The Computer Fraud and Abuse Act (CFAA),18 U.S.C. § 1030, is a federal “anti-hacking” statute. While it is primarily a criminal law, a 1994 amendment allows civil actions to be brought by private litigants.
Violations can be committed by either an outside intruder who is not authorized to access the protected computer, such as a hacker, or by someone who is authorized to use the computer, but exceeds their authorized access.
The CFAA lists seven types of offences:
Attempts to commit these crimes are also criminally punishable, as is conspiring to commit a computer hacking offense.
The CFAA began as a 1986 amendment to the Counterfeit Access Device and Abuse Act, passed by Congress two years earlier. It was written to supplement existing mail and wire fraud laws, which Congress concluded didn’t adequately cover the emerging class of computer crimes.
At the time the CFAA was passed, computer networks were mostly limited to universities, government and military institutions. The scope of the CFAA was similarly narrow. It mainly served to criminalize unauthorized access to national defense information, if that information was then used to harm the United States, as well as financial institution and consumer reporting records.
Since then, Congress has amended the CFAA five times, greatly expanding its scope and application.
The 1994 amendments removed the requirement that the offender access the computer “without authorization”. This introduced a whole new class of offenders: individuals who are authorized to use a third-party computer, and use that access to break the law.
Secondly, the law expanded to allow civil actions. Private litigants could bring a case under the CFAA, if the violation caused more than $5,000 in loss or damage as defined by the statute.
This opened the door for companies to bring civil lawsuits against employees and former employees suspected of stealing information for competitive purposes.
In 1996 the CFAA was amended to cover any “protected computer,” defined to include government-operated or affiliated computers, financial institution computers, and computers used in interstate or foreign commerce or communications.
In practice, this puts ordinary computers, including smartphones, under the jurisdiction of the law, due to the interstate nature of online communication.
The PATRIOT Act further expanded the CFAA, increasing both its penalties and its effectiveness as a prosecution tool. Some of the changes:
The CFAA was amended by the Identity Theft Enforcement and Restitution Act to address the rise in computer crimes. Among the notable changes, the amendment made it a felony to damage ten or more computers.
In civil cases, the amendment eliminated the need for the Plaintiff’s loss to be greater than $5,000. A Plaintiff still must show that they suffered damage or loss.
Loss, as defined by the CFAA, includes:
Harm to reputation or goodwill might be, but is not always, considered loss under the CFAA. Lost revenue resulting from the theft of proprietary information is not considered loss.
The CFAA has been subject to much debate and differences in interpretation, as computer technology has moved forward at lightning speed. How should the law be applied today, when computers are involved in hundreds or thousands of everyday actions, and are carried with us constantly in the form of smartphones?
Some critics of the CFAA argue that the law is written too broadly, leaving it open to overreach. This, they believe, expands the law far beyond its original intent to stop malicious computer crimes, like hacking, data theft, and introducing viruses.
A violation of the CFAA can be committed by either accessing a computer without authorization or by exceeding authorized access.
As defined by the CFAA, “exceeding authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.”
Critics of the CFAA argue that “exceeds authorized access” can be interpreted so broadly that it could be used to criminally charge individuals for violating the terms of service (TOS) policy of a website, software program, smartphone app, or Internet Service Provider (ISP).
These policies, they argue, are not always readily visible, can change without notice, and involve pages of legalese that few people outside of the legal profession understand. People come under dozens of these policies every day, through routine activities like using a smartphone, doing internet research, paying bills online, or watching TV.
Lawmakers have proposed an amendment to the CFAA to address this concern. Introduced in the Senate in 2013, Aaron's Law H.R. 2454, S. 1196, would exclude TOS violations from the CFAA. The future of the amendment is unclear.
As high-profile data breaches, computer crimes, and “hacktivism” continue to dominate the headlines, the CFAA will also be front-and-center. How the law is applied and enforced, and how it will need to adapt to an increasingly tech-centered society, is a continually developing story.