
Topic: USA "Computer Fraud and Abuse Act"


  1. #1


    1. [align=left]
      Table 2. Authorized Access and Section 1030

      § 1030 Offense | Without Auth. | Exceeds Auth. | Not an element
      (a)(1). Obtaining National Security Information | x | x |
      (a)(2). Compromising Confidentiality | x | x |
      (a)(3). Trespassing in a Govt. Computer | x | |
      (a)(4). Accessing to Defraud and Obtain Value | x | x |
      (a)(5)(A)(i). Damaging Without Authorization | | | x
      (a)(5)(A)(ii). Intentionally accessing and recklessly causing damage | x | |
      (a)(5)(A)(iii). Intentionally accessing and causing damage | x | |
      (a)(6). Trafficking in Passwords | | | x
      (a)(7). Extortion Involving Threats to Damage a Computer | | | x

      1. As Table 2 illustrates, the ability to charge certain conduct as a violation of the CFAA may turn upon whether or not a defendant can be shown to have acted without authorization, as opposed to having acted in excess of authorized access. The question of whether or not a given access was authorized has been the subject of frequent litigation in both criminal and civil cases under the CFAA. Cases interpreting the authorization elements of CFAA offenses have generally followed the insider/outsider distinction, although not without some deviation. Traditional insider/outsider cases include United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997), where an Internal Revenue Service employee was found to have exceeded his authorized access to IRS computer systems when he looked at taxpayer records for personal purposes, and United States v. Ivanov, 175 F. Supp. 2d 367 (D. Conn. 2001), where a Russian intruder broke into an American company's customer databases and was found to have acted without authorization.
      2. While the universe of individuals who lack any authorization to access a computer is relatively easy to define, determining whether individuals who possess some legitimate authorization to access a computer have exceeded that authorized access may be more difficult. The term "exceeds authorized access" is defined as follows:
        1. [T]o access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.
      3. 18 U.S.C. § 1030(e)(6).
      4. The scope of any authorization hinges upon the facts of each case. In the simplest of prosecutions, a defendant without authorization to access a computer may intentionally bypass a technological barrier (such as password protection or system privileges) that prevented him from obtaining information on a computer network. However, many cases will involve exceeding authorized access, and establishing the scope of authorized access will be more complicated. The extent of authorization may turn upon the contents of an employment agreement or similar document, a terms of service notice, or a log-on banner outlining the permissible purposes for accessing a computer or computer network. See Southwest Airlines Co. v. Farechase, Inc., 318 F.Supp.2d 435 (N.D. Tex. 2004) (user agreement); EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003) (various site notices); Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238, 253 (S.D.N.Y. 2000) (terms of use notice); America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 450-51 (E.D. Va. 1998) (terms of service agreement); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) (employee confidentiality agreement).
      5. In one case, however, an insider (a person with some limited authorization to use a system) strayed so far beyond the bounds of his authorization that the court treated him as having acted without authorization. United States v. Morris, 928 F.2d 504 (2d Cir. 1991). Morris was convicted under a previous version of section 1030(a)(5), which punished "intentionally access[ing] a Federal interest computer without authorization." 18 U.S.C. § 1030(a)(5)(A) (1988). Morris created an Internet program known as a "worm," which spread to computers across the country and caused damage. To enable the worm to spread, Morris exploited vulnerabilities in two processes he was in fact authorized to use: "sendmail" (an email program) and "fingerd" (a program used to find out certain information about the users of other computers on the network). Morris, 928 F.2d. at 509-10.
      6. On appeal, Morris argued that because he had authorization to engage in certain activities, such as sending electronic mail, on some university computers, he had merely exceeded authorized access, rather than having gained unauthorized access.
      7. The Second Circuit rejected Morris' argument on three grounds. First, it held that the fact that the defendant had authorization to use certain computers on a network did not insulate his behavior when he gained access to other computers that were beyond his authorization. "Congress did not intend an individual's authorized access to one federal interest computer to protect him from prosecution, no matter what other federal interest computers he accesses." Id. at 511. Rather, "Congress contemplated that individuals with access to some federal interest computers would be subject to liability under the computer fraud provisions for gaining unauthorized access to other federal interest computers." Id. at 510. Second, the court held that although Morris may have been authorized to use certain generally available functions—such as the email or user query services—on the systems victimized by the "worm," he misused that access in such a way to support a finding that his access was unauthorized. The court wrote that:
        1. Morris did not use either of those features in any way related to their intended function. He did not send or read mail nor discover information about other users; instead he found holes in both programs that permitted him a special and unauthorized access route into other computers.
      8. Id.[FN1] Finally, the court held that even assuming the defendant's initial insertion of the worm simply exceeded his authorized access, evidence demonstrated that the worm was designed to spread to other computers and gain access to those computers without authorization by guessing their passwords.
      9. "Authorized" is a fluid concept. Even when authorization exists, it can be withdrawn or it can lapse. In some instances, a court may invoke agency law to determine whether a defendant possessed or retained authorization to access a computer. See, e.g., Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1124 (W.D. Wash. 2000) (finding that insiders with authorization to use a system can lose that authorization when they act as agents of an outside organization).
      10. In Shurgard, employees were found to have acted "without authorization" when they accessed their employer's computers to appropriate trade secrets for the benefit of a competitor. The court applied principles of agency law, and concluded that the employees' authorized access to the employer's computers ended when they became agents of the competitor. Id. at 1124-25. See International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (holding that an employee's access to data became unauthorized when breach of his duty of loyalty terminated his agency relationship). See also Vi Chip Corp. v. Lee, 438 F.Supp.2d 1087, 1100 (N.D.Ca. 2006) (applying the holding of Citrin to an employee who deleted data after being informed that his employment was to be terminated). But see Lockheed Martin Corp. v. Speed, 2006 WL 2683058 at *5-7 (M.D. Fla. 2006) (criticizing Citrin).
      11. Notably, Shurgard, Citrin, Vi Chip, and Lockheed all involved employees who were accused of abusing—e.g., selling, transferring, or destroying—data to which they had authorized access as part of their jobs. As a result, the plaintiffs were unable to establish that the defendants exceeded authorized access. Instead, in each of these cases the plaintiffs attempted to argue that access became unauthorized when the employee's purpose was not to benefit the employer. Essentially, each argued by reference to the Restatement (Second) of Agency that when the agent's duty of loyalty to his principal was breached, the relationship was terminated and subsequent access was unauthorized. Shurgard, 119 F.Supp.2d at 1124-25; Citrin, 440 F.3d at 420-21; Vi Chip, 438 F.Supp.2d at 1100; Lockheed, 2006 WL 2683058 at *4. To prevail under this theory, a plaintiff needs to convince the court that the relationship was essentially terminated—i.e., the authorization to access the data was lost—even while the employee was still technically in its employ. The courts in Shurgard, Citrin, and Vi Chip agreed with this rationale, but the court in Lockheed did not. Shurgard, 119 F.Supp.2d at 1124-25; Citrin, 440 F.3d at 420-21; Vi Chip, 438 F.Supp.2d at 1100; Lockheed, 2006 WL 2683058 at *5-7. Prosecutors faced with similar facts may want to consider charging an offense that does not contain an authorization requirement, such as section 1030(a)(5)(A)(i).
      12. One court found that insiders acted without authorization when they violated clearly defined computer access policies. See, e.g., America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 451 (E.D. Va. 1998) (holding that AOL members acted without authorization when they used AOL network to send unsolicited bulk emails in violation of AOL's member agreement). But see America Online, Inc. v. National Health Care Discount, Inc., 121 F.Supp.2d 1255 (N.D. Iowa 2000) (noting that no other published decision contains the same interpretation as America Online, Inc. v. LCGM, Inc. on the issue of unauthorized access).
      13. Typically, however, persons who are employees or licensees of the entity whose computer they used are held liable for exceeding authorized access as opposed to unauthorized access. See EF Cultural Travel, 274 F.3d at 582-84 (holding that a former employee who violated a confidentiality agreement by providing information about accessing a protected computer system could be liable for exceeding authorized access). In SecureInfo Corp. v. Telos Corp., 387 F.Supp.2d 593 (E.D. Va. 2005), the Court dismissed a claim that defendants, who gained access to a protected computer due to breach of a software license by a licensee, either exceeded authorized access or gained unauthorized access. The court believed that the licensee had given the defendants authority to use the computer system, which undercut the plaintiff's unauthorized use claim. Id. at 608-09. Moreover, since it was the licensee and not the defendants who agreed to the terms of the license, the defendants were not bound to the use limitations, and therefore, had not exceeded authorized access. Id. at 609-10. The court noted, however, that had the licensee—as opposed to the persons who gained access to the system via the licensee—been sued for exceeding authorized use, they may have been found liable under theory set forth in EF Cultural Travel. Id. at 609 (citing EF Cultural Travel BV, 274 F.3d at 582).
      14. The SecureInfo decision is troublesome in that it could arguably be read to support the proposition that users who are granted access to a system by an authorized user cannot be found liable under either an unauthorized use or an in excess of authorization theory. Presumably, however, had the third parties used their authorized access to obtain information unavailable to even licensed users, the court would have held them liable. The better reading of this decision is that courts may be reluctant to predicate civil liability, much less criminal liability, under the CFAA solely upon a violation of a software licensing agreement.
      15. In sum, "without authorization" generally refers to intrusions by outsiders, but some courts have also applied the term to intrusions by insiders who access computers other than the computer they are authorized to use, intrusions by insiders acting as agents for outsiders, and intrusions by insiders who violate clearly defined access policies. Section 1030 imposes greater liability on outsiders because their very presence on the computer or network constitutes trespass. Thus, certain subsections (18 U.S.C. §§ 1030(a)(3), (a)(5)(A)(ii), & (a)(5)(A)(iii)) criminalize actions based upon access without authorization, but do not impose the same liability if the access merely exceeds authorization. In any event, it is clear that courts treat the issue of authority to access as a question of fact under the specific circumstances of each case. Prosecutors should consider not only whether the access breached technical security measures (such as passwords), but also employer policies, banners, user agreements, contracts, licenses, or similar items.
      1. B. Obtaining National Security Information: 18 U.S.C. § 1030
      2. Summary
      1. Knowingly access computer without or in excess of authorization
      2. obtain national security information
      3. reason to believe the information could injure the U.S. or benefit a foreign nation
      4. willful communication, delivery, transmission (or attempts)
      5. OR
        willful retention of the information
      1. The infrequently-used section 1030(a)(1) punishes the act of obtaining national security information without or in excess of authorization and then willfully providing or attempting to provide the information to an unauthorized recipient, or willfully retaining the information.
      2. Any steps in investigating or indicting a case under section 1030(a)(1) require the prior approval of the National Security Division of the Department of Justice, through the Counterespionage Section. See USAM 9-90.020. Please contact them at (202) 514-1187.
      3. Title 18, United States Code, Section 1030(a)(1) provides:
      [/align]
    Office of
    هيثم محمود الفقى
    Lawyer before the High Court of Appeal and the Council of State
    Legal adviser to the Nursing Syndicate | Assistant Secretary for Youth at the Arab Peoples Organization for Human Rights and Support of Democracy | Permanent General Observer at the Organization of Arab Peoples and Parliaments | Correspondent and press editor

  2. #2

    1. When deciding how to charge a computer hacking case, prosecutors should consider this section as an alternative to section 1030(a)(2) where evidence of fraud exists, particularly because this section is a felony whereas subsection (a)(2) is a misdemeanor (unless certain aggravating factors apply).
    2. Prosecutors may also want to consider charges under the wire fraud statute, 18 U.S.C. § 1343, which requires proof of many elements similar to those needed for section 1030(a)(4), but carries stiffer penalties. For more detail on the comparison, please see page 29. For more discussion about wire fraud, please see page 90.
    3. Summary
    1. Knowingly access a protected computer without or in excess of authorization
    2. with intent to defraud
    3. the access furthered the intended fraud
    4. obtained anything of value, including use if value exceeded $5000
    1. Title 18, United States Code, Section 1030(a)(4) provides:
      1. Whoever
        (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period
        shall be punished as provided in subsection (c) of this section.
      1. Knowingly Access Without or In Excess of Authorization
      Please see page 4 for the discussion of the concept of access without or in excess of authorization.
    2. With Intent to Defraud
      The phrase "knowingly and with intent to defraud" is not defined by section 1030. Very little case law under section 1030 exists as to its meaning, leaving open the question of how broadly a court will interpret the phrase. On one hand, courts might interpret "intent to defraud" as requiring proof of the elements of common law fraud.[FN2] On the other hand, courts might give more liberal meaning to the phrase "intent to defraud" and allow proof of mere wrongdoing or dishonesty to suffice.
      In examining the phrase "to defraud" in the mail and wire fraud statutes,[FN3] the Supreme Court rejected the notion that every "scheme or artifice that in its necessary consequence is one which is calculated to injure another [or] to deprive him of his property wrongfully" constitutes fraud under the mail fraud provision. Fasulo v. United States, 272 U.S. 620, 629 (1926). In Fasulo, the court stated that "broad as are the words 'to defraud,' they do not include threat and coercion through fear or force." Id. at 628. Instead, the Supreme Court placed emphasis on the central role of deception to the concept of fraud—"the words 'to defraud' ... primarily mean to cheat, ... usually signify the deprivation of something of value by trick, deceit, chicane, or overreaching, and ... do not extend to theft by violence, or to robbery or burglary." Id. at 627 (construing Hammerschmidt v. United States, 265 U.S. 182 (1924)).
      A broader alternative definition can be found in Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1123 (W.D. Wash. 2000), a civil case involving section 1030(a)(4). In that case, the court favored an expansive interpretation of "intent to defraud." In denying the defendant's motion to dismiss, the court held that the word "fraud" as used in section 1030(a)(4) simply means "wrongdoing" and does not require proof of the common law elements of fraud. Id. at 1126 (construing United States v. Czubinski, 106 F.3d 1069, 1078 (1st Cir. 1997)). Thus, the plaintiff stated a sufficient cause of action under section 1030(a)(4) by alleging that the defendant participated in "dishonest methods to obtain the plaintiff's secret information." Id.
      Shurgard does not directly address the Supreme Court decision in Fasulo, but nevertheless provides some basis for interpreting "fraud" in its broadest sense (i.e., finding "fraud" when there is evidence of "wrongdoing," as opposed to requiring proof of "trick, deceit, chicane, or overreaching"). Cf. 132 Cong. Rec. S4072-02, 99th Cong., 2d. Sess. (1986) ("The acts of 'fraud' that we are addressing in proposed § 1030(a)(4) are essentially thefts in which someone uses a [protected computer] to wrongly obtain something of value from another").
      In discussing the creation of section 1030(a)(4), Congress specifically noted that "[t]he scienter requirement for this subsection, 'knowingly and with intent to defraud,' is the same as the standard used for 18 U.S.C. § 1029 relating to credit card fraud." See S. Rep. No. 99-432, at 10, reprinted in 1986 U.S.C.C.A.N. 2479, 2488. Interestingly, despite having specifically discussed the mail and wire fraud statutes in the context of section 1030(a)(4), the Committee did not relate the scienter requirement of the term "to defraud" to the use of the term in the mail and wire fraud statutes, leaving open the question of whether the meaning and proof of "to defraud" is the same for sections 1030(a)(4) and 1029, as it is for the mail and wire fraud statutes. As it is, there are no reported cases discussing the meaning of "to defraud" under section 1029.
    1. The defendant's illegal access of the protected computer must "further" a fraud. Accessing a computer without authorization—or, more often, exceeding authorized access—can further a fraud in several ways. For example:
    • This element is met if a defendant alters or deletes records on a computer, and then receives something of value from an individual who relied on the accuracy of those altered or deleted records. In United States v. Butler, 16 Fed. Appx. 99 (4th Cir. 2001) (unpublished disposition), the defendant altered a credit reporting agency's records to improve the credit ratings of his coconspirators, who then used their improved credit rating to make purchases. In United States v. Sadolsky, 234 F.3d 938 (6th Cir. 2000), the defendant used his employer's computer to credit amounts for returned merchandise to his personal credit card.

    • This element is met if a defendant obtains information from a computer, and then later uses that information to commit fraud. For example, in United States v. Lindsley, 2001 WL 502832 (5th Cir. 2001) (unpublished), the defendant accessed a telephone company's computer without authorization, obtained calling card numbers, and then used those calling card numbers to make free long-distance telephone calls.
    • This element is met if a defendant uses a computer to produce falsified documents which are later used to defraud. For example, in United States v. Bae, 250 F.3d 774 (D.C. Cir. 2001), the defendant used a lottery terminal to produce back-dated tickets with winning numbers, and then turned those tickets in to collect lottery prizes.
    1. The term "by means of such conduct" explicitly links the unauthorized accessing of a protected computer to the furthering of the intended fraud. In creating this link, Congress wished to distinguish those cases of computer trespass where the trespass is used to further the fraud (covered by § 1030(a)(4)) from those cases of fraud that involve a computer but the computer is only tangential to the crime (not covered by § 1030(a)(4)). See S. Rep. No. 99-432, at 9, reprinted in 1986 U.S.C.C.A.N. 2479, 2487.
    2. In order to fall within section 1030(a)(4), "the use of the computer must be more directly linked to the intended fraud." The section does not apply simply because "the offender signed onto a computer at some point near to the commission or execution of the fraud." Id. More explicitly, a fraudulent scheme does not constitute computer fraud just because a computer was used "to keep records or to add up [the] potential 'take' from the crime." Id.
    4. Obtains Anything of Value
      This element is easily met if the defendant obtained money, cash, or a good or service with measurable value. Two more difficult cases arise when the defendant obtains only the use of a computer and when the defendant obtains only information.
      Use of the computer as a thing of value
      The statute recognizes that the use of a computer can constitute a thing of value, but this element is satisfied only if the value of such use is greater than $5,000 in any one-year period.
      This condition will be met only in rare cases. At the time the statute was written, it was common for owners of top-of-the-line supercomputers to rent the right to run programs on their computer by the hour. In 1986, for example, an hour of time on a Cray X-MP/48 supercomputer reportedly cost $1,000. William F. Eddy, Rejoinder, Statistical Science, Nov. 1986, 451, 453. Conceivably, repeated and sustained use of a very expensive modern computer could reach the statutory threshold within one year.
      Data or information as a thing of value
      Aside from the "computer use" exception, subsection (a)(4) has no minimum dollar amount, unlike subsection (a)(5). Still, the legislative history suggests that some computer data or information, alone, is not valuable enough to qualify. See S. Rep. 99-432, at 9, reprinted in 1986 U.S.C.C.A.N. 2479, 2487 ("In intentionally trespassing into someone else's computer files, the offender obtains at the very least information as to how to break into that computer system. If that is all he obtains, the offense should properly be treated as a simple trespass."). In other words, if all that is obtained are the results of port scans, or the names and IP addresses of other servers, it may not count as something of value.
      One case of particular note in this area is United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997). While the Czubinski case turned on the specific facts, the court's discussion can be instructive in assessing the parameters of the term "something of value." Specifically, Czubinski was employed as a Contact Representative in the Boston office of the Taxpayer Services Division of the Internal Revenue Service (IRS). As part of his official duties, Czubinski routinely accessed taxpayer-related information from an IRS computer system using a valid password provided to Contact Representatives. Despite IRS rules plainly forbidding employees from accessing taxpayer files outside the course of their official duties, Czubinski carried out numerous unauthorized searches of taxpayer records on a number of occasions. Based upon these actions, he was indicted and convicted for wire fraud and computer fraud.
      On appeal, Czubinski argued that his conviction for violating section 1030(a)(4) should be overturned because he did not obtain "anything of value." In reviewing the facts surrounding Czubinski's actions, the First Circuit agreed with Czubinski, stating that "[t]he value of information is relative to one's needs and objectives; here, the government had to show that the information was valuable to Czubinski in light of a fraudulent scheme. The government failed, however, to prove that Czubinski intended anything more than to satisfy idle curiosity." Id. at 1078.

      Further elaborating on its holding, the court went on to explain that:
      [t]he plain language of section 1030(a)(4) emphasizes that more than mere unauthorized use is required: the 'thing obtained' may not merely be the unauthorized use. It is the showing of some additional end—to which the unauthorized access is a means—that is lacking here. The evidence did not show that Czubinski's end was anything more than to satisfy his curiosity by viewing information about friends, acquaintances, and political rivals. No evidence suggests that he printed out, recorded, or used the information he browsed. No rational jury could conclude beyond a reasonable doubt that Czubinski intended to use or disclose that information, and merely viewing information cannot be deemed the same as obtaining something of value for the purposes of this statute.