Computer Crime Law Background
The statute, the Computer Fraud and Abuse Act (CFAA), Title 18 USC 1030, was passed in 1984, and amended several times since then, to fill a gap in then-existing law. If you “broke into” a home, an office or a business, you were guilty of burglary and trespass. If you “stole” documents or “damaged” property, you could also be prosecuted for theft or destruction. But with computers (and dial-up modems), the concepts of “trespass” and “burglary” and even of “theft” or “damage” were imperfect analogies. At the end of the day, what we call “computer crimes” are, in reality, crimes against information – its confidentiality, its availability and its integrity. Unlike the theft of a car or a horse, when data is “stolen,” it is still where it belongs. When digital data is “damaged,” it may simply be locked or inaccessible. When a computer system is “damaged,” the hardware and software may be functioning perfectly well. So Congress, first in 1984 and again in 1986, attempted to “fill the gap” created by the new technology, and passed a comprehensive but imperfect computer crime law.
The computer crime law focused on several types of possible mischief: computer “trespass,” theft of certain classes of protected information (e.g., national security information, federal banking and credit information, trade secrets), damage and destruction of computers, networks and databases (viruses, worms, denial of service and disruption), and trafficking in “counterfeit access devices” — stolen passwords, tokens, etc. The statute was modified to cover not simply “unauthorized access” to computers or databases, but also “exceeding authorization” to access a computer. Another modification expanded the scope of the types of information protected under the computer crime law to include “any information” on a computer.
The statute has both criminal and civil provisions. Under the criminal provisions, a United States Attorney may prosecute violations of the law either as a misdemeanor (trespass) or a felony (theft, damage, destruction), although some misdemeanors become felonies depending on the circumstances (e.g., “trespass” with intent to commit tortious conduct — including the “tort” of trespass). In one infamous case, a woman was prosecuted under the felony provisions of the statute for creating a MySpace page under a fictitious name (in violation of MySpace’s rules) to harass her daughter’s estranged friend (who ultimately committed suicide). The government’s theory in that case was that the defendant’s “access” to MySpace “exceeded authorization” since the rules required users to provide “accurate” information when opening an account.
What Did Congress Intend?
It’s not clear that this is what Congress intended when it passed an anti-hacking law.
In the case to be decided by the Supreme Court, a Georgia police officer, using his own credentials, accessed the Georgia online police database, not as specified in the user agreement “for authorized law enforcement purposes” but to look up criminal records and rap sheets for people he was paid by a third party to look up. Clearly a violation of policy, and maybe prosecutable under some law, but is it “hacking?” While the police officer’s access to the database was both lawful and authorized, it was his subsequent use and dissemination of the data obtained as a result of the lawful access that was prohibited. The Court will look to the language and history of the statute, its purpose and intent, and may give the law either an expansive or restrictive interpretation.
If the high court rules expansively, then virtually any violation of an agreement which involves electronic data, network access or online databases can be the subject of a CFAA lawsuit or criminal prosecution. A company “acceptable use” policy which prohibits “abusive” language in emails can be used to sue an employee for hacking when they “exceed [their] authorization to access [use]” the email system in violation of the policy. Companies that are granted access to cloud services, databases or networks but agree on how they will use or secure that data are not only subject to breach of contract damages if they fail to live up to their contractual obligations, but can be sued or prosecuted for hacking. And users of social media who run afoul of policies face not only “Facebook jail” but real jail as well.
The case is United States v. Van Buren, Supreme Court Dkt. No. 18-12024 and was argued before the high Court on Nov. 30, 2020. As the Court’s term ends at the end of June or early July, we can expect a ruling before then.
If you have questions about the case or its potential implications, please reach out to Mark Rasch at firstname.lastname@example.org or 301.547.6925.