Date post: | 25-Dec-2014 |
Category: |
Technology |
Upload: | source-conference |
View: | 2,176 times |
Download: | 0 times |
The Latest Developments in
Computer Crime Law
SOURCE Seattle
June 15, 2011
Marcia Hofmann, EFF
what we’ll talk about today
✪ The federal hacking law and why it’s problematic.
✪ A couple trends that have emerged from recent
cases in which courts have interpreted the scope of
this law.
✪ What these trends suggest about the future.
Background
The Computer Fraud and Abuse Act
18 U.S.C. § 1030
seven basic prohibitions1) espionage
2) improperly accessing financial records, governmentinformation, or information on a “protected computer”
3) trespass to government computers
4) improperly accessing someone else’s computer with intentto defraud
5) causing damage to someone else’s computer
6) password trafficking with intent to defraud
7) extortion
improper access
The CFAA prohibits, among other things,
“intentionally access[ing] a computer withoutauthorization or in excess of authorization, andthereby obtain[ing] . . . information from anyprotected computer.”
18 U.S.C. § 1030(a)(2)(C).
improper access
Courts have interpreted “obtaining information”
broadly.
Basically any computer connected to the internet is a
“protected computer.”
So the major limiting principle is “authorized.”
development 1
expansive theories of unauthorized
access/exceeding authorized access
Some people have argued that authorization endswhen an employee violates a duty of loyalty to
an employer...
International Airport Centers v. Citrin
LVRC Holdings v. Brekka
Others have gone so far as to argue thatauthorization ends when a person violates a
web site’s terms of use.
United States v. Drew
Facebook v. Power Ventures
United States v. Lowson
The case law in this area recently took a turn for
the worse when an appeals court found that
violating an employer’s computer use policies
“exceeds authorized access.”
United States v. Nosal
The future?
Lee v. PMSI, Inc.
Sony v. Hotz
development 2
attempts to double-count penalties for
unauthorized access
A first-time violation of the “unauthorized
access” provision is generally a misdemeanor.
However, it can be elevated to a felony in certain
circumstances, like when the offense is
committed in furtherance of another crime or
tortious act.
United States v. Drew
Government: felony unauthorized access to a
computer in furtherance of intentionally
inflicting emotional distress.
Jury: no, misdemeanor unauthorized access.
Judge: no, violating terms of service is not
unauthorized access.
United States v. Kernell
Government: felony unauthorized access to a
computer in furtherance of unauthorized access
to email and unauthorized access to a computer.
United States v. Kernell
Government: felony unauthorized access to a
computer in furtherance of unauthorized access
to email and unauthorized access to a computer.
Do over!
United States v. Kernell
Government: felony unauthorized access to acomputer in furtherance of invasion of privacy
and aiding and abetting other unauthorizedaccesses to a computer.
Jury: no, misdemeanor unauthorized access.
United States v. Cioni
Government: felony unauthorized access to a
computer in furtherance of unauthorized access
to email.
Jury: yup, two felonies.
(This is a problem.)
The CFAA prohibits unauthorized access to and
obtaining information from a computer.
(Here, email.)
The Stored Communications Act prohibits
unauthorized access to an electronic communication
service and obtaining stored communications.
(Here, email.)
It’s the same thing.
United States v. Cioni
Government: felony unauthorized access to a
computer in furtherance of unauthorized access
to email.
Jury: yup, two felonies.
Appeals court: no, these are misdemeanors.
The future?
legislative changes
(enhanced penalties?)