We all know the bravado, the trolls, the idiot kids that can randomly stumble in, it’s IRC. For the true tech people out there, this all seems to stem from an Adobe program, ColdFusion. I am not a tech person and really don’t know what vulnerabilities the system was known to have had at the time this is alleged to have happened.
Now for the timeline, which all took place between October 2012 through October 2013. From what I can piece together from the indictments, here’s the list:
October 2 2012 through October 9 2012 :
Southern District Court NY: The Federal Reserve NY and IL
District Court of NJ: Engineer R&D Center
Netcom & Ft. Monmouth NJ
Army Contracting Command Alabama
Army Corps MD
Plans & Analysis Integration Office MD
Missile Defense Agency
*** Eastern District Court of Va is vague on dates and any exact dates are from IRC. There is also a chart listed under count 2-7 with Dates. I am going to use that chart for VA.
The Department of Health and Human Services including HRSA, NIH, & FDA
United States Sentencing Commission
The Regional Computer Forensics Lab
Department of Energy
Deltek, Inc. (government contractor)
Forte Interactive, Inc. (government contractor)
The 4 victims : D.P., J.E, B.H, and J.K
Now it starts to pick up again in December of 2012 through Feb 2013:
December 23 2012 – January 3, 2012:
District Court of NJ: Engineer R&D Center Morris County, NJ & Parsippany, NJ
December 24 2012:
Eastern District Court of VA:
US. Dept. of Health & Human Services
December 25 2012:
Eastern District Court of VA
United States Sentencing Commission
January 3, 2013:
District Court of NJ: The Fed Center EPA-OECA
January 11, 2013:
District Court Of NJ:
Strategic Studies Institute
Eastern District Court of VA:
FBI-Regional Computer Forensics Lab
Hopefully you can follow this and hopefully you are all still with me because this isn’t over yet. This is just information from the indictments. Now comes a really big gap in dates. All of the sudden we are in July 2013.
July 3 2013:
Eastern District Court of VA:
Deltek, Inc. (Government IT Contractor)
The 4 victims D.P, J.E., B.H., and J.K
July 10, 2013:
District Court of NJ:
July 24, 2013:
US Department of Energy
Forte Interactive (Government Contractor)
I will say there’s so much more if you read through the indictments on your own. I’m just trying to bring some order to the chaos. Hopefully I did with just sticking to the dates and the alleged agencies involved. Our government alleges that these attacks dumped hundreds of thousands of documents, personnel files and credit card information. Inserting backdoors, the list is just never-ending. Which most of the “data dump” is to have taken place in 7 days by one person on a couple of laptops. I used to be a gamer, I’ve built my own machines for gaming, this just seems inhumanly possible, for one person to have done. Ok, maybe the IBM Chess computer.
This person is Lauri Love. A 32-year-old man, with severe health issues, with Asperger’s syndrome and depression. This is not just a man with depression, but according to Professor Michael Kopelman’s testimony in the extradition, “..Mr. Love was on the verge of psychosis and was clinically depressed.” This is when he was examined in 2012. Professor Kopelman went on to say Mr. Love continues to describe features of depression and the hallucinations to kill himself. Does this sound like someone capable of doing this? This is just a couple of words from one of the doctors who testified. Even our prison doctors are against this extradition; we have no one who can care for someone with AS. Lauri will be put in solitary on suicide watch with another prisoner guarding him from killing himself. He couldn’t handle going away to university; his father had to go retrieve him for fear of killing himself.
The assurances made by our Government as to his safety and the steps that would be taken to ensure he was cared for won the day. The cost of having the trial in the U.K. seemed to outweigh Lauri’s fragility. The rule of speedy trial was in there, but we all know the dockets are so full that never happens; with the current charges in 3 states, how can it?
Lauri will be the first person from the U.K. ever extradited under the 1990 law. 114 MPs signed a petition to President Obama calling for the end to this extradition. Yet, it’s still been signed off on by Amber Rudd MP. Lauri faces no charges in the U.K.; in fact all evidence collected by the authorities has been returned except one laptop they can’t break the encryption on.
I know the law is supposed to be fair and just. I cannot for the life of me find the justice in this.
We the people Exuding free speech Deserve nothing less than Altruism