Computer Fraud & Abuse Act
© Cybertelecom :: Unauthorized Access to a Computer + Theft or Misuse of Information
He who seeks to deceive will always find someone who will allow himself to be deceived.
~ Niccolò Machiavelli, The Prince, 1513

There's a Sucker Born Every Minute.
- Attributed to PT Barnum

Theft of Information
The Computer Fraud and Abuse Act also deals with crimes over the network where the hack is targeted to swipe information (note that a hack may involve both damage to the network and theft of information; violation of one provision does not preclude violation of another).
The following bad deeds may constitute violations of the Computer Fraud and Abuse Act:
Classified Information / Espionage
Whoever
- Hacks a computer (“knowingly accessed a computer without authorization or exceeding authorized access”),
- Swipes classified information,
- Believes that this information will harm the US or benefit “Charlie” (where “Charlie” is any country other than the US), and
- Transmits it to someone other than the Feds, or doesn’t transmit it.
18 U.S.C. § 1030(a)(1). [NIIP]
Derived From: Charles Doyle, Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws, Congressional Research Service (Dec. 27, 2010)
Paragraph 1030(a)(1) essentially tracks existing federal espionage laws, 18 U.S.C. 793, 794 and 798, that ban disclosure of information potentially detrimental to U.S. national defense and well being, or more simply laws that outlaw spying. The distinctive feature of paragraph 1030(a)(1) is its merger of elements of espionage and computer abuse. Broken down into a simplified version of its constituent elements it bars anyone from:
- either willfully disclosing, willfully attempting to disclose, or willfully failing to return
- classified information concerning national defense, foreign relations or atomic energy
- with reason to believe that the information either could be used to injure the United States, or could be used to the advantage of a foreign nation
- when the information was acquired by unauthorized computer access.
Penalties: not more than 10 years (not more than 20 years for repeat offenders) and/or a fine under title 18, 18 U.S.C. 1030(c)(1).
Other Crimes: Espionage prosecutions are not common. The attempt, conspiracy and complicity observations continue to apply, and the RICO (18 U.S.C. 1962) and money laundering (18 U.S.C. 1956, 1957) provisions may be implicated through the application of sections 793, 794 or 798 to conduct that offends paragraph 1030(a)(1).
Government Information
Derived From: Charles Doyle, Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws, Congressional Research Service (Dec. 27, 2010)
One step beyond simple hacking is the prohibition against acquiring certain protected information by intentional unauthorized access. It covers three types of information—information of the federal government, consumer credit or other kinds of financial information, and information acquired from a protected computer.
Penalties: Simple violations: not more than one year and/or a fine under title 18, 18 U.S.C. 1030(c)(2)(A); violations for gain or involving more than $5000: not more than five years and/or a fine under title 18; repeat offenders: not more than 10 years and/or a fine under title 18, 18 U.S.C. 1030(c). Offenders are also subject to civil liability, 18 U.S.C. 1030(g).
Paragraph 1030(a)(2) is somewhat unique. There are a host of other federal conversion statutes, but all of the others appear to require that the offender either commit embezzlement by failing to comply with some fiduciary obligation or commit larceny by intending to acquire the property or to deprive another of it. Paragraph 1030(a)(2), in contrast to the conversion statutes and to the computer fraud provisions of paragraph 1030(a)(4), requires no larcenous intent.
18 U.S.C. § 1030(a)(2)(A).
Swiping Information from Protected Computers
Whoever
- Hacks a computer, and
- Swipes financial records or [S Report No 99-432 at 6] information.
[This provision is a reaction against "United States v Brown, 925 F2d 1301, 1308 (10th Cir. 1991), where the court held that purely intangible intellectual property, such as a computer program, cannot constitute goods, wares, merchandise, securities, or moneys which have been stolen, converted, or taken."]
[USA v Lori Drew] 18 U.S.C. § 1030(a)(2)(A)&(C). See Identity Theft. [IMS] [Shurgard]
But 1030(a)(2) is designed to redress hacking, not merely misappropriation of information in excess of existing authority (i.e., an employee who has authority to access a computer system and uses that access to swipe company records and give them to a competitor).
Fraud
"A claim under CFAA §1030(a)(4) has four elements:
- defendant has accessed a "protected computer;"
- has done so without authorization or by exceeding such authorization as was granted; [See Lockheed s III.B.]
- has done so "knowingly" and with "intent to defraud"; and
- as a result has "further[ed] the intended fraud and obtain[ed] anything of value.""
P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, 428 F.3d 504, 508 (3d Cir. 2005).
Other than simply scamming computer services of less than $5000 a year. [S Report No 99-432 at 10] 18 U.S.C. § 1030(a)(4). [Czubinski] [Pacific at 1195]
Derived From: Charles Doyle, Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws, Congressional Research Service (Dec. 27, 2010)
Paragraph 1030(a)(4) outlaws fraud by computer intrusion. Its elements consist of:
- knowingly and with intent to defraud;
- accessing a protected computer without authorization, or exceeding authorization;
- thereby furthering a fraud and obtaining anything of value other than a minimal amount of computer time (more than $5,000 over the course of a year).
Penalties: not more than five years (not more than 10 years for subsequent offenses) and/or a fine under title 18, 18 U.S.C. 1030(c)(4). Victims may sue for compensatory damages and/or injunctive relief, 18 U.S.C. 1030(g).
Other Crimes: Earlier observations with respect to attempt, conspiracy and complicity apply with equal force here. Other federal laws that might be implicated are: 18 U.S.C. 1343 (wire fraud); 18 U.S.C. 2314 (interstate transportation of stolen property); 18 U.S.C. 659 (theft from interstate carriers); 18 U.S.C. 1832 (economic espionage); 18 U.S.C. 1832 (theft of trade secrets); 18 U.S.C. 1029 (fraud involving credit cards and access devices); 18 U.S.C. 641 (theft of federal property); 18 U.S.C. 1001 (false statements on a matter within the jurisdiction of a federal agency or department); 18 U.S.C. 1014 (false statements on federally insured loan and credit applications); 18 U.S.C. 1010, 1012 (false statements concerning various HUD transactions); 18 U.S.C. 287 (false claims against the United States); 18 U.S.C. 1344 (bank fraud); 18 U.S.C. 657 (theft or embezzlement by officer or employee of lending, credit and insurance institutions); 18 U.S.C. 1005 (false entries by bank officers or employees); 18 U.S.C. 1006 (false entries by officers or employees of federal credit institutions); 18 U.S.C. 1007 (false statements to influence the Federal Deposit Insurance Corporation); 18 U.S.C. 2319 (copyright infringement); 18 U.S.C. 1956 & 1957 (money laundering); 18 U.S.C. 1962 (racketeering); 18 U.S.C. 1952 (travel act).
Punishment
Violations of the CFAA are punishable pursuant to 18 U.S.C. § 1030(c).
Data Retention
While ISPs are not currently required to retain data and records in general, they can be requested by a government entity to "take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process." The retention period is 90 days, which can be renewed. 18 U.S.C. § 1030(f).