Computer Fraud and Abuse Act

With the ever-evolving computer world, there has been a rise in computer fraud and crime, which needs to be addressed keenly with strict regulations put into place. This paper describes the Computer Fraud and Abuse Act and how it has a global and economic effect. Technology is a basic necessity for any business in the current world. Business people need to use computers to research their competition, current trends in the market, existing market gaps and other factors that can improve their business. It is therefore impossible, in the current economy, to avoid using computers.
Recently, the Ransomware virus brought most large companies down by shutting down computer systems and thereby limiting operations. When such events occur, the economy of the affected state or country will definitely go down, and investors will not risk their money in such an organization until it can pick up again. In the current trend, hackers and cybercriminals seem a step ahead of business organizations and countries when it comes to cybersecurity. A small miscalculation by an organization or country in trusting the wrong person can result in effects felt by everyone involved, directly or indirectly. This clearly shows that it is very important to ensure that effective cyber laws are put in place.
Regarding globalization, international companies are bound to fail if their computer systems, especially at the headquarters, are hacked. This means managing and communicating with other branches across the world will be impaired. Such big organizations create many employment opportunities, enhance peace and foreign trade, maximize productivity and produce quality goods and services at an affordable price. Where globalization is hindered, the economy of a country will eventually be affected, and subsidized goods and services may be eliminated. In as much as organizations should protect their data, nations should come up with laws that encourage foreign trade and interactions with other nations and thereby promote globalization. Among these laws, computer laws should be implemented.
The Computer Fraud and Abuse Act aims at prohibiting criminal activities in the cyber world, thereby enhancing the economy and globalization. In the 2008 amendment, the Act included anyone who conspired to commit a cybercrime as an offender of the law. Further, the jurisdiction of the act was expanded to involve all the states in the USA. Offences were increased to include threats of data theft, exposure of stolen data and failure by the offender to repair the harmed computer. The loss limit of $5,000 was replaced with causing damage to ten or more computers.
A criminal under this act is defined as anyone who, without authority or through excessive authority, accesses information of a company using a computer, or conspires to illegally access data. Such information includes financial records of a company, any information from a protected company and data from any government office of the USA. This information can be used to blackmail victims for ransom, to expose private and sensitive information such as the key success strategies of an organization, and to defraud. Using programs and software to access a computer and cause damage or loss, defraud, divert traffic on a site, lock out users and ask for money, and other related activities have been listed as criminal activities.
Inasmuch as this act has been helpful, it has broadened its scope so much that it is becoming difficult for courts to make sensible verdicts. For example, in both the Morris case (1988) and the Drew case (2008), the defendants were found guilty of a similar offense, which left most people wondering how this could be possible: Morris introduced a worm into several computers, some of which crashed. Drew, on the other hand, created a fake MySpace account and lied to Meier, which eventually led to the death of Meier. The victim was below 14 years, which was prohibited in the terms of service. In another case, Aaron Swartz committed suicide in 2013 after the prosecution increased the number of his offenses and thereby the penalty he would have to pay if he were found guilty. At the moment there are efforts being made to pass Aaron’s bill into law. Such effects of the CFAA have raised the need to amend the laws so as not to bring harm to the innocent and also to provide a fair verdict to offenders.
The Computer Fraud and Abuse Act states that if a person accesses a computer without authorization or uses excessive authority to obtain information from a protected computer, either for local or foreign use, then the person is treated as a criminal and punished by this act. The Computer Fraud and Abuse Act was first introduced in 1986 after an amendment was made in 1984 to the then Counterfeit Access Device and Abuse Act that was enacted in 1984 (Aaron Kelly lawyer, 2017). The law underwent some minor textual changes in 1988 and was used to convict Robert Morris Jr. for creating the first computer worm. This would just be the beginning of computer viruses. Between 1989 and 1990, financial institutions were included to be protected by the act.
In 1994, one of the first major amendments to the Act was made. Civil action was included in the act, meaning that a citizen could take another to court for stealing computer information from them. Computers by this time were no longer owned by government organizations only. Tampering with a computer was to be treated as a reckless action with a more severe punishment. However, these amendments were still limited to government proceedings.
In 1996, after much debating, the act was expanded to include illegally accessing information from any federal computer and all private computers engaging in e-commerce, whether local or foreign. A new term, “non-public”, was added to the act. It meant that where people were allowed to access a computer, they were not to commit any computer-related crimes using the granted access. Also, accessing information with the aim of deleting or doing away with some files was to be treated as an offense after the amendment. Tampering with information was further classified as negligence, and blackmailing for money was also included in the act. A new definition was given to the term “damage” (Aaron Kelly lawyer, 2017).
In 2001, further amendments were made. The term “loss” was further defined, penalties were increased, and other offenses such as terrorism, money laundering and wiretapping for felony activities, provided computer systems were used, were included in the act. In the same year, protection of computer systems was expanded beyond territories. The Patriot Act, which refers to the 2002 amendment of the act, involved minor textual changes. The prosecution and the federal government were given more authority to stalk and prosecute suspects of cybercrimes (Aaron Kelly lawyer, 2017).
The 2008 amendment, commonly referred to as the Identity Theft Enforcement and Restitution Act, was meant to include conspirators of a cybercrime alongside the cybercriminals themselves. These conspirators were termed the masterminds behind the whole crime and ought, therefore, to be punished. The jurisdiction of the act was expanded to involve all the states in the USA. During this amendment, 18 U.S.C. § 1030(a)(7) was expanded to include threats of data theft, exposure of stolen data and failure by the offender to repair the harmed computer. The loss limit of $5,000 was replaced with causing damage to ten or more computers (Aaron Kelly lawyer, 2017).
Aaron’s Law is a bill that was introduced in Congress by Zoe Lofgren in 2013 after the defendant, Aaron Swartz, committed suicide when the prosecution sought to increase his charges and sentence. This raised a lot of questions, and there was a need to modify the Computer Fraud and Abuse Act, as stated by Lofgren. However, the bill died in Congress the same year. An attempt to reintroduce it in 2015 was unsuccessful due to lack of commitment and pressure on Congress (Page, 2015). There have been marches recently, and collection of signatures, in an attempt to petition for and reawaken Aaron’s Law, which aims at ensuring no other victim is hurt by the CFAA’s war against illegal computer activities. This will be achieved by creating new clauses that ensure breaching terms of service does not automatically result in a CFAA violation, making penalties proportionate, and specifying terms to avoid confusion and similar case rulings in totally different scenarios (Electronic Frontier Foundation, 2017).
When the law was made in 1984, there was only CompuServe which provided email services. Although no case of computer abuse had been reported, the legislators looked into the future and saw a possibility of cybercrimes. However, the laws made have proved to be inadequate throughout the years, and the prosecution has exploited this failure to victimize computer related criminals and serve their personal interests (Kim Zetter Security, 2014). Both extreme and minor criminal cases have been treated alike, and confusion has been created with questions raised on how this act has been interpreted.
In 1988, Robert T. Morris, the son of an NSA computer expert, made the first worm program, which according to his father was the work of a bored, intelligent student. The then 23-year-old graduate student at Cornell University created a worm that crashed several computers and led to an awakening in computer security. The prosecution aimed at charging him with unauthorized access with the aim to damage, but the defense put up a strong case that Morris had no ill intentions, as was clearly shown immediately after the worm hit the first computers. He was sentenced to three years of probation and a fine of $10,000 (Lee, 2013).
Lori Drew, the mother of 13-year-old Sarah, created a fake MySpace account with the aim of teaching 13-year-old Megan Meier a lesson after Megan called Sarah an ugly lesbian. Drew, with the help of one of her employees, Ashley Grills, created an account for Josh Evans, who lived in the same neighborhood and had good looks, in an effort to attract the attention of Megan, which was achieved. Using this account, messages were exchanged, and Megan seemed hooked. At one point, Drew wanted to arrange a meeting between Josh and Megan, upon which they would show up and tease her. However, this did not happen and, to achieve the sole purpose of the account, a message was sent by Grills to Megan saying that the world would be better without her and she should have a lousy rest of her life. To this, Megan replied that some boys are worth a girl dying for. Megan then killed herself in 2006. The trial was considered the first cyberbullying case in the USA (Hamilton, 2009).
During the trial, the prosecution sought to convince the jury that Drew accessed the computer without authorization and hurt a depressed girl, leading to her death. However, the defense tried to bring the jury back to the legal basis of the case, which concerned computer access (Glaister, 2017). In the end, Drew was charged with violating MySpace terms of service, which Megan too had violated since she was only 13 and the site had an age limit of 14. Most people create fake accounts every day, and no one reads the terms of service anyway. This leaves one wondering how two different cases (the Morris and Drew cases) can be treated under the act when they are so different (Wolff, 2016). In their defense, the prosecution said they used a novel interpretation of the Computer Fraud and Abuse Act since most states did not have laws against cyberbullying (Kim Zetter Security, 2014). Clearly, there is a need to make changes to this act to avoid overbroad interpretation by the judges.
A similar case that hit the headlines was Aaron’s case. Aaron Swartz was an internet activist who cofounded Demand Progress, an advocacy movement, and had a hand in developing RSS standards. He was accused of continuously stealing academic work issued by JSTOR services from MIT despite being warned to stop. He did this by spoofing his computer’s MAC address and thereby bypassing a block placed on the address by MIT. Although the service provider did not press charges, the prosecution aimed at charging Swartz excessively, which drove him to despair, and he committed suicide in 2013. This caused a lot of public reaction, and two lawmakers, Zoe Lofgren and Ron Wyden, introduced an amendment called Aaron’s Law which would limit the prosecution’s jurisdiction and thereby avoid excessive interpretation of the CFAA. The bill has never gone past Congress, and there has been gathering of signatures in an effort to reintroduce the bill.
These are just three cases out of hundreds which can prove that the CFAA has not served the purpose it was meant to. Instead, the prosecution has used this law to excessively charge offenders and create confusion regarding the jurisdiction of this act. It is thus of utter importance that this act is amended fully in a manner that is very specific and which eliminates speculations, excessive fines and sentences for computer frauds and related crimes. This act is made up of frauds and criminal damaging clauses which are in fact covered by other laws.
Some terms such as “loss,” “access” and “authorization” have been poorly defined, and this has given the prosecution an opportunity to distort the words and criminalize victims for non-existent crimes and for acts that should not fall within these terms. It is clear that Congress cannot handle technological aspects and needs therefore to seek expertise in the computer world to come up with adequate and efficient laws instead of dwelling on amendments which, instead of solving the problems at hand, create more complications. Further, technological advances are on the rise, and the scope cannot be covered by an act implemented thirty years ago when the internet was first introduced into the world (Simmons, 2016).
Imagine a world where there were no rules and people acted on their own accord without any guidelines. The difference in opinion would definitely lead to a lot of chaos. Everyone is right at their angle, and this brings the need to bring in a neutral third party that puts everything into consideration. With the introduction of the internet, lawmakers foresaw the need to put necessary regulations in place which will help solve disputes that were bound to occur. Four years after the original version of CFAA was implemented, the first person was convicted under the CFAA. This section describes what the act covers and how beneficial it has been throughout the years since its enactment, despite its weaknesses.
The CFAA can be categorized into broad sections which describe the crime and the remedy specified by the act, either as civil or criminal action. Espionage is where a person knowingly accesses private information from government computers. It is generally assumed that a person who tries to access this information is a spy (Lamance, 2016). This can be done by a government employee, who is then said to have exceeded their authorization. Where an outsider accesses classified information, it is relatively easy to trace their activities and hence track them down and possibly shut them out. Unauthorized access to government computers is another section in the CFAA that is relatively close to espionage. However, in espionage, the prosecution has to prove beyond reasonable doubt that the offender meant to use the information to injure the US or to the advantage of a foreign country. In unauthorized access to government computers, the offender has to have exceeded authority or never sought access in the first place, and had no malicious intent that would sabotage the country’s state of affairs. The penalty is under five years of imprisonment for a first-time offender and fines as deemed due, depending on the judge and the extent of the damage. The penalty is under ten years imprisonment and under 20 years for a repeat offender (Cybertelecom, 2016).
In the Confidentiality of Computer Data section, strict specifications have been laid down to protect financial records and other files related to financial institutions. Also, accessing personal computers without authorization is covered in this section, and a civil action may be brought forward against the offender. Computer fraud is where an offender accesses a protected computer and through fraudulent means obtains goods and services whose worth exceeds $5,000 within a year. The offender must have accessed a protected computer without authorization or exceeded authorization, and had the intention of defrauding. A penalty of not more than five years may be given (less than ten years for repeat offenders), along with a fine as stated under 18 U.S.C. 1030(c)(4). 18 U.S.C. 1030(g) allows the plaintiff to seek relief for damages done (Cybertelecom, 2016).
Viruses are on the rise during this era of technological advancement. It started with the worm made by Robert Morris Jr. in 1988. His was unintentional, and he has proven over the years that he had no motive and was just a brilliant, bored student. His discovery helped most organizations put security measures in place in case of similar occurrences. It also challenged similarly brilliant people to come up with worse and far more damaging viruses. The CFAA prohibits anyone from introducing, without authorization, a program or code into a protected computer which results in damage. Where a person shares passwords or uses them to access classified information or divert site traffic, whether in interstate or foreign business activities, they are treated as offenders and ought to be convicted under this act. Depending on the extent of the damage caused, imprisonment of one to ten years is stated as the penalty, with a fine accompanying it (Legal information institute, 2017).
Extortion is where a person accesses information from a computer without authorization or exceeds the authorization granted and, using this information, threatens and blackmails the owner of the information in exchange for money or any other valuable property. This has been observed as a common trend, and people have been forced to pay ransom to avoid exposure and scandals. Most of these cases are never taken to court, and the victim suffers silently. The penalty and fine specified are similar to those for fraud charges (Legal information institute, 2017). This is just a general summary of the crimes specified in the CFAA and their penalties.
The CFAA has also specified the meaning of terms such as a protected computer, loss, computer, financial institution, financial records, exceeds authorized access and other terms with an effort to minimize confusion and getting out of context. Although this is one of the reasons reforms are being called for, the fact that CFAA is specific to some extent and has effectively settled many cases amicably cannot be ignored entirely (Legal information institute, 2017).
The CFAA needs to be modified in such a way that it will include three factors. First, in the reforms, the law should quit copying other laws that have been implemented and thereby narrow down its scope. For example, if a person accesses a government computer with the aim of spying on the government and assisting foreign countries, then such a person should be charged under the Espionage Act (1962). Secondly, there should be provision for future changes in the evolving computer world, and lastly, the lawmakers should provide guidelines to prosecutors, citizens, and courts on the new concepts included in the act (Simmons, 2016).
Most of the lawmakers have no adequate knowledge when it comes to matters concerning computers and cybercrimes, which raises the need to hand over the responsibility to the administration. Here, experts will be sought to come up with effective and current laws that are very specific and cover the whole scope of computers. Further, the laws would be analyzed keenly by legislators to ensure that a replica of the failures of the current act is eliminated. With this, failing to read the terms of service (which basically no one does) and thereby breach them will not be treated as a similar crime as hacking into someone’s website and stealing client data (Couts, 2013).
Search the internet anytime concerning the CFAA, and the first results push for reforms and discuss at length the failures of the act despite its being in place for three decades. The amendments that have been made seem to be complicating matters instead of improving them, and the manner in which this matter has been treated raises questions concerning the conscience of the lawmakers and the prosecution, whose overzealousness has resulted in unfair trials. Robert Morris Jr. brought massive changes to the internet world and was very apologetic for his actions. He has led a quiet life and has never tried to commit any other computer crime. Lori Drew, despite giving false information, has faced a lot of cyberbullying, and the prosecution has done nothing about it, yet both Drew and Megan failed to observe the terms of service of MySpace (Hamilton, 2009).
Some courts have interpreted the CFAA very narrowly in an effort to acquit innocent computer users. In their interpretation, a person violates the act if he obtains information without prior authorized access. This, however, does not put into consideration that the user might misuse the information. An employee would therefore not be charged for snooping around other employees’ records or selling employer’s strategies to a competitor. This interpretation in an effort to exclude innocent online users has been used by the defense to obtain minimal or no charges. This has been well shown in the United States v. Nosal case, where David Nosal, an employee at Korn/Ferry International obtained company information from other employees and used it in his own competitive firm.
Other courts have interpreted this act too broadly, and in such a situation, everyone is committing a felony by failing to read the terms of service of their web service provider or by using their employer’s information for their own benefit despite having express or implied permission. Using this interpretation has caused the prosecution to overcharge offenders, for example Aaron Swartz, who got frustrated by the heavy charges against him and the possible penalty were he found guilty. This drove him to commit suicide. Confusion has also resulted from too broad an interpretation. Completely different cases have been treated as the same, with the prosecution pressing the same charges. This has been observed in the Lori Drew and Robert Morris cases, which were completely different cases but in which the offenders were charged under the CFAA for unauthorized access to cause damage.
With the above argument, it is necessary that some action should be taken. The law is meant to protect the people, not hurt them or not offer justice to victims. At the same time, the CFAA act is out of date, and continuous use of the same clauses has given the prosecution the power to interpret them differently, and press charges that do not offer a remedy to the victim and yet unjustly take an offender to trial. Also, by transforming the act completely, the now growing number of internet activists and movements seeking reforms would have their demands met without further action on their part.
1. Aaron Kelly lawyer. (2017). The United States Computer Fraud and Abuse Act of 1984 Summary | Internet Law Attorney. Retrieved from http://www.aaronkellylaw.com/computer-fraud-and-abuse-act-us-summary/
2. Couts, A. (2013, January 17). You are probably unknowingly breaking laws online thanks to the CFAA. Retrieved from https://www.digitaltrends.com/web/understanding-the-cfaa/
3. Cybertelecom. (2016, August 17). Cybertelecom :: Computer Fraud and Abuse Act. Retrieved from http://www.cybertelecom.org/security/crimeover.htm
4. Electronic Frontier Foundation. (2017). Computer Fraud And Abuse Act Reform. Retrieved from https://www.eff.org/issues/cfaa
5. Glaister, D. (2017, July 14). Lori Drew found guilty on lesser charges in MySpace suicide case. Retrieved from https://www.theguardian.com/world/2008/nov/26/myspace-suicide-cyber-bully
6. Hamilton, K. (2009, August 31). Acquitted “Cyber Bully” Lori Drew Finds Herself a Victim of Online Tormenters. Retrieved from https://www.riverfronttimes.com/newsblog/2009/08/31/acquitted-cyber-bully-lori-drew-finds-herself-a-victim-of-online-tormenters
7. Kim Zetter Security. (2014, November 28). Hacker Lexicon: What Is the Computer Fraud and Abuse Act? Retrieved from https://www.wired.com/2014/11/hacker-lexicon-computer-fraud-abuse-act/
8. Lamance, K. (2016, July 19). Computer Fraud & Abuse Act | LegalMatch Law Library. Retrieved from https://www.legalmatch.com/law-library/article/computer-fraud–abuse-act.html?redesigned=1
9. Larkin, P. (2013, June 19). Reasonably Construing the Computer Fraud and Abuse Act to Avoid Overcriminalization. Retrieved from http://www.heritage.org/government-regulation/report/reasonably-construing-the-computer-fraud-and-abuse-act-avoid
10. Lee, T. B. (2013, November 1). How a grad student trying to build the first botnet brought the Internet to its knees. Retrieved from https://www.washingtonpost.com/news/the-switch/wp/2013/11/01/how-a-grad-student-trying-to-build-the-first-botnet-brought-the-internet-to-its-knees/?utm_term=.1767ec104155
11. Legal information institute. (2017). 18 U.S. Code § 1030 – Fraud and related activity in connection with computers. Retrieved from https://www.law.cornell.edu/uscode/text/18/1030
12. NACDL. (2017). NACDL – Computer Fraud and Abuse Act (CFAA). Retrieved from https://www.nacdl.org/cfaa/
13. Page, V. (2015, March 30). Aaron’s Law. Retrieved from https://www.investopedia.com/terms/a/aarons-law.asp
14. Simmons, R. (2016, February 3). The Failure of the Computer Fraud and Abuse Act: Time to Take a New Approach to Regulating Computer Crime by Ric Simmons :: SSRN. Retrieved from https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2726662
15. Wolff, J. (2016, September 27). The Computer Fraud and Abuse Act Is 30 Years Old. It’s More Confusing Than Ever. Retrieved from http://www.slate.com/articles/technology/future_tense/2016/09/the_computer_fraud_and_abuse_act_turns_30_years_old.html