The Computer Fraud and Abuse Act, also known as the CFAA, is the federal anti-hacking statute that prohibits unauthorized access to computers and networks.
In 1984, the world was just emerging from its digital Dark Age. CompuServe, the world’s first commercial email provider, was still trying to interest users in its fledgling service, and computer viruses and worms were still largely the stuff of engineering-school pranks. But even through the foggy haze of the internet’s early days, lawmakers saw clearly the importance that computers and computer crime would have on society. That’s when Congress enacted the Computer Fraud and Abuse Act, also known as the CFAA. The federal anti-hacking statute prohibits unauthorized access to computers and networks and was enacted to expand existing criminal laws to address a growing concern about computer crimes. But lawmakers wrote the law so poorly that creative prosecutors have been abusing it ever since.
The law, which went into effect in 1986, was passed just in time to be used to convict Robert Morris, Jr., the son of an NSA computer security worker, who unleashed the world’s first computer worm in 1988. Since then, it has been wielded thousands of times to convict high-profile hackers and low-level criminals alike. But as computer crimes have expanded and increased, so have prosecutors’ use and interpretation of the law, stretching it far beyond what it was originally intended to cover. And in 1994 the law moved beyond criminal matters with an amendment that allowed civil actions to be brought under the statute as well. This opened the way for corporations to bring lawsuits for unauthorized access against workers who steal company secrets.
Calls for reform
There have been many calls over the years to reform the CFAA, due to the overzealous nature of prosecutors who have used it—some would say abused it—to charge conduct that critics say does not constitute a true computer crime.
One case in particular was the prosecution of Lori Drew, a then-49-year-old mother who was charged in 2008 for using a fake MySpace profile to cyberbully a teenage girl. Drew was charged with conspiring with her daughter and her daughter’s friend to create the fake MySpace page of a boy in order to draw 13-year-old Megan Meier into an online friendship with the nonexistent boy, then humiliate her. Meier committed suicide, resulting in a public outcry to punish Drew for cyberbullying. But because there was no federal statute against cyberbullying at the time, federal prosecutors adopted a novel interpretation of the CFAA. They charged Drew with “unauthorized access” to MySpace’s computers for creating a fake MySpace account in violation of the web site’s terms of service. The web site’s user agreement required registrants to provide factual information about themselves when opening an account and to refrain from using information obtained from MySpace services to harass other people.
The prosecution turned what would normally have been a civil matter—breaching a contract—into a criminal matter. The case, if successful, would have potentially made a felon out of anyone who violated the terms of service of any website. Fortunately, although a jury convicted Drew (on lesser misdemeanor charges), the judge overturned the conviction on grounds that the government’s interpretation of the CFAA was “constitutionally vague” and overreached the bounds of the law.
Another case involving misuse of the statute also occurred in 2008 when three MIT students were barred from giving a presentation at the Def Con hacker conference. The students had found flaws in the electronic ticketing system used by the Massachusetts Bay Transportation Authority that would have allowed anyone to obtain free rides. The MBTA sought and obtained a temporary restraining order to bar the students from speaking about the flaws. In granting the temporary gag order, the judge invoked the CFAA, saying that information the students planned to present would provide others with the means to hack the system. The judge’s words implied that simply talking about hacking was the same as actual hacking. The ruling was publicly criticized, however, as an unconstitutional prior restraint of speech, and when the MBTA subsequently sought a court order to make the restraining order permanent, another judge rejected the request, ruling in part that the CFAA does not apply to speech and therefore had no relevance to the case.
A high-profile suicide
The most concerted effort to revise the CFAA came after a U.S. attorney used it to launch a heavy-handed prosecution against internet activist Aaron Swartz for what many considered a minor infraction. Swartz, who helped develop the RSS standard and was a cofounder of the advocacy group Demand Progress, was indicted after he gained entry to a closet at MIT and allegedly connected a laptop to the university’s network to download millions of academic papers that were distributed by the JSTOR subscription service. Swartz was accused of repeatedly spoofing the MAC address of his computer to bypass a block MIT had placed on the address he used. Although JSTOR did not pursue a complaint, the Justice Department pushed forward with prosecuting Swartz. U.S. Attorney Carmen Ortiz insisted that “stealing is stealing” and that authorities were just upholding the law.
Swartz, in despair over his pending trial and the prospect of a felony conviction, committed suicide in 2013. In response to the tragedy, two lawmakers proposed a long-overdue amendment to the law that would help prevent prosecutors from overreaching in their use of it. The amendment, referred to as Aaron’s Law, was introduced months after Swartz’s death by Rep. Zoe Lofgren (D-Calif.) and Sen. Ron Wyden (D-Oregon). The amendment would exclude breaches of terms of service and user agreements from the law and also narrow the definition of unauthorized access to make a clear distinction between criminal hacking activity and simple acts that exceed authorized access on a minor level. Instead, the amendment proposes to define unauthorized access as “circumventing one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering” information on a protected computer. The amendment also would make it clear that the act of circumvention would not include a user simply changing his MAC or IP address to gain access to a system.
“Taken together, the changes in this draft should prevent the kind of abusive prosecution directed at Aaron Swartz and would help protect other Internet users from outsized liability for everyday activity,” Lofgren wrote on Reddit when she announced the changes. The amendment, however, has withered in Congress and has so far failed to gather the support it needs to get passed.
“This reform only captured the attention of a small group of people. It’s not an issue that resonates with the public—at least yet,” Orin Kerr, professor of law at George Washington University Law School, told Forbes recently.
Some have attributed the amendment’s failure to lobbying on the part of corporations who use it to bring civil suits for theft of corporate secrets and don’t want to see it changed. Others say the problem is its association with Swartz, a figure some members of Congress don’t find sympathetic. Regardless, many say that reform of the CFAA is inevitable; it’s just a question of which case will finally force it to occur.
By Kim Zetter
Provided below are example cases of federal prosecutions including CFAA violations charges. The case entries include links to additional materials from the case and resources related to the case. Also, the Department of Justice has published its own manual on “Prosecuting Computer Crimes” that is available online here.
U.S. v. Andrew Auernheimer, No. 13-1816 (3rd Cir. Apr. 11, 2014)
When Apple released the iPad, customers were required to purchase a contract with AT&T and register their accounts on a website controlled by AT&T using their email addresses. When testing AT&T’s security system, Andrew “Weev” Auernheimer discovered a flaw. He was able to gather the email addresses of their customers. When Weev notified AT&T that these personal emails were accessible and that AT&T customers were vulnerable, AT&T took no action. In response, he alerted the press to the security flaw and publicized some of the email addresses in redacted form. He did not possess, nor had access to, any other personally identifiable information or passwords of the customers.
AT&T responded by alerting the federal government, who then prosecuted Weev for violating the Computer Fraud & Abuse Act (CFAA). In order to enhance the potential punishment from a misdemeanor to a felony, the government claimed that the CFAA violation occurred in furtherance of a violation of New Jersey’s computer crime statute, even though no conduct occurred in New Jersey. This is known as “stacking” offenses, when the federal government reaches to a state statute to ramp up the charges, even though the state and federal statute cover the same conduct.
After a jury trial, Weev was convicted and sentenced to 41 months in federal prison and to pay $73,000 in restitution. NACDL filed an amicus brief in support of his appeal to the Third Circuit, urging the court to take a narrow approach to the CFAA and limit the prosecutorial power of the government, which is available here. Holding that venue was not proper in the District of New Jersey, the Third Circuit vacated Weev’s conviction (opinion).
U.S. v. Matthew Keys, No. 2:13-cr-00082 (E.D. Cal. 2013)
On March 14, 2013, Matthew Keys, a former Reuters Social Media Editor, was indicted on multiple counts of CFAA violations for allegedly providing hackers with usernames and passwords for Tribune Company websites in late 2010 after he was fired from his job at a Tribune-owned company. The government alleges this conduct was part of a conspiracy to make unauthorized changes to Tribune websites and to damage Tribune computers. The indictment charges three criminal violations of the CFAA, including conspiracy to cause damage to a protected computer, transmission of a malicious code and attempted transmission of a malicious code. These charges carry up to 25 years in prison and a fine up to $750,000. Keys rejected a plea deal and went to trial. After an 8-day jury trial, Keys was found guilty of three counts of violating the CFAA. On April 13, 2016, he was sentenced to 24 months of imprisonment, 24 months of supervised release, and restitution in the amount of $249,956. His appeal is currently pending before the Ninth Circuit.
U.S. v. Aaron Swartz, Crim. No. 1:11-cr-10260 (D. Mass. 2012)
Aaron Swartz, a computer programmer, entrepreneur and activist, was federally indicted on multiple counts of wire fraud and CFAA violations, including unlawfully obtaining information from a protected computer and recklessly damaging a protected computer. The charges stemmed from Swartz’ alleged effort to download approximately 4.8 million articles from JSTOR, which is a not-for-profit digital library, using the MIT network. Anyone on the MIT campus could access MIT’s computer network and, as a result, JSTOR, but JSTOR’s terms of service limited the amount of articles that could be downloaded at a time. Swartz wrote a script that instructed his computer to download JSTOR articles continuously and, when this violation was detected and requests from his computer were denied, Swartz spoofed his computer’s address to trick the JSTOR servers.
Swartz was first indicted in November 2011, but federal prosecutors filed a superseding indictment in September 2012 that added nine more felony counts, increasing Swartz’s maximum criminal exposure to 50 years of imprisonment and $1 million in criminal fines. According to Swartz’s attorney Elliot Peters, the prosecutors offered Swartz a plea deal in which he would pled guilty to 13 felonies in exchange for a four or six month sentence. The prosecutors also stated that they would seek a seven year sentence should Swartz exercise his constitutional right to a trial. The government took this hard-line position despite the fact that the “victims” MIT and JSTOR declined to pursue civil litigation. In fact, JSTOR actually informed the prosecutors that it did not want to press charges. Tragically, under the weight of the prosecution and potential prison sentence, Swartz committed suicide on January 11, 2013. After his death, the federal prosecutors dropped the charges.
For analysis of the Swartz prosecution, see Professor Orin Kerr’s two-part session here and here, posts from the Electronic Frontier Foundation here and here, and a two-part post from Jennifer Granick at the Center for Democracy and Technology here and here.
U.S. v. Sergey Aleynikov, No. 11-1126 (2d Cir. Apr. 11, 2012)
A computer programmer, Aleynikov allegedly stole proprietary computer source from his former employer (Goldman Sachs) and transferred it to his new employer. He was charged with violating the Economic Espionage Act (EEA), the National Stolen Property Act (NSPA), and the CFAA. Prior to trial, the U.S. District Court dismissed Count Three, the CFAA charge, on the ground that Aleynikov was authorized to access the Goldman computer and did not exceed the scope of authorization. Specifically, the court ruled that authorized use of a computer in a manner that misappropriates information is not an offense under the CFAA. A jury then convicted Aleynikov on the remaining counts and he appealed.
The Second Circuit reversed Aleynikov’s conviction on both counts (opinion). On count one, the court held that the theft and subsequent interstate transmission of purely intangible property is beyond the scope of the NSPA. The court similarly reasoned that the theft of source code relating to the high frequency trading system is not an offense under the EEA. Shortly after the Second Circuit vacated Aleynikov’s conviction, the Manhattan District Attorney’s Office initiated a prosecution against him based on state criminal law.
U.S. v. David Nosal, No. 10-10038 (9th Cir. Apr. 10, 2012)
The prosecution of David Nosal revolved around his enlistment of former colleagues to use their log-in credentials to download certain information from company computers in order to assist him in starting a new, competing business. These colleagues were authorized to access this information, but disclosing it violated company policy. The government charged Nosal with twenty counts, including trade secret theft, mail fraud, conspiracy, and violations of the CFAA. Following a motion to dismiss, the U.S. District Court dismissed the CFAA counts on the ground that the definition of “exceeds authorized access” does not incorporate corporate policies governing use of information. The government appealed and the Ninth Circuit agreed (opinion).
The Ninth Circuit reasoned that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions. The court cited the rule of lenity, as well as basic common sense, for reaching this conclusion. Specifically, the court reasoned that a narrower interpretation is appropriate since the CFAA is an anti-hacking statute and Congress dealt with misappropriation of trade secrets in another part of the federal code. As the colleagues had permission to access the company databases and obtain the information, their conduct could not be “without authorization” nor could it “exceed authorized access.” The Ninth Circuit affirmed the dismissal of the CFAA counts and the government proceeded to prosecute and convict Nosal on the remaining counts.
U.S. v. Elaine Cioni, No. 09-4321 (4th Cir. Apr. 20, 2011)
The Cioni case involved a federal criminal statute that has two overlapping misdemeanor criminal offenses that prohibit hacking into email accounts. Ordinarily, first offenses under the Computer Fraud and Abuse Act and the Stored Communications Act are misdemeanors, unless committed, among other things, in furtherance of another crime. In Cioni, the government attempted stacking the misdemeanors to obtain a felony conviction. Cioni was convicted of multiple counts and appealed her conviction to the Fourth Circuit.
In an amicus brief, NACDL argued that Cioni’s CFAA offense, unauthorized access to stored email, was not committed “in furtherance of” an SCA violation, because both convictions were based on the same conduct. The government’s attempt to count the same conduct as both an underlying misdemeanor and as the basis for a felony conviction violates the Double Jeopardy Clause. The Fourth Circuit agreed (opinion), holding that the CFAA charges had been improperly elevated to felony offenses and sent the case back to the district court to reduce the convictions to misdemeanors.
U.S. v. Lori Drew, No. CR 08-0582-GW (C.D. Cal. Aug. 28, 2009)
The prosecution of Lori Drew, sometimes referred to as the “MySpace Suicide Case,” took place following the tragic suicide of a 13-year old girl. Drew and others set-up a fictitious account on the social media website MySpace in order to target this girl. Such conducted violated the MySpace terms of service and, when the conduct ultimately resulted in the girl’s suicide, federal prosecutors responded by charging Drew with multiple violations of the CFAA and conspiracy. Following a jury trial, Drew was acquitted of all counts but for one misdemeanor violation of the CFAA.
The U.S. District Court set aside the jury’s guilty verdict in an opinion rejecting the government’s position that violating a website’s terms of service can constitution a federal offense. The judge reasoned that reading the statute in such a manner would deprive individuals of actual notice and be an overwhelmingly overbroad enactment that converts a multitude of otherwise innocent internet users into federal criminals.
JULY 12TH: Internet-wide day of action to save Net Neutrality.
The FCC wants to destroy net neutrality and give big cable companies control over what we see and do online. If they get their way, they’ll allow widespread throttling, blocking, censorship, and extra fees. On July 12th, the Internet will come together to stop them.
Net neutrality is the basic principle that protects our free speech on the Internet.
“Title II” of the Communications Act is what provides the legal foundation for net neutrality and prevents Internet Service Providers like Comcast, Verizon, and AT&T from slowing down and blocking websites, or charging apps and sites extra fees to reach an audience (which they then pass along to consumers.)
Greetings, Citizens of the World, We are Anonymous.
On July 12th, 2017, internet users worldwide will gather in the streets to protest draconian cyber monitoring and control. Since as early as 2014 the issue of Net Neutrality became a major issue in public and political debates worldwide. HBO political talk-show host, John Oliver has brought this issue to the forefront of the minds of activists and in doing so has given the cause a voice we can not allow to be silenced.
Over-reaching political leaders and their allies in classified international agencies are moving faster than ever in the history of cyber dictatorship, to censor and manipulate the usage and access granted to any user on the internet. They do this not only for themselves but for the financial gain of their supporting industries. Data brokering and Federal Surveillance are but two of many terrifyingly specific methods of manipulating the content citizens of the world are allowed to access and edit. This level of observation and control is unprecedented and is a complete affront to freedom and guidelines set forth in the Universal Declaration of Human Rights.
When our Internet Service Providers have a monopoly on our access to unbiased and uncensored information and their motivation becomes financial, free and open information becomes a casuality. The ability to choose which services and sources you wish to employ becomes a thing of the past. As a result, a dystopian state in which governments and corporations control what you think, do and buy is rapidly becoming the future.
At the of the time of this video’s release there are confirmed acts of civil disobedience planned in many major cities across the United States. There are boots coordinating on the ground in Ottawa and London, ready to mobilize and fight for your rights as free people. This is not enough. Any individual, regardless of nationality, regardless of internet usage who accesses the internet for any purpose needs to educate themselves on what we as citizens stand to lose when net neutrality is in jeopardy.
We are calling on activists and citizens of the world alike in every city of every nation to step up and rally together in the face of surveillence and censorship of the one free and open resource to information we have. Inform your friends, your family, your coworkers.
There is no act of defiance too small or too risky.
The free internet must be defended at all costs. Information needs to be free and accessible to all, not dictated by the whim of cable company lobbyists or controlled by petty financial desires.
Join Anonymous on July 12th around the world to protest the censoring of the internet by the acts of net neutrality and government surveillance. Fill the streets with your presence and drown the FCC comment board with your voice. Write letters and make phone calls to politicians. Tell then why they must change course, and do so with passion.
We are Anonymous.
We are legion.
We do not forgive.
We do not forget.
Collaborate and register your protest – This is a battle for the future of the internet
After the tragic death of programmer and Internet activist Aaron Swartz, EFF calls to reform the infamously problematic Computer Fraud and Abuse Act (CFAA). In June 2013, Aaron’s Law, a bipartisan bill to make common sense changes to the CFAA was introduced by Reps. Lofgren and Sensenbrenner. You can help right now by emailing your Senator and Representative to reform the draconian computer crime law. The CFAA is the federal anti-hacking law. Among other things, this law makes it illegal to intentionally access a computer without authorization or in excess of authorization; however, the law does not explain what “without authorization” actually means. The statute does attempt to define “exceeds authorized access,” but the meaning of that phrase has been subject to considerable dispute. While the CFAA is primarily a criminal law intended to reduce the instances of malicious hacking, a 1994 amendment to the bill allows for civil actions to be brought under the statute.
Fix computer crime law.
Creative prosecutors have taken advantage of this confusion to bring criminal charges that aren’t really about hacking a computer, but instead target other behavior prosecutors dislike. For example, in cases like United States v. Drew and United States v. Nosal the government claimed that violating a private agreement or corporate policy amounts to a CFAA violation. This shouldn’t be the case. Compounding this problem is the CFAA’s disproportionately harsh penalty scheme. Even first-time offenses for accessing a protected computer without sufficient “authorization” can be punishable by up to five years in prison each (ten years for repeat offenses), plus fines. Violations of other parts of the CFAA are punishable by up to ten years, 20 years, and even life in prison. The excessive penalties were a key factor in the government’s case against Aaron Swartz, where eleven out of thirteen alleged crimes were CFAA offenses, some of which were “unauthorized” access claims. EFF is championing reforms to the CFAA. These suggestions expand on Zoe Lofgren’s terrific draft bill known as Aaron’s Law. We will expand on this and address other flaws of the CFAA, as well.
Part 1: No Prison Time For Violating Terms of Service
Part 2: Protect Tinkerers, Security Researchers, Innovators, and Privacy Seekers
Part 3: The Punishment Should Fit the Crime
Specific Reasons to Improve the CFAA
The CFAA Hampers Security Research
The CFAA Stifles Innovation
The CFAA Must Allow for Anonymity and Privacy
Initial Suggestions for improving Aaron’s Law
Introduction Blog Post
Additional Suggestions for improving the Penalty Scheme
Introduction Blog Post
Explanation of Proposal
Chart of Penalties Reform After Proposed Language
The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, was originally enacted in 1984 as a criminal statute to deter hackers and protect data on federal computers. Over time, the scope of the CFAA evolved to include a private right of action for any person who suffers damage or loss because of a violation of the CFAA. Not surprisingly, employers have increasingly taken advantage of the CFAA’s civil remedies to obtain both injunctive and monetary relief against employees, making the federal statute a potent weapon against employees, especially in the context of noncompete and trade secrets litigation. This article examines the CFAA and suggests strategies that an employee can consider when fighting against a CFAA lawsuit.
Elements of a CFAA Claim
To establish a civil action against an employee under the CFAA, an employer must prove that the employee: (1) “knowingly and with the intent to defraud,” (2) accessed a “protected computer,” (3) “without authorization,” and as a result (4) caused a damage or loss of at least $5,000.1 This analysis focuses primarily on the last two elements and the extent to which a former employee has damaged or compromised the integrity of the employer’s computer system.
An employer does not have a cause of action under the CFAA if the alleged misconduct does not involve conduct prohibited by the act. Violations include but are not limited to:
1. damage to a protected computer that results in a loss of at least $5,000;
2. the impairment of a medical examination, diagnosis, treatment or care of an individual;
3. physical injury to a person; and
4. threats to public health or safety.
A. What Is a “Protected Computer” Under the CFAA?
A “protected computer” is defined broadly to include any computer that is “used in interstate or foreign commerce or communication.”2 This includes any computer connected to the internet.3
B. Did the Employee Have Authorization to Access the Protected Computer?
The key element to any CFAA claim is the employee’s unauthorized access to the employer’s computer system. Accordingly, an employer does not have a cause of action under the CFAA if access to the part of the employer’s computer system that the employee allegedly accessed was never revoked.4
The line blurs, however, when an employee planning to leave her job and while still employed and still authorized to use her employer’s computer system, uses that system for purposes adverse to the employer’s interest, for example, if the employee gathers and disseminates information for competitive purposes. Some courts have addressed this issue by treating such conduct as “exceeding authorized access,” while others have ruled that an employee’s authorization to access ends the moment he or she acts contrary to the employer’s interest, thereby rendering the conduct as one “without authorization.”5 Still others have determined that such conduct is outside the scope of the act.6 A review of recent case law reveals the various conclusions that courts have reached in analyzing this particular element of the CFAA.
In International Airport Centers, LLC v. Citrin, the Seventh Circuit ruled in favor of a real estate agency on its claims for violations of the CFAA.7 In Citrin, the employee deleted files from his company-issued laptop and installed a secure-erasure program making it impossible for the agency to recover any of the deleted information.8 According to the employee, there was no basis for the CFAA claim because he was “authorized” to access his computer at the time he deleted the files.9 The Seventh Circuit rejected this argument, finding that “[an employee’s] breach of his duty of loyalty [in deleting relevant files] terminate[s] his agency relationship. . .and with it his authority to access the [company] laptop.”10 The Seventh Circuit concluded that an employee’s authorized access terminates when the employee’s mental state changes from loyal employee to disloyal competitor and the employee accesses his employer’s computer for an unauthorized purpose, i.e., to defraud or cause harm to the former employer.11
Other courts, however, have considered and emphatically rejected the agency law notion of authorization applied in Citrin. For example, in International Ass’n of Machinists & Aerospace Workers v. Werner-Masuda,12 the court held that the employer could not state a claim for relief under the CFAA because “[the employee’s] access had not been revoked.”13 According to the Werner-Masuda court, Congress intended for the statute to apply to outside computer hackers and not to disloyal employees who access their employer’s computer system on behalf of the employer’s competitor.14 Further, the court concluded that the CFAA expressly prohibits “unauthorized access” and not “unauthorized disclosure” of information.15 A Texas court reached a similar result in Bridal Expo Inc. v. Van Florestein16 when it concluded that defendants, former employees of the bridal exposition company Bridal Expo, did not copy information from the company’s computers “without authorization” even though one of the former employees admitted to downloading Bridal Expo’s database and later, used the downloaded information for improper purposes.17 According to the court, “if Congress wanted to reach all wrong doers who access information that they will use to the detriment of their employers, it could have omitted the limiting words on authorization altogether.”18 Thus, finding that the former employees had signed no confidentiality agreement with Bridal Expo or any other
agreement restricting their access to the files they had been working with at their jobs at Bridal Expo, the court denied the CFAA claim.19
In the most recent case to tackle this issue, LVRC Holdings LLC v. Brekka,20 the Ninth Circuit also rejected the agency law notion of authorization applied in Citrin. In Brekka, the Ninth Circuit held that a marketing consultant did not violate the CFAA because he did not access the employer’s computer “without authorization” when he allegedly e-mailed his employer’s documents to himself and to his wife to further his own competing business.21 In reaching its decision, the Ninth Circuit concluded that “[n]o language in the CFAA supports the argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s interest.”22 Instead, “[an employee] uses a computer ‘without authorization’ when the person has not received permission to use the computer for any purpose . . . or when the employer has rescinded permission to access the computer and the [employee] uses the computer anyway.”23 The Brekka court also held an employee remains authorized to use the protected computer even when an agreement subjects the employee’s access to certain limitations and the employee violates these limitations.
While many courts have sided with the Werner-Masuda court, the scope of the term “authorization” remains unresolved.25 Even so, courts are more likely to dismiss a CFAA claim where an employee’s counsel can prove that the alleged “access” was harmless, was not for an improper purpose, or that the employee accessed the former employer’s computer system for legitimate, work-related reasons.26 Moreover, a court is less likely to consider a CFAA claim against an employee where the employee’s unauthorized conduct did not produce “anything of value.”27
C. What Constitutes Loss or Damage for a Viable CFAA Claim?
To be actionable, a CFAA claim must also allege that the employee’s wrongful conduct resulted in a $5,000 damage or loss to the employer. Failure of proof on this element is “fatal” to a CFAA cause of action. 28 Thus, employees should always try to challenge an employer’s complaint by arguing that his or her conduct did not result in a “loss” to the employer.
1. “Loss” Under the CFAA.
In determining what constitutes a “loss” under the CFAA, courts have consistently interpreted “loss” to mean expenses related to restoring computer data, fixing actual damages to a computer system and modifying a computer system to preclude further data transfer.29 Courts disagree, however, on whether consequential damages, such as loss in the value of trade secrets or competitive advantage constitute a “loss” under the CFAA.30
In Civic Center Motors Ltd. v. Mason Street Import Cars Ltd.,31 for example, a New York court held that lost profits and wasted investments are not compensable losses under the CFAA.32 In Civic Center, a car dealership brought a CFAA claim against its competitor, seeking compensation for their “now wasted investment” in a customer database and lost profits resulting from its competitor’s unfair competitive edge.33 The court refused to recognize Civic Center’s claims, concluding that “losses under the CFAA are compensable only when they are the result from damage to, or inoperability of, the accessed computer system.”34 Finding that the former employees’ access to the dealership’s web-based database did not affect the integrity of the database’s information, the court dismissed the CFAA claim.35
The court in Nexans Wires S.A. v. Sark-USA Inc.,36 reiterated the court’s position in Civic Center when it rejected an employer’s CFAA claim seeking reimbursement for the cost of flying two executives from Germany to New York to meet and discuss the consequences of their competitor’s gain in competitive edge from their use of unlawfully gained information.37 In reaching its decision, the court pointed to the fact that the executives’ trip and subsequent meetings were unrelated to “investigating or remedying damage to a computer,” and therefore, fell outside the definition of a recoverable “loss” under the statute.38 According to the court, “[g]eneral non-computer costs incurred in investigating the violation [are] too far outside of the scope of the [CFAA].”39 Other courts, however, have taken a broader view, suggesting that items such as misappropriated property, loss of goodwill, and investigative costs can be used to establish the “loss” requirement of a civil CFAA action.40
In EF Cultural Travel BV v. Explorica Inc.,41 for example, the First Circuit held that the CFAA covered more than the losses directly attributed to the actual physical damage of a computer’s hard drive.42 Here, a tour company sued its competitor under the CFAA for allegedly using a “scraper” software program to glean prices from its website.43 The company claimed that it sustained a compensable loss because it had to pay consultants to assess the effect of Explorica’s interference with its website.44 In response, Explorica argued that it could not be liable under the CFAA because “their actions neither caused any physical damage nor placed any stress on EF’s website.”45The court rejected Explorica’s arguments, holding that “a general understanding of the word ‘loss’ would fairly encompass a loss of business, goodwill, and the cost of diagnostic measures” that a company takes to
access the damage to its computer system.46 According to the court, any losses stemming from an employee’s unauthorized conduct are recoverable, so long as it results in a loss of at least $5,000.47
2. “Damage” Under the CFAA.
Under the statute, “damage” includes any “impairment to the integrity or availability of data, a program, a system or information.”48 Some courts have ruled that the misappropriation of trade secrets does not constitute damages under the CFAA.49 Others have ruled that the “damage” requirement can be satisfied when the misappropriation is coupled with other harm.50 Finally, there is authority that establishes the proposition that the misappropriation of trade secrets or confidential information alone is sufficient to establish the $5,000 jurisdictional threshold.
In Shurgard Storage Centers Inc. v. Safeguard Self-Storage Inc.,52 for example, the court held that even though the plaintiff’s data was not physically erased or changed, the misappropriation of the trade secrets constituted an impairment to the integrity of the data in question and thus, fell within the definition of damage.53 The majority of courts, however, have held that the misappropriation of trade secrets does not constitute damages under the CFAA.54 According to one court, the absence of evidence that a computer network was damaged in any quantifiable amount by the alleged unauthorized access of the network precludes recovery under the CFAA.55 Under this standard, a court likely will grant a motion to dismiss in a CFAA case where there is evidence that the misappropriated data remains intact on the employer’s computer or the employer fails to plead impairment to the integrity or availability of data, a program, a system, or information.56 Indeed, more courts are requiring employers to show computer related losses, impairment of the original data, or a complete lack of permitted access.57
The lesson to be gleaned from these cases is that each case will turn on its own facts and the determination of whether the employer has sufficiently pleaded “damage” or “loss” will, among other things, be determined by the jurisdiction overseeing the case.
II. General Tips for Avoiding CFAA Claims
The computer equipment provided by an employer does not belong to an employee. Thus, an employee should return all computerized information to the employer upon departure and refrain from deleting or transferring any information from the company’s computer system to a personal disk or e-mail without the company’s express consent.
III. General Tips for Defending Against CFAA Claims
A. Challenge Reliability of Employer’s Investigation.
An employee should consider attacking the quality and reliability of the former employer’s investigation into the employee’s “access” by demonstrating that the former employer’s methods for collecting evidence was unreliable or defective.58
B. Challenge Any Injunctions That Are Broad or Contrary to Public Policy.
Injunctions are an extraordinary remedy, which in the context of CFAA litigation can stifle competition and punish employees who may have inadvertently retained the former employer’s documents. Accordingly, an employee should object to the entry of an injunction that is considerably broader than that which could ordinarily be obtained under a trade secrets or unfair competition theory.
C. Argue That There Was No Practice, Procedure or Policy Prohibiting “Improper” Access or Use of the Company’s Documents.
In the absence of a promulgated policy or practice prohibiting employees from the “improper” access or use of an employer’s confidential information, a court likely will not find an employee’s allegedly improper access of company documents to be in violation of the CFAA.59
In Brekka, the Ninth Circuit held that an employer could not maintain its CFAA claim against a former employee accused of e-mailing company documents to his personal e-mail account because the employer could not establish that the former employee accessed its computer system “in excess of authorization” or “without authorization.”60 In reaching its decision, the court pointed to the fact that the employer failed to provide notice or employee guidelines distinguishing the proper and authorized use of employer information from the improper and unauthorized use of the company information in question.61 According to the Ninth Circuit, because Section 1030 is primarily a criminal statute and creates criminal liability for violators of the statute, the rule of lenity, which is rooted in considerations of notice, applies.62 Thus, “no citizen should be held accountable for a violation of a statute whose commands are uncertain, or subjected to punishment that is not clearly prescribed.”63 In short, a court will likely not recognize a CFAA claim where an employee “would have no reason to know that making personal use of the company computer . . . would constitute a criminal violation of the CFAA.”64
D. Assert the “Unclean Hands” Defense.
To challenge an employer’s CFAA claims, an employee can rely on the “unclean hands” doctrine. According to this doctrine, “he who asks equity must do equity, and he who comes into equity must come with clean hands.”65 In the context of CFAA litigation, this doctrine provides that “one who has acted in bad faith . . . or [has] been guilty of fraud, injustice or unfairness will appeal in vain to a court of conscience.”66 Thus, a court may not recognize a CFAA claim where there is evidence demonstrating that the employer engaged in wrongful or inequitable conduct with respect to the matter in litigation, i.e., the employer deleted all data that evidenced its retaliatory intent in filing the CFAA action.67
In sum, an employee faced with a lawsuit for violations of the CFAA has options to challenge the CFAA action, including the rule of lenity. Like lawsuits to enforce noncompetition provisions, CFAA actions are typically accompanied by a motion for a preliminary injunction or a motion for a temporary restraining order, which can put an employee out of work. Thus, it is critical quickly to assess and apply options available to the employee to gain the upper hand in the litigation and to avoid costs and being put on the defensive.
1 18 U.S.C. § 1030(a)(4); see also Pacific Aerospace & Elecs. Inc. v. Taylor, 285 F. Supp. 2d 1188, 1195 (E.D. Wash. 2003).
2 18 U.S.C. § 1030(e)(2)(B).
3 See Cont’l Group Inc. v. KW Prop. Mgmt. LLC, 622 F. Supp. 2d 1357, 1370 (S.D. Fla. 2009) (court held that connection to internet is “affecting interstate commerce or communication” and thus, computers connected to internet are protected under CFAA).
4 See LVRC Holdings v. Brekka, 581 F.3d 1127, 29 IER Cases 1153 (9th Cir. 2009); 2009 WL 2928952 (court held that employee uses computer “without authorization” when person has not received permission “to use computer for any purpose . . . or when the employer has rescinded permission to access the computer and the [employee] uses the computer anyway”).
5 Int’l Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); 4 WLR 329, 3/17/06, (court held that “authorized access” ends when employee breaches his duty of loyalty);Patrick Patterson Custom Homes Inc. v. Bach, 586 F. Supp. 2d 1026, 1034-35 (N.D. Ill. 2008) (court held that employer stated administrative assistant exceeded her authority by installing data shredding software causing permanent deletion of financial records on company’s computer).
6 See B & B Microscopes v. Armogida, 532 F. Supp. 2d 744 (W.D. Pa. 2007) (court held that because CFAA delineates between authorized and unauthorized access, reading of statute that once employee begins violating duty of loyalty to his employer any authorized access is withdrawn, would render the CFAA’s distinction meaningless); see also Lockheed Martin Corp. v. Speed, No. 6:05-CV-1580-ORL-31, 2009 WL 2683058, at *4 (M.D. Fla. Aug. 1, 2006) (court refused to recognize CFAA claim where employer permitted its employees, as a function of their respective positions, to access the precise information at issue on ground that “Congress chose not to reach. . . those [employees] with access authorization.”); Black & Decker Inc. v. Smith, No. 07-1201, 2008 WL 3850825, at *3 (W.D. Tenn. Aug. 13, 2008) (court concluded that “the [CFAA] targets the unauthorized procurement or alteration of information, not its misuse.”).
7 Citrin, 440 F.3d at 421.
8 Id. at 419.
9 Id. at 421.
10 Id. at 420-21.
11 Id. at 421.
12 Int’l Ass’n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479 (D. Md. 2005).
13 Id. at 499.
14 Id. at 498.
15 Id. at 499.
16 Bridal Expo Inc. v. Van Florestein, No. 4:08-CV-03777, 2009 WL 255862 (S.D. Tex. 2009).
17 Bridal Expo, 2009 WL 255862, at *11.
18 Id. at *10.
19 Id. at *11.
20 581 F.3d 1127, 29 IER Cases 1153, 2009 WL 2928952 (9th Cir. 2009).
21 Brekka, at *6-7.
22 Id. at *5.
23 Id. at *7; see also Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008) (employee’s acquisition of employer’s confidential information prior to resigning for new position with employer’s competitor was not “without authorization” or in matter that “exceeded authorized access” where employee was permitted to view specific files he allegedly e-mailed himself).
24 Brekka, at *5 (“It is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or ‘without authorization.”).
25 Compare Brekka, at *5 (former employee who e-mailed sensitive company documents that he accessed with permission to his personal computer did not exceed his authorized access, even if he planned to use those documents to furtherhis own business objectives) and Jet One Group Inc. v. Halcyon Jet Holdings, No. 08cv3980, 2009 WL 2524864, *5-6 (E.D.N.Y. Aug. 14 2009) (dismissing complaint claiming that defendants, who were permitted to access client lists in question in normal course of business even when defendants later used those client lists to compete against plaintiff) with Int’l Airport, 440 F.3d at 420 (employee’s misappropriation of confidential information violated his duty of loyalty, thereby “terminating his agency relationship . . . and with it his authority to access the laptop”) and Calyon, No. 07 Civ. 2241, 2007 WL 2618658 at *1 (holding that employees who copied their employer’s proprietary electronic documents before their termination must have known doing so was “in contravention of the wishes and interests of the employer” and therefore exceeded the scope of their authorized access).
26 Hecht v. Components Int’l Inc., 867 N.Y.S.2d 889 (2008) (court granted summary judgment dismissing CFAA counter claim where employee’s access to company’s e-mail server was “standard” suggesting that “sensitive information was not reached”); Lockheed Martin, 2006 WL 2683058, at *8 (“The copying of information from a computer onto a CD or PDA is a relatively common function that typically does not, by itself, cause permanent deletion of the original computer files. In the absence of an allegation of permanent deletion or removal, the Court will not create one.”); Resdev LLC v. Lot Builder Ass’n Inc., No. 6:04-CV-1374ORL31DAB, 2005 WL 1924743, at *4-5 (M.D. Fla. 2005) (Court held that to have “damage” under the CFAA, there must be “some diminution in the completeness or useability of the data or information on a computer system.” Determination of whether damage exists hinges on physical change in data, program, system, or information).
27 United States v. Czubinkski, 106 F.3d 1069, 1070 (1st Cir. 1997) (employee of IRS did not violate CFAA even though he knowingly disregarded IRS confidential information rules by performing searches outside scope of his contract representative duties to satisfy his own curiosity about tax information of friends, political rivals, and acquaintances, because there was no evidence that he printed out, recorded, or used information he read to obtain “anything of value”); see also P.C. Yonkers Inc. v. Celebrations the Party & Seasonal Superstore LLC., 428 F.3d 504, 505 (3rd Cir. 2005); In re America Online Inc., 168 F. Supp. 2d 1359, 1360 (S.D. Fla. 2001).
28 Pearl Investments LLC v. Standard I/O Inc., 257 F. Supp. 2d 326, 349 (D. Me. 2003).
29 See Lasco Foods Inc. v. Hall & Shaw Sales, Marketing & Consulting LLC, No. 4:08CV01683, 2009 WL 151687, at *5 (E.D. Mo. 2009) (“[c]ourts have consistently interpreted loss. . . to mean a cost of investigating or remedying damage to a computer, or a cost incurred because the computer’s service was interrupted.”); Forge Indus. Staffing Inc. v. De La Fuente, No. 06 C 3848, 2006 WL 2982139, at *6-*7 (N.D. Ill. 2006) (loss includes cost of hiring forensic computer expert to recover destroyed data in addition to actual damages to computer system); see also Matter of Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 521 (S.D.N.Y. 2001) (court noted that “Congress intended the term ‘loss’ to target remedial expenses borne by victims that could not properly be considered direct damage caused by a computer hacker.”); 18 U.S.C. § 1030(e)(11) (loss is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service.”).
30 Compare Garelli Wong & Associates Inc. v. Nichols, 551 F. Supp. 2d 704 (N.D. Ill. 2008) (court ruled that copying or misappropriation of trade secret through use of computer does not, on its own, constitute “damage” under CFAA) with HUB Group, Inc. v. Clancy, No. Civ. A. 05-2046, 2006 WL 208684, at *3-4 (E.D. Pa. 2006) (employee exceeded scope of his authorization into former employer’s database when he took information to use as TTS employee) and Caylon, No. 07 Civ. 2241, 2007 WL 2618658 at*1 (S.D.N.Y. Sept. 5, 2007) (holding that employees who copied their employer’s proprietary electronic documents before their termination must have known doing so was “in contravention of the wishes and interests of the employer” and therefore exceeded scope of their authorized access). 31 Civic Ctr. Motors Ltd. v. Mason St. Import Cars Ltd., 387 F. Supp. 2d 378 (S.D.N.Y. 2005).
32 Id.at 381.
33 Id. at 382.
34 Id. at 381.
36 Nexans Wires S.A. v. Sark-USA Inc., 319 F. Supp. 2d 468 (S.D.N.Y. 2004).
37 Id. at 476.
38 Id. at 473.
39 Id. at 476.
40 Cont’l Group Inc. v. KW Prop. Mgmt. LLC, 622 F. Supp. 2d 1357, 1370 (S.D. Fla. 2009); Creative Computing v. Getloaded.com LLC, 386 F.3d 930 (9th Cir. 2004).
41 EF Cultural Travel BV EF v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001).
42 Id. at 585.
43 Id. at 579.
44 Id. at 580.
45 Id. at 584.
46 Id.; see also Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 935 (9th Cir. 2004) (court held that loss of business and business goodwill are economic damages under CFAA).
47 Explorica, 274 F.3d at 585 (court held that $20,000 that EF spent to determine whether its website had been compromised met $5,000 threshold for loss or damage under CFAA).
48 18 U.S.C. § 1030(e)(8).
49 See, e.g., Garelli Wong & Assocs. Inc. v. Nichols, 551 F. Supp. 2d 704 (N.D. Ill. 2008) (court ruled that copying or misappropriation of trade secret through use of computer alone does not constitute “damage” under CFAA); Lockheed Martin, 2006 WL 2683058, at *4 (copying of confidential data does not constitute “damage” under the CFAA); Resdev, 2005 WL 1924743, at *5 n.3 (noting that “damage” contemplates “some diminution in the completeness or useability of data or information on a computer system.”); Davis v. Afilias Ltd., 293 F. Supp. 2d 1265 (M.D. Fla. 2003) (registry operator was not entitled to summary judgment on its counterclaim that employee that individual violated CFAA by using authorization codes to register domain names because World Intellectual Property Organization gave individual authorization codes to register his names, which individual did through his registrar, there was no evidence that individual directly accessed registry operator’s computer system to register domain names in question, and although it was discovered that codes were given to individual in error, individual could not be held simply on basis that he used codes to register domain names).
50 Black & Decker, 568 F. Supp. 2d at 937 (W.D. Tenn. 2008) (misappropriating a trade secret coupled with other harm to the data constitutes “damage” under CFAA).
51 See e.g., Four Seasons Hotel & Resorts BV v. Consorcio Barr SA, 267 F. Supp. 2d 1268, 1324 (S.D. Fla. 2003).
52 Shurgard Storage Centers Inc. v. Safeguard Self Storage, 119 F. Supp. 2d 1121, 1126-27 (W.D. Wash. 2000).
53 Id.; see also 18 USC § 1030(e)(8)(A) (2000).
54 Id. at 710; see also Andritz v. S. Maint. Corp, 626 F. Supp. 2d 1264 (M.D. Ga. 2009); Sam’s Wines & Liquors Inc. v. Hartig, No. 08 C 570, 2008 WL 4394962, at *3 (N.D. Ill. Sept. 24, 2008).
55 See Pearl Investments LLC v. Standard I/O Inc., 257 F.Supp. 2d 326, 349 (D. Me. 2003) (lack of evidence that computer network was damaged in any quantifiable amount by alleged unauthorized access by custom software company and its owners precluded developer’s recovery under CFAA).
56 See, e.g., Garelli, 551 F. Supp. 2d at 710 (court concluded that plaintiff failed to sufficiently plead damage under CFAA because misappropriation alone did not show “impairment to the integrity or availability of data, a program, a system, or information.”); Hartig, 2008 WL 4394962, at *4 (court granted employee’s 12(b)(6) motion to dismiss where employer failed to properly plead damage, i.e., impairment to integrity or availability of data, program, system, or information on its computer).
57 See, e.g., Condux Int’l v. Haugum, No. 08-4824, 2008 WL 5244818, at *8 (D. Minn. 2008) (concludes that plain language of statute requires “some alteration of or diminution to the integrity, stability, or accessibility of the computer data itself” to be damage under CFAA); P.C. Yonkers, 428 F.2d at 513 (franchisees were not entitled to preliminary injunction where they demonstrated that former employee of their franchisor accessed computer system and did not show any information was taken; absent something more than mere access, franchisees could not succeed on their claim).
58 Brekka, 2009 WL 2928952, at *8 (CFAA claim against employee failed because of contradictory evidence between the employer’s own witness and expert evidence).
59 Id. at *6.
60 Id. at *1.
61 Id. at *6.
62 Id. at *6
63 Id. at *6 (quoting United States v. Santos, 128 S. Ct. 2020, 2025 (2008)).
65 Albert v. Albert, 38 Va. App. 284, 299 (2002) (citing Walker v. Henderson, 151 Va. 913, 927-28 (1928)).
66 Matter of Garfinkle, 672 F.2d 1340, 1346, n. 7 (11th Cir. 1982) (quoting Peninsula Land Co. v. Howard, 6 So. 2d 384, 389 (Fla. 1941)).
67 Cont’l Group Inc., 622 F. Supp. 2d at 1377.
Washington, DC (TFC) – In the United States, computer crimes are typically prosecuted under an obsolete and anachronistic law known as the Computer Fraud and Abuse Act, or simply CFAA. The CFAA is a vague piece of shit legislation, written in a time before personal computers were in everybodys homes and pockets, and before the internet as it exists today even existed. At its heart, the law was intended to protect U.S. Government computer systems, systems owned and operated by financial institutions, as well as computers “affecting interstate and foreign commerce and communications”. Because the internet is, by design and by definition, nothing more than a collection of computers affecting interstate and foreign commerce and communications, the CFAA can be applied to virtually anyone, anytime, and for almost any reason.
Since being enacted into law in 1986, the CFAA has been the favorite means of the U.S. Government to prosecute everybody, from Kevin Mitnick to Aaron Swartz. Violations of the CFAA can carry as much as a life sentence in some cases, and have carried potential restitution totaling over a million dollars. Violations of the CFAA can range from simply violating a websites terms of service to distributing malicious code; from trafficking in passwords, to hacking government networks. Any computer or network that could reasonably be described using the intentionally vague adjective “protected” is covered by the CFAA. In practice, the CFAA can be applied to any number of activities not explicitly written into the law, depending essentially on who you’ve managed to piss off and how important they think they are.
In 2012, for instance, Adam Nafa was charged with violations of the CFAA for making a YouTube video promoting Op Telecom, a DDoS in protest against Verizons systematic corporate greed and their efforts against the proposed Net Neutrality Act. Adam was charged with conspiracy to damage a protected computer under 18 U.S.C. 1030 (c)(4)(B) (i) and (ii), despite the fact that the proposed DDoS never actually took place. Simply suggesting that it should take place was enough for the government to arrest Adam and charge him with conspiracy to violate the CFAA. After being threatened with years in prison and exorbitant punitive restitution, Adam was forced to accept a plea deal for probation and restitution totaling $18,500, even though no damage was ever done to Verizons’ networks. The proposed DDoS never actually took place.
From the time of his arrest until the time he accepted his plea deal, Adam was prevented from using a computer for any reason, including assisting in his own defense, potentially violating his 6th amendment rights. As a condition of his plea deal and subsequent probation, Adam was given strict computer use monitoring and restrictions. In essence, Adam made a YouTube video that pissed off Verizon enough to sic the might of the U.S. Government on him and attempt to crush him under the weight of the cumbersome CFAA. Resistance is futile, dissenters will be shot on site; we’ll bill you for the bullet later.
In 2012, a man named Higinio Ochoa, also known as W0rmer, was charged with multiple violations of the CFAA. Before he was even convicted of a crime, as a condition of his bond, he was completely banned from using a computer of any sort for any reason, again potentially involving his 6th amendment rights. In order to fulfill the conditions to secure his release from prison, he too was ordered to participate in strict computer monitoring. A somewhat amusing, albeit unintended side effect of his post release restrictions was that he was, for all intents and purposes, unable to even apply for employment: another condition of his release. This created a sort of slapstick feedback loop wherein he could not be released unless he accepted gainful employment but could not apply for employment to begin with due to his overbearing computer use restrictions, and the fact that most employers do not even offer paper applications anymore. Short of scribbling his resume on a piece of cardboard with a crayon and standing outside of Starbucks shaking a cup, he was screwed. Somewhat comically, he was banned from using any cell phone that has access to the internet. Trying to find a phone these days that cannot access the internet is about as easy as trying to find a rainbow colored Unicorn that grants magical wishes. Before Higinio could even attempt to abide by the conditions of his release, his wife and newborn son were forced to move 4 hours away from his hometown and his family because the government allegedly was unable to monitor his computer use where he had intended to live, a dubious claim at best.
One final and particularly troubling example is the case of Jon Cowden. Jon was charged and found guilty of violating the CFAA in relation to his attack on a state-run Israeli government website. He was also charged with hacking Mayor Francis Slay of St. Louis during the Occupy camp evictions. Jon accepted a plea deal for 21-27 months in prison, which was later reduced to 15 months due to mitigating circumstances that included a prior diagnosis of bipolar disorder, manic depression, and alcoholism. Jon has suffered severe PTSD as a result of his incarceration, which continues to be debilitating to this day. Jon’s post release restrictions have had tragically damaging consequences that have made it impossible for him to find work, and therefore support himself. All of Jon’s computer use is monitored as a condition of his release. He is also required to notify any potential client or employer that they are subject to federal search and seizure of all electronics, should Jon decide to break the law again. Jon is essentially required to wear his conviction like a scarlet letter and inform anyone who might be remotely interested in hiring him that he is a potentially massive liability, to the effect that he is now homeless and has been completely unable to find work for himself.
Computer use restrictions are not unique to Hacktivists prosecuted in the United States. Most so-called western countries have their own laws that mimic or mirror the CFAA in whole or in part. Adam Bennet, aka Lorax, arrested in Australia for allegedly hacking government websites, has been subject to harsh internet use restrictions since his arrest. As his case drags its way through the Australian court system, Adam is only allowed to use the internet for communicating with his lawyer to assist in his own defense and for conducting financial transactions, a particularly amusing fact considering that the CFAA in the U.S. was intended specifically in part to protect financial institutions. Two people arrested in connection with Adam’s case, “absantos” and “rax,” are currently under similar restrictions. None of these individuals have been convicted of a crime. Two people arrested in Italy in connection with Operation Green Rights, and three arrested in France in relation to other Hacktivism related computer crimes are all facing similarly oppressive restrictions. None have been convicted of any crime.
These are but a few cases where egregious and punitive computer use restrictions have had devastating consequences for not only the individual convicted, but their friends and family as well. These restrictions exist solely as a result of the terms of laws like the CFAA and the leeway given to prosecutors, judges, and probation officers in deciding how much and how long a person convicted of a computer related crime should suffer for their sins. If Jon Cowden had flown to Israel and simply unplugged the server hosting the website he was convicted of hacking he would likely face jail time, but would not have to suffer the consequences of his computer use restrictions, even though the result would be essentially the same. The website would go down, Jon’s point would be made, but his life would not be in the shambles it is today.
But that’s the point, isn’t it? Where sentencing guidelines and plea deals fall short, the Government has itself a mighty hammer in computer use restrictions, to the effect that everyone starts to look like a nail. Computer use restrictions are, in effect, an invisible prison that surrounds an individual arrested for or convicted of computer crimes. Unlike someone convicted of any number of violent felonies who can serve his sentence and walk away with his freedom,people convicted under the CFAA and similar laws may find themselves imprisoned after release for some minor insignificant violation of their computer use restrictions, regardless of the nature of the violation or even if the violation was intentional or not.
As in the case of Jon Cowden, computer use restrictions can and often do affect a persons ability to find employment. Aside from the obvious impossibility of submitting or even creating a resume without use of a computer, employers are often uncomfortable hiring someone who brings with them the baggage of constant computer monitoring and the implied liability and potential financial loss that comes with hiring someone shackled by computer use restrictions. This has the effect of forcing often talented computer programmers and engineers to accept employment outside of their knowledge base, for a fraction of the pay they could otherwise earn if they were able to work in their own field. In order to pay restitution, a person needs a job. In order to get a job, most people need to have some access to computers, including the internet. If a person cannot pay his restitution he will eventually be returned to prison: and on, and on, and on.
As has been demonstrated, computer use restrictions are often more damaging to the individual, the friends, and the families of those convicted than their inevitable detention and incarceration, and in fact may lead to further detention and incarceration down the road. These people were convicted of nonviolent, essentially victimless crimes, yet face continued incarceration, even where there are no bars, no guards, no shanks, no strip searches. These people were activists behaving in what they believed was the most moral way they knew how, prosecution be damned. They chose to stand up for a cause in which they believed and as a result they get to bend over and take it, years after their incarceration has ended. Computer use restrictions that include computer monitoring represent one way for the government to keep a person incarcerated indefinitely and beyond the terms of their pleas or sentences. They are applied exclusively to people convicted of violating laws like the CFAA, and disproportionately to Hacktivists specifically.
Computer use restrictions are but one glaring symptom of a fundamental disconnect between how the law sees Hacktivists and how Hacktivists see themselves. The cops, judges, and prosecutors watch too much TV, basing their opinions on the last cheesey action movie where some kid takes out the entire internets. Rather than educate themselves about the technology and the reality of just how little actual damage is ever really done, they rely on pure fiction and innuendo to demonize Hacktivists in the minds of the public, and indeed in their own minds. On the other hand, you have Hacktivists who are intimately familiar with the technology and the reality of what kind of damage is actually done during the commission of their so called crimes. They see themselves as being on the morally right side of things, little more than protesters trying to be proactive in affecting change in the only way they know how. While the governments who prosecute these cases would have us believe that but for their swift and merciless action we would all be sent back to the stone age every time some kid DDoSed Walmart, the reality is far more benign. The so called victims in all of these cases are the corporations who are killing us and the Governments that allow them to do it. That a conflict of interest may exist in even prosecuting these cases is lost on them entirely.
For more information on the CFAA, Computer Use Restrictions, and Hacktivism related arrests in general, please visit http://www.freeanons.org.
~Sue Crabtree, Guest Fifth Columnist
Call to arms, fides infinitum #Anonymous
The freedoms of the internet are under assault by our own ignorance and those who chose to exploit this ignorance. Governments around the world are becoming increasingly oppressive of our online activities. We’ve seen laws like the CFAA law in America that was written in the eighties and has no impact or relevance to our internet, destroy the lives of young geniuses and their families. The United States Government doesn’t stop there they use this CFAA law to prosecute globally by exploiting extradition treaties in conjunction with the CFAA law. A perfect example of this is the grotesque extradition order that was signed for Lauri Alexander Love.
Where does this end with another suicide? With the world losing another irreplaceable mind like Aaron Swartz? If you look at the recent events in last ten years involving the relentless crusade to quiet information seekers, truth revealers’, corporate squealers, hackers, activist, and Hacktivist. You have to be alarmed and if you aren’t then you have Stockholm Syndrome. I have screamed from the rooftops for years that this is not justice or peace nor even a sliver of liberty it’s information tyrants hellbent on keeping us aimless plastic bags aloft in their propagandist bliss. I refuse to be silent anymore, I refuse to be afraid and I refuse to be a target. You gave us technology, just because we know how to use it better than you do, please don’t be mad at us. You love collecting evidence and building cases against innocent people whilst the real truly heinous offenders are given proverbial slaps on the wrist or their given treatment. In a hacker or activist’s case you cant offer treatment because you’ve never quite understood who we are and this is by far is the most frightening thought each and every one of you alphabet agencies ponder each day and your solution is oppression. The unknown is the uncontrolled and the uncontrolled are an obviously risk to your control, does that frighten you? Of course it does. We will not be lured like fish into your BOP fish tanks nor will we allow Lauri Love to extradited to the United States, we will not stand idly by and let you hide your heinous acts of torture, we will not sit idly by as you crucify our geeks or watch as the United States government destroys another family’s life, WE the People have had enough! This is not about what your political views are, these are human beings most them smarter than you or I but they would never boast about that. In the name of liberty and humanity we must stand together as one collective with one mission to demand the CFAA law be amended and to remind the powers that be that this is #OurInternet.
A global protest is being planned do you want to be apart of it?
Do you believe #OurInternet is at risk?
Do you believe Aarons Law should be passed?
Do you support Internet Privacy?
Do you condemn the Extradition of Lauri Alexander Love?
Do you support #FreeAnons?
Then please contact our twitters @Dapeaple, @AaronsLaw2017 @OpStandUp2CFAA
Fides Infinitum #Information
We the people
Exuding free speech
Deserve nothing less than