- Id.[FN4]
- The parameters of what constitutes a "thing of value" were further explored in In re America Online, Inc., 168 F.Supp.2d 1359 (S.D. Fla. 2001). Specifically, America Online (SSOL) was sued by computer users and competitor Internet service providers, alleging that AOL's software had caused damage to users' computers and had blocked utilization of competitors' software by potential users. Id. In moving to dismiss the section 1030(a)(4) allegation, AOL argued that the plaintiffs could not make out an actionable claim because they had failed to plead that AOL had deprived them of "anything of value." Id. at 1379. In response, the plaintiffs asserted that AOL's actions had deprived them of their subscribers "custom and trade" and that this interest constituted a "thing of value." Id.
- In distinguishing the case from Czubinski, the America Online court noted that "AOL allegedly has been motivated by more than the mere satisfaction of its curiosity [as was allegedly the sole motivation of the defendant in Czubinski]. AOL's alleged end is to obtain a monopoly, or at least secure its stronghold, as an ISP." America Online, at 1379-80. Noting that the "typical item of value" in cases brought under the CFAA is usually data, the court observed that "in other areas of the law, customers have been found to be a thing of value." Id. at 1380. The court therefore found that "damage to an ISP's goodwill and reputation is actionable under the CFAA" and that "[b]ecause [the plaintiff] has alleged that AOL's actions have interfered with its relationships with its existing customers and potential subscribers, it has alleged that AOL has obtained something of value within the meaning of 18 U.S.C. § 1030(a)(4)." Id.<LI class=heading3>5. Statutory Penalties A violation of section 1030(a)(4) is punishable by a fine and up to five years in prison, unless the individual has been previously convicted of a section 1030 offense, in which case the punishment increases to a maximum of ten years in prison. 18 U.S.C. § 1030(c)(3).
<LI class=heading3>6. Relation to Other Statutes In appropriate cases, prosecutors may also want to consider charges under the wire fraud statute, 18 U.S.C. § 1343, which requires proof of many elements similar to those needed for section 1030(a)(4). Unlike section 1030(a)(4), however, which is punishable by a maximum of 5 years in prison (assuming the defendant does not have other prior § 1030 convictions), wire fraud carries stiffer penalties and is punishable by a maximum of 20 years in prison, or 30 years if the violation affected a financial institution. Compare 18 U.S.C. § 1030(a)(3) with 18 U.S.C. § 1343.
<LI class=heading3>7. Historical Notes Although section 1030(a)(4) bears similarities to the federal mail fraud statute (18 U.S.C. § 1341) and wire fraud statute (18 U.S.C. § 1343), section 1030(a)(4) does not have the same broad jurisdictional sweep as the mail and wire fraud statutes. See S. Rep. No. 99-432, at 9 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2487 ("It has been suggested that the Committee approach all computer fraud in a manner that directly tracks the existing mail fraud and wire fraud statutes. However, the Committee was concerned that such an approach might permit prosecution under this subsection of acts that do not deserve classification as 'computer fraud'."). The specific concern expressed was "that computer usage that is wholly extraneous to an intended fraud might nevertheless be covered by this subsection if the subsection were patterned directly after the current mail fraud and wire fraud laws." Id.
<LI class=heading2>F. Damaging a Computer or Information: 18 U.S.C. § 103(a)(5) Criminals can cause harm to computers in a wide variety of ways. For example, an intruder who gains unauthorized access to a computer can send commands that delete files or shut the computer down. Alternatively, intruders can initiate a "denial of service attack" that floods the victim computer with useless information and prevents legitimate users from accessing it. In a similar way, a virus or worm can use up all of the available communications bandwidth on a corporate network, making it unavailable to employees. In addition, when a virus or worm penetrates a computer's security, it can delete files, crash the computer, install malicious software, or do other things that impair the computer's integrity. Prosecutors can use section 1030(a)(5) to charge all of these different kinds of acts.
Section 1030(a)(5) criminalizes a variety of actions that cause computer systems to fail to operate as their owners would like them to operate. Damaging a computer can have far-reaching effects. For example, a business may not be able to operate if its computer system stops functioning or it may lose sales if it cannot retrieve the data in a database containing customer information. Similarly, if a computer that operates the phone system used by police and fire fighters stops functioning, people could be injured or die as a result of not receiving emergency services. Such damage to a computer can occur following a successful intrusion, but it may also occur in ways that do not involve the unauthorized access of a computer system.
Title 18, United State Code, Section 1030(a)(5) provides: Whoever
(5)(A)(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subsection (A), caused (or, in the case of an attempted offense, would, if completed, have caused) (i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security
shall be punished as provided in subsection (c) of this section.
[IMG]http://www****doj.gov/criminal/cybercrime/ccmanual/1f.jpg[/IMG] The differences between the conduct criminalized by the three subsections of section 1030(a)(5)(A) are important to note. That section criminalizes three different types of conduct, based on mental state and authority to access. In basic terms, subsection (5)(A)(i) prohibits anyone from knowingly damaging a computer (without authorization) while subsection (5)(A)(ii) prohibits unauthorized users from causing damage recklessly and subsection (5)(A)(iii) from causing damage negligently.
The latter two subsections require that the defendant "access" the computer without authorization. These criminal prohibitions hold intruders accountable for any damage they cause while intentionally trespassing on a computer, even if they did not intend to cause that damage. See S. Rep. No. 104-357, at 11 (1996), available at 1996 WL 492169 (noting that "anyone who knowingly invades a system without authority and causes significant loss to the victim should be punished ... even when the damage caused is not intentional").
By contrast, section 1030(a)(5)(A)(i) requires proof only of the knowing transmission of something to damage a computer without authorization. The government does not need to prove "access." Because it is possible to damage a computer without "accessing" it, this element is easier to prove (except for the mental state requirement). For example, most worms and trojans spread though self-replication, without personally accessing the affected systems. - 1. The Access Element
Subsection (a)(5)(A)(i): Knowingly causing the transmission of a program, information, code, or command to a protected computer
Section 1030(a)(5)(A)(i) prohibits knowingly causing the transmission of a "program, information, code, or command" and as a result of such conduct, intentionally causing damage to a protected computer.[FN5] This subsection applies regardless of whether the offenders were authorized to use the victim computer system (an "insider"), not authorized to use it (an "outsider"), or even those who have never accessed the system at all.
The term "program, information, code, or command" broadly covers all transmissions that are capable of having any effect on a computer's operation. This includes software code, software commands, and network packets designed to exploit system vulnerabilities.
Courts have considered the question of what constitutes knowingly causing the "transmission" of a program, information, code, or command. In the ordinary case where the attacker releases a worm or initiates a denial of service attack, the government should easily meet this element of the crime. On the other hand, this subsection does not apply to "physical" acts that shut down a computer, such as flipping a switch to cut of the electrical supply, as they do not involve transmission of a program or command. Other criminal statutes may cover such conduct, however.
An attacker need not directly send the required transmission in order to violate this statute. In one case, a defendant inserted malicious code into a software program he wrote to run on his employer's computer network. See United States v. Sullivan</I>, 40 Fed. Appx. 740 (4th Cir. 2002) (unpublished). After lying dormant for four months, the malicious code activated and downloaded certain other malicious code to several hundred employee handheld computers, making them unusable. See id. at 741. The court held that the defendant knowingly caused transmission of code in violation of the statute. See id. at 743.
In the civil context, courts have taken the idea of transmission of code even further. In International Airport Centers, L.L.C. v. Citrin, the Seventh Circuit held that a civil complaint stated a claim when it alleged that the defendant copied a secure-erasure program to his (company-issued) laptop, and even said in dicta that it made no difference if the defendant copied the program over an Internet connection, from an external disk drive, or an internal disk drive. International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 419-20 (7th Cir. 2006). Similarly, in Shaw v. Toshiba America Information Systems, Toshiba manufactured computers with faulty software that improperly deleted data on diskettes used in their floppy drives, and Toshiba shipped the computers in interstate commerce. Shaw v. Toshiba America Information Systems, 91 F.Supp.2d 926, 931 (E.D. Tex. 1999). In that case, the court found that the shipment of the software by itself constituted its transmission for purposes of the statute. See id.[FN6]
Subsections (a)(5)(A)(ii) or (iii): Intentionally accessed a protected computer without authorization
Subsections 1030(a)(5)(A)(ii) and (iii) require proof that the defendant intentionally accessed a protected computer without authorization. These subsections do not include the phrase "exceeds authorized access." Compare 18 U.S.C. § 1030(a)(2) & (a)(4) with 18 U.S.C. § 1030(a)(5)(A)(ii) & (iii). Thus, these subsections do not apply to authorized users of a computer who exceed their authorization ("insiders").
Courts have examined the question of what constitutes unauthorized access for purposes of subsections (a)(5)(A)(ii) and (iii). In many situations the unauthorized access is obvious, such as where an intruder exploits a vulnerability in the security of another person's computer and directly sends commands that cause damage. The courts have also held, however, that an actor may gain "unauthorized access" to a computer by indirect means, such as by releasing an automated, self-replicating program that penetrates the defenses of others' computers. See United States v. Morris, 928 F.2d 504, 509-10 (2d Cir. 1991) (defendant obtained "unauthorized access" to computers by releasing a "worm" that copied itself onto many thousands of computers by exploiting security vulnerabilities and guessing passwords).
In ruling on civil suits under section 1030(a)(5), some courts have expanded the idea of "unauthorized access" even further. For example, in one case, a company created an automated program to access its competitor's web server—a publicly available computer—in violation of the competitor's terms of use. See Register.com, Inc. v. Verio, Inc., 126 F.Supp.2d 238 (S.D.N.Y. 2000), aff'd, 356 F.3d 393 (2d Cir. 2004). Surprisingly, even though the company that created the automated program did not circumvent any security feature and could lawfully have accessed the site if it did so without using automated programs, the court held that this activity constituted "unauthorized access" for purposes of section 1030(a)(5). Id. at 251-52.
Please see page 4 for the discussion of the concept of access without authorization. - 2. Cause Damage to the Protected Computer Section 1030(a)(5) prohibits damaging a computer system. 18 U.S.C. § 1030(a)(5)(A). The statute requires only that the defendant's conduct "cause" damage in a computer. It is not necessary to prove that the damaged protected computer was the same computer that the defendant accessed.
"Damage" is defined as "any impairment to the integrity or availability of data, a program, a system, or information." 18 U.S.C. § 1030(e)(8). Although this definition is broad and inclusive, as the use of the word "any" suggests, the definition differs in some ways from the idea of damage to physical property. This definition contains several concepts that allow section 1030(a)(5) to apply to a wide variety of situations.
First, "damage" occurs when an act impairs the "integrity" of data, a program, a system, or information. This part of the definition would apply, for example, where an act causes data or information to be deleted or changed, such as where an intruder accesses a computer system and deletes log files or changes entries in a bank database.
Similarly, "damage" occurs when an intruder changes the way a computer is instructed to operate. For example, installing keylogger software on a home computer can constitute damage. Damage also occurs if an intruder alters the security software of a victim computer so that it fails to detect computer trespassers. For example, in United States v. Middleton, part of the damage consisted of a user increasing his permissions on a computer system without authorization. United States v. Middleton, 231 F.3d 1207, 1213-14 (9th Cir. 2000).
In addition to the impairment of the integrity of information or computer systems, the definition of damage also includes acts that simply make information or computers "unavailable." Intruders have devised ways to consume all of a computer's computational resources, effectively making it impossible for authorized users to make use of the computer even though none of the data or software has been modified. Similarly, a "denial of service attack" floods a computer's Internet connection with junk data, preventing legitimate users from sending or receiving any communications with that computer. See YourNetDating v. Mitchell, 88 F.Supp.2d 870, 871 (N.D. Ill. 2000) (granting temporary restraining order where defendant installed code on plaintiff's web server that diverted certain users of plaintiff's website to pornography website). Example 1: Prior to the annual football game between rival schools, an intruder from one high school gains access to the computer system of a rival school and defaces the football team's website with graffiti announcing that the intruder's school was going to win the game.
In this example, the intruder has caused damage—the integrity of the information on the website has been impaired because viewers of the site will not see the information that the site's designers put there. Example 2: An attacker configures several thousand computers to access the washingtonpost.com website at the same time in a coordinated denial of service attack. As a consequence, the site is jammed, and for approximately 45 minutes, ordinary web surfers find that the site will not load when they type its URL in their browsers.
This example also shows damage as defined by the CFAA. The attacker has, via a code or command, impaired the availability of the data on the website to its normal users.
In the computer network world, an intrusion—even a fairly noticeable one—can amount to a kind of trespass that causes no readily discoverable impairment to the computers intruded upon or the data accessed. Even so, such "trespass intrusions" often require that substantial time and attention be devoted to responding to them. In the wake of seemingly minor intrusions, the entire computer system is often audited, for instance, to ensure that viruses, back-doors, or other harmful codes have not been left behind or that data has not been altered or copied. Even adding false information to a computer can impair its integrity. In addition, holes exploited by the intruder are sometimes patched, and the network generally is resecured through a rigorous and time-consuming technical effort. This process can be costly and time- consuming. Example 3: The system administrator of a local community college reviews server logs one morning and notes an unauthorized intrusion that occurred through a backdoor at about 3:30 in the morning. It appears to the administrator that the intruder accessed a student database that listed students' home addresses, phone numbers, and social security numbers. After calling the FBI, she and her staff spend several hours reviewing what occurred, devising patches for the vulnerabilities that were exploited, and otherwise trying to prevent similar intrusions from occurring again. Still, the result of the technical review is that no offending code can be found, and the network appears to function as before. In the two months after the intrusion, staff at the community college report no known alterations or errors in the student database. The cost of the employee time devoted to the review totaled approximately $7,500.
Although the intruder apparently did not make any alterations to the database and the system seems to work as it did before, in a few civil cases, courts have held that accessing and copying private data may cause damage to the data under the CFAA.[FN7] See Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1126-27 (W.D. Wash. 2000).
[/align]
رد مع اقتباس
المفضلات