The Latest Developments in Computer Crime Law

Post on 25-Dec-2014

description

SOURCE Seattle 2011 - Marcia Hofmann

transcript

The Latest Developments in Computer Crime Law

SOURCE Seattle

June 15, 2011

Marcia Hofmann, EFF

what we’ll talk about today

✪ The federal hacking law and why it’s problematic.

✪ A couple trends that have emerged from recent cases in which courts have interpreted the scope of this law.

✪ What these trends suggest about the future.

Background

The Computer Fraud and Abuse Act

18 U.S.C. § 1030

seven basic prohibitions

1) espionage

2) improperly accessing financial records, government information, or information on a “protected computer”

3) trespass to government computers

4) improperly accessing someone else’s computer with intent to defraud

5) causing damage to someone else’s computer

6) password trafficking with intent to defraud

7) extortion

improper access

The CFAA prohibits, among other things,

“intentionally access[ing] a computer without authorization or in excess of authorization, and thereby obtain[ing] . . . information from any protected computer.”

18 U.S.C. § 1030(a)(2)(C).

improper access

Courts have interpreted “obtaining information” broadly.

Basically any computer connected to the internet is a “protected computer.”

So the major limiting principle is “authorized.”

development 1

expansive theories of unauthorized access/exceeding authorized access

Some people have argued that authorization ends when an employee violates a duty of loyalty to an employer...

International Airport Centers v. Citrin

LVRC Holdings v. Brekka

Others have gone so far as to argue that authorization ends when a person violates a web site’s terms of use.

United States v. Drew

Facebook v. Power Ventures

United States v. Lowson

The case law in this area recently took a turn for the worse when an appeals court found that violating an employer’s computer use policies “exceeds authorized access.”

United States v. Nosal

The future?

Lee v. PMSI, Inc.

Sony v. Hotz

development 2

attempts to double-count penalties for unauthorized access

A first-time violation of the “unauthorized access” provision is generally a misdemeanor.

However, it can be elevated to a felony in certain circumstances, like when the offense is committed in furtherance of another crime or tortious act.

United States v. Drew

Government: felony unauthorized access to a computer in furtherance of intentionally inflicting emotional distress.

Jury: no, misdemeanor unauthorized access.

Judge: no, violating terms of service is not unauthorized access.

United States v. Kernell

Government: felony unauthorized access to a computer in furtherance of unauthorized access to email and unauthorized access to a computer.

Do over!

United States v. Kernell

Government: felony unauthorized access to a computer in furtherance of invasion of privacy and aiding and abetting other unauthorized accesses to a computer.

Jury: no, misdemeanor unauthorized access.

United States v. Cioni

Government: felony unauthorized access to a computer in furtherance of unauthorized access to email.

Jury: yup, two felonies.

(This is a problem.)

The CFAA prohibits unauthorized access to and obtaining information from a computer.

(Here, email.)

The Stored Communications Act prohibits unauthorized access to an electronic communication service and obtaining stored communications.

(Here, email.)

It’s the same thing.

United States v. Cioni

Government: felony unauthorized access to a computer in furtherance of unauthorized access to email.

Jury: yup, two felonies.

Appeals court: no, these are misdemeanors.

The future?

legislative changes

(enhanced penalties?)

questions?

Marcia Hofmann

Senior Staff Attorney, EFF

marcia@eff.org