4. Penalties A violation of section 1030(a)(7) is punishable by a fine and up to five years in prison. 18 U.S.C. § 1030(c)(3)(A). If the defendant has a previous conviction under section 1030, the maximum sentence increases to 10 years' imprisonment. 18 U.S.C. § 1030(c)(3)(B).
<LI class=heading3>5. Relation to Other Statutes The elements of section 1030(a)(7) generally parallel the elements of a Hobbs Act (18 U.S.C. § 1951, interference with commerce by extortion) violation with some important differences. First, the intent to extort from any person money or other thing of value is the same under section 1030(a)(7) and under section 1951. However, in contrast to section 1951, section 1030(a)(7) does not require proof that the defendant delayed or obstructed commerce. Proving that the threat was transmitted in interstate or foreign commerce is sufficient.
At least one case has recognized the similarities between the two statutes. In United States v. Ivanov, 175 F.Supp.2d 367 (D. Conn. 2001), the defendant hacked into the victim's network and obtained root access to the victim's servers. He then proposed that the victim hire him as a "security expert" to prevent further security breaches, including the deletion of all of the files on the server. Without much discussion, the court determined that the analysis under section 1030(a)(7) was the same as that for the Hobbs Act. See id. at 372.
<LI class=heading3>6. Historical Notes
Congress added section 1030(a)(7) to the CFAA in 1996 to fill perceived gaps in the application of existing anti-extortion statutes:
These cases, although similar in some ways to other cases involving extortionate threats directed against persons or property, can be different from traditional extortion cases in certain respects. It is not entirely clear that existing extortion statutes, which protect against physical injury to persons or property, will cover intangible computerized information.
For example, the "property" protected under existing laws, such as the Hobbs Act, 18 U.S.C. § 1951 (interference with commerce by extortion) or 18 U.S.C. § 875(d) (interstate communication of a threat to injure the property of another), does not clearly include the operation of a computer, the data or programs stored in a computer or its peripheral equipment, or the decoding keys to encrypted data. S. Rep. No. 104-357, at 12 (1996), available at 1996 WL 492169.
<LI class=heading2>I. Legislative History
From 1996 until the passage of the USA PATRIOT Act in 2001, Section 1030(e)(8) had defined "damage" to mean:
any impairment to the integrity or availability of data, a program, a system, or information, that (A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals; (B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals; (C) causes physical injury to any person; or (D) threatens public health or safety ....
Under that version of the statute—the version that was in effect at the time of the Shurgard decision—a violation of section 1030(a)(5) required that damage be proved in one of four ways; proving loss in excess of $5,000 was one of the ways of proving damage.
An earlier version of the statute that was in effect between 1994 and 1996, required proof of both "damage" and "loss" to show a violation of section 1030.[FN11] Congress amended the statute in 1996 to the version that was in effect at the time of the Shurgard decision. The 1996 amendments changed the definition of "damage" as set forth above to mean impairment that causes loss or other harms. As the Shurgard opinion noted, in the 1996 amendments Congress equated damage and loss to address situations wherein monetary loss might be demonstrated but other forms of damage might be difficult to demonstrate. In the Senate Report accompanying the 1996 amendments to the statute, Congress gave the following example as justification for the change:
The 1994 amendment required both "damage" and "loss," but it is not always clear what constitutes "damage." For example, intruders often alter existing log-on programs so that user passwords are copied to a file which the intruders can retrieve later. After retrieving the newly created password file, the intruder restores the altered log-on file to its original condition. Arguably, in such a situation, neither the computer nor its information is damaged. Nonetheless, this conduct allows the intruder to accumulate valid user passwords to the system, requires all system users to change their passwords, and requires the system administrator to devote resources to securing the system. Thus, although there is arguably no "damage," the victim does suffer "loss." If the loss to the victim meets the required monetary threshold, the conduct should be criminal, and the victim should be entitled to relief.
The bill therefore defines "damage" in new subsection 1030(e)(8), with a focus on the harm that the law seeks to prevent.
Shurgard, 119 F.Supp.2d at 1126 (citing S. Rep. No. 104-357, at 11 (1996), available at 1996 WL 492169 ) (emphasis added).
According to this view, Congress wanted to recognize a criminal or civil cause of action when a victim incurred significant response costs as a result of an intrusion, even where no data was changed and the computer functioned as before. Accordingly, Congress defined "damage" to include the causation of loss in excess of a certain threshold amount ($5,000) or other special harms, such as physical injury to any person. With this understanding, the password sniffer example in the Senate Report, as well as the community college intrusion example discussed on page 36, were each likely subject to prosecution from 1996 through 2001 provided the $5,000 monetary threshold of "loss" was met.
Effective September 26, 2008, 18 U.S.C. § 1030 was amended by the Identity theft Enforcement and Restitution Act, Pub. Law 110-326, 122 Stat. 3560. Among other things, the law eliminated the requirement in 18 U.S.C. 1030(a)(5) that the defendant’s action must result in a loss exceeding $5,000 and adding a provision to 18 U.S.C. § 1030(c)(4) that makes it a felony to cause damage to ten or more computers. It also:
- Expanded jurisdiction for cases involving theft of information from computers by eliminating the requirement in 18 U.S.C. § 1030(a)(2)(C) that information must have been stolen through an interstate or foreign communication;
- Enhanced prosecution for extortion related to computers by expanding section 1030(a)(7) to criminalize not only explicit threats to cause damage to a computer, but also threats (1) to steal data on a victim’s computer, (2) to publicly disclose stolen data, or (3) to not repair damage the offender already caused to the computer;
- Amended 18 U.S.C. § 3663(b) to make clear that restitution orders for identity theft cases may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense;
- Created a criminal offense for conspiring to commit a computer hacking offense under 18 U.S.C. § 1030;
- Broadened the definition of "protected computer" in 18 U.S.C. § 1030 to the full extent of Congress' commerce power by including those computers used in or affecting interstate or foreign commerce or communication;
- Provided a mechanism for forfeiture of property used in or derived from section 1030 violations;
- Directed the Sentencing Commission to review sentencing for violations of 18 U.S.C. § § 1028, 1028A, 1030, 2511, and 2701.
Pending revision of the Prosecuting Computer Crimes Manual, please ensure that you are using the most current version of 18 U.S.C. § 1030. A redline version showing the changes made by the ITERA is available here.
FN 1. Gauging whether an individual has exceeded authorized access based upon whether the defendant used the technological features of the computer system as "reasonably expected" was criticized by one court as too vague an approach. EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003) (in a civil case under § 1030(a)(4), involving whether use of a web scraper exceeded authorized access, rejected inferring "reasonable expectations" test in favor of express language on the part of the plaintiff).
FN 2. The elements of common law fraud are: "(1) a false representation (2) in reference to a material fact (3) made with knowledge of its falsity (4) and with intent to deceive (5) with action taken in reliance upon the representation." United States v. Kiefer, 228 F.2d 448 (D.C. Cir. 1955).
FN 3. Identical standards apply to the "scheme to defraud" under both the mail and the wire fraud statutes. See United States v. Antico, 275 F.3d 245 (3d Cir. 2001).
FN 4. Czubinski has been incorrectly cited for the proposition that it is not enough to temporarily download information just long enough to view it on a computer display to satisfy the "of value" prong of § 1030(a)(4). See United States v. Ivanov, 175 F.Supp.2d 367, 371 (D. Conn. 2001) ("In order for Ivanov to violate § 1030(a)(4), it was necessary that he do more than merely access OIB's computers and view the data.") (citing Czubinski, 106 F.3d at 1078). A careful reading of Czubinski, however, illustrates that the court's discussion of printing out or downloading information was meant only as an example of how the government might have proven that Czubinski had accessed the information to further his fraud and thereby obtain something of value; in other words, that his accessing of information was not done merely to satisfy his idle curiosity. Indeed, if a defendant were to access and view information from a protected computer, without or in excess of authorization, and then use that information to engage in identity theft, that defendant could likely be prosecuted for violating § 1030(a)(4) even if the defendant merely memorized the information and never downloaded or printed it out. This reading would likewise be consistent with the interpretation of the word "obtains" in the context of § 1030(a)(2) violations, which does not require copying or "asportation." Please see page 16 for the discussion of "Obtained Information" under § 1030(a)(2).
FN 5. The earliest versions of § 1030(a)(5) did not establish levels of culpability based on the mental state of the actor vis-…-vis the damage element. The pre-1994 version of the statute, for example, did not require any proof of mental state with respect to the damage caused. See United States v. Sablan, 93 F.3d 865, 868-69 (9th Cir. 1996); United States v. Morris, 928 F.2d 504, 509 (2d Cir. 1991). As amended in 1994, however, Congress established the mental state test with different treatment for intentional, reckless, and negligent damage. The amendments in 1996 combined these two factors—criminal intent and authority to access—to create a comprehensive scheme. For further discussion of this point, please refer to http://www.cybercrime.gov/1030analysis.html.
FN 6. Congress later amended § 1030 so that "no [civil] action may be brought ... for the negligent design or manufacture of computer hardware, computer software, or firmware." 18 U.S.C. § 1030(g).
FN 7. This theory has not been applied in a criminal case. In civil cases, the plaintiff must prove damage under one of the factors in § 1030(a)(5)(B). See page 38 for a list of these factors. Civil plaintiffs do not have § 1030(a)(2) available to them. Therefore, the flexibility courts have shown toward the definition of damage in civil cases may not apply to criminal cases. Further, the trade-secret aspect of Shurgard may limit its applicability.
FN 8. Prior to 2001, because the definition of damage contained the "enumerated harms" (now found in § 1030(a)(5)(B)), an argument could be made that the crime required, for example, proof of the intent to cause $5,000 in loss or a threat to public health or safety. By moving these subsections out of the definition of damage, Congress clarified that the government must prove the actor's mental state with respect to damage and not with respect to loss or other harms.
FN 9. Prior to the 2001 amendments, numerous courts struggled with the question of whether and how loss to several victims could be aggregated to meet the $5,000 loss requirement. See, e.g., Chance v. Avenue A., Inc., 165 F.Supp.2d 1153, 1158 (W.D. Wash. 2001); Thurmond v. Compaq Computer Corp., 171 F.Supp.2d 667, 680 (E.D. Tex. 2001); In re America Online, Inc., 168 F.Supp.2d 1359, 1372-73 (S.D. Fla. 2001); In re Doubleclick Inc. Privacy Litigation, 154 F.Supp.2d. 497, 520-25 (S.D.N.Y. 2001). In 2001, Congress clearly settled this issue—at least for criminal proceedings—by amending § 1030(a)(5)(B)(I) to allow aggregation of loss "resulting from a related course of conduct affecting 1 or more other protected computers."
FN 10. Prior statutory language arguably left open the question of whether a corporation or other legal entity could suffer "loss" for purposes of meeting the $5,000 loss threshold. See United States v. Middleton, 231 F.3d 1207, 1213 (9th Cir. 2000) (rejecting defendant's argument that "individuals" did not include corporations). In 2001, Congress changed the word "individuals" to "persons" and added a broad definition of "person" that includes corporations, government agencies, and any "legal or other entity." 18 U.S.C. § 1030(e)(12).
FN 11. In 1995, 18 U.S.C. § 1030(a)(5) (emphasis added) read as follows:
Whoever
- (A) through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or command to a computer or computer system if—
- (i) the person causing the transmission intends that such transmission will
- (I) damage, or cause damage to, a computer, computer system, network, information, data, or program; or
- (II) withhold or deny, or cause the withholding or denial, of the use of a computer, computer services, system or network, information, data or program; and
- (ii) the transmission of the harmful component of the program, information, code, or command—
- (I) occurred without the authorization of the persons or entities who own or are responsible for the computer system receiving the program, information, code, or command; and
- (II)
- (aa) causes loss or damage to one or more other persons of value aggregating $1,000 or more during any 1-year period; or
- (bb) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals ....
رد مع اقتباس
المفضلات