(Course/Major)
In the aftermath of the suicide of Aaron Swartz, who hanged himself after Federal prosecutors charged Swartz with 11 felony cases that could landed him in prison for 35 years, there have been calls for reforming the Computer Fraud and Abuse Act (CFAA), the frontline statute tasked to combat cyber crime and fraud committed on the Internet.
The 1986 law was designed to providing a law to combat “unauthorized access” to large computers that are “time-shared”. In the past, the assumed threat was activities related to computer “hacking”- individuals who illegally gain access into computer databases, such as gaining illegal entry into a bank’s or any institution, or personal, data base or even Defense Department data bases and hacking into the nuclear arsenal of the United States.
Since the initial enactment of the law, it has been extended numerous times, including phases that the law was incorporated as part of the United States PATRIOT law. And with the spate of recent news of terrorist attacks on American diplomatic posts abroad, there is a growing call in Congress to once again extend the life of the law (Hendler 1).
The Swartz suicide has began to show the shifting of the purpose of the CFAA; in the past, the law was designed to restrict illegal entry to computers; at present, the design of the law is to seize property as a civil damages weapon. Over the years, various state legislatures and court systems, as well as the Federal courts and Congress, have addressed the illegal transfer of data bits unto someone else’s “chattel” or domain. Various states have enacted computer crime statutes to restrain and regulate illegal use of the Internet and other telecommunications tools. One case, Compuserve v Cyber Promotions, held that sending spam emails constituted computer crimes.
After this case and from the time of the initial enactment of the CFAA, Congress as well as the court system in the United States have expanded and embraced the concepts in the CFAA. The expansion has resulted in the law that is in effect today, a Federal law that prohibits illegal sending of data or extraction of data from another person’s computer. These actions in the context of the tenets of the CFAA are sanctioned both in the criminal sense as well as the civil litigation arena.
In summation, the legal canons listed in these laws and statutes-the CFAA, local and state anti-computer crime laws and “common law crimes with respect to trespass to chattels” mandate the aggrieved party, or the “chattel” owner, must be able to prove beyond contention that the activity of the hacker was illegal and unauthorized, and the owner suffered some degree of damage owing to the activity of the defendant; however, the legal barometers to show violations of the CFAA and state computer crime laws vary from jurisdiction to jurisdiction. There are portions of the CFAA that demand higher evidencing of damage for the law to hold the action as illegal (Goldman 1).
However, the law does not accurately define what comprises the action “exceeds authorized access, and this has resulted in the generation of considerable debate. Though the CFAA is designed as a criminal statute designed to decrease events of illegal hacking activities, amendments to the law introduced in 1994 allowed aggrieved parties to file for civil damages against parties accused of violating their rights under the CFAA.
This disparity in assigning a concrete, universally accepted definition of the term has allowed some enterprising prosecutors to file criminal cases that, upon further examination, do not actually involve gaining illegal entry into a computer, but more on the behaviors that the dispositions that the defendants exhibit and the prosecutors take offense at. Cases such as United States v Drew and United States v Nosal posited the contention that infringing on private agreements or violating company policies can be regarded as violations and can be litigated under the tenets of the CFAA.
However, there is a growing dissent to this policy and practice. These sectors claim that this should not the operating mechanism attendant to the law. Exacerbating the problem is the inordinately disparate and caustic penalty mechanism. In the penalty mechanism in the CFAA, first time offenses for cases of attempting to access secure computer/s bereft of the appropriate authorizations is traditionally punished by sentences of up to five years imprisonment. This sentence doubles for recidivists, in addition to hefty fines. For infringing on the other provisions of the CFAA, these can send the offender to prison for periods ranging from 5 years to life sentences. These extremely harsh punishments were said to be a significant in the suicide of Swartz (Electronic Frontier Foundation 1).
The drift in the scope of the CFAA was one the distinguishing features of Nosal. The CFAA imposes both civil and criminal punishments on those who infringe on the law. Often times, the CFAA is used in civil litigation cases as a tool coupled with trade secret laws in various states in order to prevent the abuse of confidential trade and business information and to gain Federal jurisdiction over the issue. In the case facts, Nosal left his company and formed a competing firm by persuading his former company’s existing and former employees to obtain confidential business information and then forward the information to Nosal.
After the United States Federal Bureau of Investigation (FBI) conducted an investigation into the case, using an email intercepted by the agency from Nosal, the government indicted Nosal as well as some of his cohorts. The indictment listed two violations of the CFAA committed by Nosal; one, that existing employees of Nosal’s former company accessed the database of the company and gave confidential trade information to Nosal. Two, that former employees of the company utilized the password of an existing employee to access the company’s database to give Nosal with the company’s source lists. In total, Federal prosecutors charged Nosal with eight counts of violating the CFAA.
The conviction of Nosal of the cases against him allowed the Supreme Court and the Ninth Circuit to chance to strengthen the scope of the CFAA. Critics of the law contend that the CFAA must only be used in the context of an anti hacking law, and opposed the tenet that the law encompasses a wide array of illegal activities involving computer and data systems. Narrowing the tenets of the CFAA will hamper the efforts of companies in safeguarding their trade secrets. In this light, the CFAA, even with the restrictive interpretation of the Ninth, reaffirms the use of the law as a vital toll against fraud and theft of trade information (Dial, Bush, Wheeler, Fisher and Moye 1).
Works Cited
Dial, Audra, Bush, Joel D., Wheeler, Clay C., Fisher, Jeffrey H., and Moye, John M. “United States: guilty verdict in critical Computer Fraud and Abuse Act trial”. <http://www.mondaq.com/unitedstates/x/237772/White+Collar+Crime+Fraud/Guilty+Verdict+In+Critical+Computer+Fraud+And+Abuse+Act+Trial>
Electronic Frontier Foundation. “Computer Fraud and Abuse Act reform”. <https://www.eff.org/issues/cfaa>
Goldman, Eric. “The Computer Fraud and Abuse Act is a failed experiment”. <http://www.forbes.com/sites/ericgoldman/2013/03/28/the-computer-fraud-and-abuse-act-is-a-failed-experiment/>
Hendler, James. “It’s time to reform the Computer Fraud and Abuse Act”. <http://www.scientificamerican.com/article/its-times-reform-computer-fraud-abuse-act/>
