Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) is a United States cybersecurity bill that was enacted in 1984 as an amendment to existing computer fraud law (18 U.S.C. § 1030), which had been included in the Comprehensive Crime Control Act of 1984. The law prohibits accessing a computer without authorization, or in excess of authorization.[1] Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.

The original 1984 bill was enacted in response to concern that computer-related crimes might go unpunished.[2] The House Committee Report to the original computer crime bill characterized the 1983 techno-thriller film WarGames—in which a young Matthew Broderick breaks into a U.S. military supercomputer programmed to predict possible outcomes of nuclear war and unwittingly almost starts World War III—as "a realistic representation of the automatic dialing and access capabilities of the personal computer."[3]

The CFAA was written to extend existing tort law to intangible property, while, in theory, limiting federal jurisdiction to cases "with a compelling federal interest-i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature.", but its broad definitions have spilled over into contract law. (see "Protected Computer", below). In addition to amending a number of the provisions in the original section 1030, the CFAA also criminalized additional computer-related acts. Provisions addressed the distribution of malicious code and denial of service attacks. Congress also included in the CFAA a provision criminalizing trafficking in passwords and similar items.[1]

Since then, the Act has been amended a number of times—in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. With each amendment of the law, the types of conduct that fell within its reach were extended.

In January 2015 Barack Obama proposed expanding the CFAA and the RICO Act in his Modernizing Law Enforcement Authorities to Combat Cyber Crime proposal.[4] DEF CON organizer and Cloudflare researcher Marc Rogers, Senator Ron Wyden, and Representative Zoe Lofgren have stated opposition to this on the grounds it will make many regular Internet activities illegal, and moves further away from what they were trying to accomplish with Aaron's Law.[5][6]

Protected computers

The only computers, in theory, covered by the CFAA are defined as "protected computers". They are defined under section 18 U.S.C. § 1030(e)(2) to mean a computer:

  • exclusively for the use of a financial institution or the United States Government, or any computer, when the conduct constituting the offense affects the computer's use by or for the financial institution or the government; or
  • which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States ...

In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the interstate nature of most Internet communication.[7]

Criminal offenses under the Act

(a) Whoever—

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
(A) threat to cause damage to a protected computer;
(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion[8]

Specific sections

Notable cases and decisions referring to the Act

The Computer Fraud and Abuse Act is both a criminal law and a statute that creates a private right of action, allowing compensation and injunctive or other equitable relief to anyone harmed by a violation of this law. These provisions have allowed private companies to sue disloyal employees for damages for the misappropriation of confidential information (trade secrets).

Criminal cases

  • United States v. Morris (1991), 928 F.2d 504, decided March 7, 1991. After the release of the Morris worm, an early computer worm, its creator was convicted under the Act for causing damage and gaining unauthorized access to "federal interest" computers. The Act was amended in 1996, in part, to clarify language whose meaning was disputed in the case.[9]
  • United States v. Lori Drew, 2008. The cyberbullying case involving the suicide of a girl harassed on myspace. Charges were under 18 USC 1030(a)(2)(c) and (b)(2)(c). Judge Wu decided that using 18 U.S.C. § 1030(a)(2)(C) against someone violating a terms of service agreement would make the law overly broad. 259 F.R.D. 449 [10][11]
  • United States v. Collins et al, 2011. A group of men and women connected to the collective Anonymous signed a plea deal to charges of conspiring to disrupt access to the payment website PayPal in response to the payment shutdown to WikiLeaks over the Wau Holland Foundation which was part of a wider Anonymous campaign, Operation Payback.[12][13] They later became known under the name PayPal 14.
  • United States v. Aaron Swartz, 2011. Aaron Swartz allegedly entered an MIT wiring closet and set up a laptop to mass-download articles from JSTOR. He allegedly avoided various attempts by JSTOR and MIT to stop this, such as MAC address spoofing. He was indicted for violating CFAA provisions (a)(2), (a)(4), (c)(2)(B)(iii), (a)(5)(B), and (c)(4)(A)(i)(I),(VI).[14] The case was dismissed after Swartz committed suicide in January 2013.[15]
  • United States v. Nosal, 2011. Nosal and others allegedly accessed a protected computer to take a database of contacts from his previous employer for use in his own business, violating 1030(a)(4)[16][17] This is a complex case with two trips to the Ninth Circuit, and another seen as likely after the latest conviction in 2013.[18]
  • United States v. Peter Alfred-Adekeye 2011. Adekeye allegedly violated (a)(2), when he allegedly downloaded CISCO IOS, allegedly something that the CISCO employee who gave him an access password did not permit. Adekeye was CEO of Multiven and had accused CISCO of anti-competitive practices.[19]
  • United States v Sergey Aleynikov, 2011. Aleynikov was a programmer at Goldman Sachs accused of copying code, like high-frequency trading code, allegedly in violation of 1030(a)(2)(c) and 1030(c)(2)(B)i-iii and 2. This charge was later dropped, and he was instead charged with theft of trade secrets and transporting stolen property.[20][21]
  • United States v Nada Nadim Prouty, circa 2010.[22] Prouty was an FBI and CIA agent who was prosecuted for having a fraudulent marriage to get US residency. She claims she was persecuted by a U.S. attorney who was trying to gain media coverage by calling her a terrorist agent and get himself promoted to a federal judgeship.[23]
  • United States v. Neil Scott Kramer, 2011. Kramer was a court case where a cellphone was used to coerce a minor into engaging sex with an adult. Central to the case was whether a cellphone constituted a computer device. Ultimately, the United States Court of Appeals for the Eighth Circuit found that a cell phone can be considered a computer if "the phone perform[s] arithmetic, logical, and storage functions", paving the way for harsher consequences for criminals engaging with minors over cellphones.[24]
  • United States v. Kane, 2011. Exploiting a software bug in a poker machine does not constitute hacking[25] because the poker machine in question was not a "protected computer" under the statute (not being connected to the Internet it was judged not to qualify as "protected computer" affecting interstate commerce) and because the sequence of button presses that triggered the bug were considered "not exceed their authorized access." As of November 2013 the defendant still faces a regular wire fraud charge.[26]

Civil cases


There have been criminal convictions for CFAA violations in the context of civil law, for breach of contract or terms of service violations. Many common and insignificant online acts, such as password-sharing and copyright infringement, can transform a CFAA misdemeanor into a felony. The punishments are severe, similar to sentences for selling or importing drugs, and may be disproportionate. Prosecutors have used the CFAA to protect private business interests and to intimidate free-culture activists, deterring undesirable, yet legal, conduct.[37]

Tim Wu called the CFAA "the worst law in technology".[38]

Aaron Swartz

In the wake of the prosecution and subsequent suicide of Aaron Swartz (who used a script to download scholarly research articles in excess of what JSTOR terms of service allowed), lawmakers proposed amending the Computer Fraud and Abuse Act. Representative Zoe Lofgren drafted a bill that would help "prevent what happened to Aaron from happening to other Internet users".[39] Aaron's Law (H.R. 2454, S. 1196[40]) would exclude terms of service violations from the 1984 Computer Fraud and Abuse Act and from the wire fraud statute, despite the fact that Swartz was not prosecuted based on terms of service violations.[41]

In addition to Lofgren's efforts, Representatives Darrell Issa and Jared Polis (also on the House Judiciary Committee) raised questions about the government's handling of the case. Polis called the charges "ridiculous and trumped up," referring to Swartz as a "martyr."[42] Issa, chair of the House Oversight Committee, announced an investigation of the Justice Department's prosecution.[42][43]

By May 2014, Aaron's Law was stalled in committee, reportedly due to tech company Oracle's financial interests.[44]

Aaron's Law was reintroduced in May 2015 (H.R. 2454, S. 1030[45]) and again stalled.

Amendments history


  • Eliminated the requirement that information must have been stolen through an interstate or foreign communication, thereby expanding jurisdiction for cases involving theft of information from computers;
  • Eliminated the requirement that the defendant's action must result in a loss exceeding $5,000 and created a felony offense where the damage affects ten or more computers, closing a gap in the law;
  • Expanded 18 U.S.C. § 1030(a)(7) to criminalize not only explicit threats to cause damage to a computer, but also threats to (1) steal data on a victim's computer, (2) publicly disclose stolen data, or (3) not repair damage the offender already caused to the computer;
  • Created a criminal offense for conspiring to commit a computer hacking offense under section 1030;
  • Broadened the definition of "protected computer" in 18 U.S.C. § 1030(e)(2) to the full extent of Congress's commerce power by including those computers used in or affecting interstate or foreign commerce or communication; and
  • Provided a mechanism for civil and criminal forfeiture of property used in or derived from section 1030 violations.

See also


  1. ^ a b c Jarrett, H. Marshall; Bailie, Michael W. (2010). "Prosecution of Computer" (PDF). Office of Legal Education Executive Office for United States Attorneys. Retrieved June 3, 2013.
  2. ^ Schulte, Stephanie (November 2008). "The WarGames Scenario". Television and New Media. 9 (6): 487–513. doi:10.1177/1527476408323345.
  3. ^ H.R. Rep. 98-894, 1984 U.S.C.C.A.N. 3689, 3696 (1984).
  4. ^ "SECURING CYBERSPACE - President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts". January 13, 2015. Retrieved January 30, 2015.
  5. ^ "Democrats, Tech Experts Slam Obama's Anti-Hacking Proposal". Huffington Post. January 20, 2015. Retrieved January 30, 2015.
  6. ^ "Obama, Goodlatte Seek Balance on CFAA Cybersecurity". U.S. News & World Report. January 27, 2015. Retrieved January 30, 2015.
  7. ^ Varma, Corey (2015-01-03). "What is the Computer Fraud and Abuse Act". Retrieved 10 June 2015.
  8. ^ Legal Information Institute, Cornell University Law School. "18 USC 1030".
  9. ^ United States v. Morris (1991), 928 F.2d 504, 505 (2d Cir. 1991).
  10. ^ U.S. v. Lori Drew, scribd
  11. ^ US v Lori Drew, KYLE JOSEPH SASSMAN,
  12. ^ David Gilbert (December 6, 2013). "PayPal 14 'Freedom Fighters' Plead Guilty to Cyber-Attack". International Business Times.
  13. ^ Alexa O'Brien (December 5, 2013). "Inside the 'PayPal 14' Trial". The Daily Beast.
  14. ^ See Internet Activist Charged in M.I.T. Data Theft, By NICK BILTON New York Times, July 19, 2011, 12:54 PM, as well as the Indictment
  15. ^ Dave Smith, Aaron Swartz Case: U.S. DOJ Drops All Pending Charges Against The JSTOR Liberator, Days After His Suicide, International Business Times, January 15, 2013.
  16. ^ U.S. v. Nosal,, 2011
  17. ^ Appeals Court: No Hacking Required to Be Prosecuted as a Hacker, By David Kravets, Wired, April 29, 2011
  18. ^ Kravets, David (April 24, 2013). "Man Convicted of Hacking Despite Not Hacking". Wired.
  19. ^ US v Adekeye Indictment. see also Federal Grand Jury indicts former Cisco Engineer By Howard Mintz, 08/05/2011, Mercury News
  20. ^ US v Sergey Aleynikov, Case 1:10-cr-00096-DLC Document 69 Filed 10/25/10
  21. ^ Ex-Goldman Programmer Described Code Downloads to FBI (Update1), David Glovin and David Scheer - July 10, 2009, Bloomberg
  22. ^ Plea Agreement, U.S. District Court, Eastern District of Michigan, Southern Division. via
  23. ^ Sibel Edmond's Boiling Frogs podcast 61 Thursday, 13. October 2011. Interview with Prouty by Peter B. Collins and Sibel Edmonds
  24. ^ "United States of America v. Neil Scott Kramer" (PDF).
  25. ^ Poulsen, Kevin (May 7, 2013). "Feds Drop Hacking Charges in Video-Poker Glitching Case". Wired.
  26. ^ No Expansion of CFAA Liability for Monetary Exploit of Software Bug | New Media and Technology Law Blog
  27. ^ "Ninth Circuit Court of Appeals: Stored Communications Act and Computer Fraud and Abuse Act Provide Cause of Action for Plaintiff | Stanford Center for Internet and Society". Retrieved September 10, 2010.
  28. ^ US v Jacob Citrin,
  29. ^ U.S. v Brekka 2009
  30. ^ Kravets, David, Court: Disloyal Computing Is Not Illegal, Wired, September 18, 2009.
  31. ^ Kravets, David (August 20, 2013). "IP Cloaking Violates Computer Fraud and Abuse Act, Judge Rules". Wired.
  32. ^ Craigslist v. 3taps |Digital Media Law Project
  33. ^ 3Taps Can't Shake Unauthorized Craigslist Access Claims - Law360
  34. ^ See the links to the original lawsuit documents which are indexed here
  35. ^ 2011 8 9, Mike Masnick, "Sending Too Many Emails to Someone Is Computer Hacking"
  36. ^ Hall, Brian, Sixth Circuit Decision in Pulte Homes Leaves Employers With Few Options In Response To Union High Tech Tactics, Employer Law Report, 3 August 2011. Retrieved 27 January 2013.
  37. ^ Curtiss, Tiffany (2016), "Computer Fraud and Abuse Act Enforcement: Cruel, Unusual, and Due for Reform", Washington Law Review, 91 (4)
  38. ^ Christian Sandvig and Karrie Karahalios (2006-07-01). "Most of what you do online is illegal. Let's end the absurdity". The Guardian.
  39. ^ a b Reilly, Ryan J. (January 15, 2013). "Congresswoman Introduces 'Aaron's Law' Honoring Swartz". Huffington Post.
  40. ^ H.R. 2454 at; H.R. 2454 at GovTrack; H.R. 2454 Archived November 12, 2013, at the Wayback Machine at OpenCongress. S. 1196 at; S. 1196 at GovTrack; S. 1196 Archived November 12, 2013, at the Wayback Machine at OpenCongress.
  41. ^
  42. ^ a b Sasso, Brendan (2013-01-16). "Lawmakers slam DOJ prosecution of Swartz as 'ridiculous, absurd'". The Hill. Retrieved 2013-01-16.
  43. ^ Reilly, Ryan J. (January 15, 2013). "Darrell Issa Probing Prosecution Of Aaron Swartz, Internet Pioneer Who Killed Himself". Retrieved 2013-01-16.
  44. ^ Dekel, Jonathan (May 1, 2014). "Swartz doc director: Oracle and Larry Ellison killed Aaron's Law". Postmedia.
  45. ^ H.R. 1918 at Congress.govS. 1030 at

External links

Computer fraud

Computer fraud is the act of using a computer to take or alter electronic data, or to gain unlawful use of a computer or system. In the United States, computer fraud is specifically proscribed by the Computer Fraud and Abuse Act, which criminalizes computer-related acts under federal jurisdiction. Types of computer fraud include:

Distributing hoax emails

Accessing unauthorized computers

Engaging in data mining via spyware and malware

Hacking into computer systems to illegally access personal information, such as credit cards or Social Security numbers

Sending computer viruses or worms with the intent to destroy or ruin another party's computer or system.Phishing, social engineering, viruses, and DDoS attacks are fairly well-known tactics used to disrupt service or gain access to another's network, but this list is not inclusive.

Computer trespass

Computer trespass is a computer crime in the United States involving unlawful access to computers. It is defined under the Computer Fraud and Abuse act. (U.S.C 18 § 1030)

Craigslist Inc. v. 3Taps Inc.

Craigslist Inc. v. 3Taps Inc., 942 F.Supp.2d 962 (N.D. Cal. 2013) was a Northern District of California Court case in which the court held that sending a cease-and-desist letter and enacting an IP address block is sufficient notice of online trespassing, which a plaintiff can use to claim a violation of the Computer Fraud and Abuse Act.

3Taps and PadMapper were companies that partnered to provide an alternative user interface for browsing Craigslist's housing ads. In doing so, they scraped Craigslist's site for data, which Craigslist did not approve of. Craigslist sent both companies a cease-and-desist letter and blocked their IP addresses, but this did not stop 3Taps from scraping through other IP addresses. Craigslist then sued, resulting in this case.

In pre-trial motions 3Taps moved to dismiss on multiple grounds. In response, the court issued an order that set precedent on whether online hosts can use the CFAA to protect public data. The court held that sending a cease and desist letter and blocking a client's IP address are sufficient to qualify as notice under the Computer Fraud and Abuse Act. 3Taps should have known that Craigslist was revoking its authorization to access the site. The motion to dismiss was granted in part, and denied in part.

On June 26, 2015, Craigslist came to separate settlements with 3Taps and Padmapper. Both settlements required the defendants to permanently stop taking content from Craigslist, directly or indirectly. 3taps paid $1,000,000 which Craigslist will donate to the EFF over ten years. Press coverage said that 3Taps would shut down, but as of June 29 it was still active with content from other sites.

Demand Progress

Demand Progress is an internet activist-related entity encompassing a 501(c)4 arm sponsored by the 1630 Fund and a 501(c)3 arm sponsored by the New Venture Fund. It specializes in online-intensive and other grassroots activism to support Internet freedom, civil liberties, transparency, and human rights, and in opposition to censorship and corporate control of government. The organization was founded through a petition in opposition to the Combating Online Infringement and Counterfeits Act, sparking the movement that eventually defeated COICA's successor bills, the Stop Online Piracy Act and the PROTECT IP Act, two highly controversial pieces of United States legislation.The organization has continued to fight for such causes in the wake of the successful shelving of these two acts. Demand Progress has also played key roles in forwarding the passage of net neutrality rules, blocking expansion of the Computer Fraud and Abuse Act, under which co-founder Aaron Swartz was indicted, and other key legislative efforts.

Estimated membership numbers in early 2015 weigh in at over two million. As of late 2013, the organization encompasses the Demand Progress, Rootstrikers and wings/brands.

Hibnick v. Google, Inc.

Eva Hibnick v Google was a class action suit brought by Eva Hibnick, a Harvard Law School graduate, against Google in 2010. The suit accused Google of breaching several electronic communications laws with the launch of their new product Google Buzz. Google Buzz was a social media network that automatically plugged into Gmail.

Hibnick v Google was filed in the United States District Court, Northern District of California and accused Google of being in breach of the Federal Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. Google Buzz shared private information by revealing Gmail users’ contacts and automatically opted all Gmail users into using Google Buzz.The lawsuit settled for $8.5 million, 30% of which went to the attorneys.

In re DoubleClick

In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001) ("DoubleClick"), had Internet users initiate proceedings against DoubleClick, alleging that DoubleClick's placement of web cookies on computer hard drives of Internet users who accessed DoubleClick-affiliated web sites constituted violations of three federal laws: The Stored Communications Act, the Wiretap Statute and the Computer Fraud and Abuse Act.

The court held that DoubleClick was not liable under any of the three federal laws because it fell within the consent exceptions under the Stored Communications Act and the Wiretap Statute. DoubleClick was not excluded from the consent exception of the Wiretap Statute because it did not intercept the communications for criminal or tortious purposes. DoubleClick was also not liable under the Computer Fraud and Abuse Act because the plaintiffs had failed to meet the statutory threshold of $5,000 in losses. The court established that damages under the Computer Fraud and Abuse Act may only be aggregated for the unauthorized access of each cookie.

International Airport Centers, L.L.C. v. Citrin

In International Airport Centers, L.L.C. v. Citrin, the Seventh Circuit Court of Appeals evaluated the dismissal of the plaintiffs' lawsuit for failure to state a claim based upon the interpretation of the word "transmission" in the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Jacob Citrin had been employed by IAC, who had lent him a laptop for use while under their employment. Upon leaving IAC, he deleted the data on the laptop before returning it to IAC. The Court of Appeals decided to reverse the decision and reinstated IAC's lawsuit.

LVRC Holdings LLC v. Brekka

LVRC Holdings v. Brekka 581 F.3d 1127, 1135 (9th Cir. 2009) is a Ninth Circuit Court of Appeals Decision that deals with the scope of the concept of "authorization" in the Computer Fraud and Abuse Act. The major finding of this case is that even if an employee accesses a computer for an improper purpose, such as one that violates the duty of loyalty to their employer, the employee remains authorized to access the computer until the employer revokes the employee's access. The findings of this case were upheld by another Ninth Circuit decision in United States v. Nosal, 676 F.3d 854 (9th Cir.2012) (en banc) and are the current law in this circuit.

This case is noteworthy because the court differentiated itself from the Seventh's Circuit interpretation of "authorization" by assessing whether the employer made the computer system available to the employee during the employee's access, instead of examining the subjective intent the employee had when accessing the system. Since this decision limited the scope of when an employee could access a computer "without authorization" than the Seventh Circuit did in a similar case, this case defined a circuit split of authority on the scope of the term "authorization." This issue could be settled by the Supreme Court in the future, although no case is currently pending that would allow the decision to be determined.

Leandro Aragoncillo

Leandro Aragoncillo (born 1960) is a former FBI intelligence analyst and a retired United States Marine Corps gunnery-sergeant who was convicted of spying against the United States Government in 2007. A naturalized Filipino-American, he was charged with espionage and with leaking classified information to the regime of a former Filipino president.

The FBI labeled Aragoncillo the first known case of espionage within the history of the White House. For over thirty-one months, from 1999 to 2001, Aragoncillo was assigned under Vice President Al Gore and then later under Vice President Dick Cheney.

Hired to work for the FBI at the Army's Ft. Monmouth base in New Jersey in July 2004, Aragoncillo began sending classified documents in January 2005, according to a federal complaint.

On October 5, 2005, Aragoncillo was indicted and arrested in New Jersey for espionage. Federal agents accused him of stealing classified information, including details about the current President of the Philippines, Gloria Macapagal-Arroyo and then passing that information onto opposition leaders in the Philippines.

According to reports compiled by Filipino intelligence professionals, there were indications of a link between Aragoncillo and the French intelligence service, Direction générale de la sécurité extérieure. Frequent visits by Aragoncillo to Manila allegedly were interspersed with clandestine meetings between identified, French operatives and several "illegals" (i.e. unregistered agents) around 2002 to 2004.

Statutes used against Aragoncillo:

Count 1: 18 U.S.C. § 794(a) & c - Espionage Act of 1917

Count 2: 18 U.S.C. § 793(e) - Espionage Act of 1917 / McCarran Internal Security Act 1950

Count 3: 18 U.S.C. § 1030(a)(1) & 2 - Comprehensive Crime Control Act 1984 / Computer Fraud and Abuse Act 1986 / The National Information Infrastructure Protection Act 1996 / USA Patriot Act 2001 / etc.Michael Ray Aquino, a former deputy director of the Philippines National Police who lived in New York City, was arrested also and was charged. He was accused of receiving documents. He pleaded guilty to unlawful possession of secret, U.S. government documents. He faced a jail sentence of between 70 and 87 months plus a fine of $250,000. On July 17, 2007, he was sentenced to six years and four months.Leandro Aragoncillo, on the other hand, was sentenced on July 18, 2007, in New Jersey by U.S. District Judge William H. Walls to ten years in prison. Under a proposed plea agreement, Aragoncillo had faced up to twenty years in prison.

Lee v. PMSI, Inc.

Lee v. PMSI, Inc., No. 10-2094 (M.D. Florida January 13, 2011), was a case in the United States District Court for the Middle District of Florida about whether the Computer Fraud and Abuse Act (CFAA) makes it illegal for an employee to violate an employer's acceptable use policy. The court ruled that violating an employer's policy did not "exceed authorization" as defined by the CFAA and was not illegal under the act.

Massachusetts Bay Transportation Authority v. Anderson

Massachusetts Bay Transportation Authority v. Anderson, et al., Civil Action No. 08-11364, was a challenge brought by the Massachusetts Bay Transportation Authority (MBTA) to prevent three Massachusetts Institute of Technology (MIT) students from publicly presenting a security vulnerability they discovered in the MBTA's Charlie Card automated fare collection system. The case concerns the extent to which the disclosure of a computer security flaw is a form of free speech protected by the First Amendment to the United States Constitution.

The MBTA claimed that the MIT students violated the Computer Fraud and Abuse Act (CFAA) and on August 9, 2008, was granted a temporary restraining order (TRO) against the students to prevent them from presenting information to DEFCON conference attendees that could have potentially been used to defraud the MBTA of transit fares. The MIT students contended that submitting their research for review and approval by a government agency before publication is unconstitutional prior restraint.

The case garnered considerable popular and press attention when the injunction unintentionally became a victim of the Streisand effect, increasing the dissemination of the sensitive information of the students' presentation because the slides had been both distributed to conference organizers in the weeks before the injunction as well as inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint.

On August 19, the judge rejected the MBTA's request to extend the restraining order and the TRO likewise expired, thus granting the students the right to discuss and present their findings.

Morris worm

The Morris worm or Internet worm of November 2, 1988, was one of the first computer worms distributed via the Internet, and the first to gain significant mainstream media attention. It also resulted in the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act. It was written by a graduate student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988, from the computer systems of the Massachusetts Institute of Technology.

Protected computer

Protected computers is a term used in Title 18, Section 1030 of the United States Code, (the Computer Fraud and Abuse Act) which prohibits a number of different kinds of conduct, generally involving unauthorized access to, or damage to the data stored on, "protected computers". The statute, as amended by the National Information Infrastructure Protection Act of 1996, defines "protected computers" (formerly known as "federal interest computers") as:

a computer—(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.

The law prohibits unauthorized obtaining of "information from any protected computer if the conduct involved an interstate or foreign communication," and makes it a felony to intentionally transmit malware to a protected computer if more than $5000 in damage (such as to the integrity of data) were to result.

Pulte Homes, Inc. v. Laborers' International Union

Pulte Homes, Inc. v. Laborers' International Union of North America, 648 F.3d 295 (6th Cir. 2011), is a Sixth Circuit Court of Appeals case that reinstated a Computer Fraud and Abuse Act ("CFAA") claim brought by an employer against a labor union for "bombarding" the company's phone and computer systems with emails and voicemail, making it impossible for the company to communicate with customers. It held that causing a transmission that diminishes a plaintiff's ability to use its systems and data constitutes "causing damage" in violation of the CFAA.

Robert Tappan Morris

Robert Tappan Morris (born November 8, 1965) is an American computer scientist and entrepreneur. He is best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet.Morris was prosecuted for releasing the worm, and became the first person convicted under the then-new Computer Fraud and Abuse Act.

He went on to co-found the online store Viaweb, one of the first web-based applications, and later the funding firm Y Combinator—both with Paul Graham.

He later joined the faculty in the department of Electrical Engineering and Computer Science at the Massachusetts Institute of Technology, where he received tenure in 2006.

Trailblazer Project

Trailblazer was a United States National Security Agency (NSA) program intended to develop a capability to analyze data carried on communications networks like the Internet. It was intended to track entities using communication methods such as cell phones and e-mail.NSA employees J. Kirk Wiebe, William Binney, Ed Loomis, and House Permanent Select Committee on Intelligence staffer Diane Roark complained to the Department of Defense's Inspector General (IG) about waste, fraud, and abuse in the program, and the fact that a successful operating prototype existed. The complaint was accepted by the IG and an investigation began that lasted until mid-2005 when the final results were issued. The results were largely hidden, as the report given to the public was heavily (90%) redacted, while the original report was heavily classified, thus restricting the ability of most people to see it.

The people who filed the IG complaint were later raided by armed Federal Bureau of Investigation (FBI) agents. While the Government threatened to prosecute all who signed the IG report, it ultimately chose to pursue an NSA Senior Executive Thomas Andrews Drake who helped with the report internally to NSA and who had spoken with a reporter about the project. Drake was later charged under the Espionage Act of 1917. His defenders claimed this was retaliation. The charges against him were later dropped, and he agreed to plead guilty to having committed a misdemeanor under the Computer Fraud and Abuse Act, something that Jesselyn Radack of the Government Accountability Project (which helped represent him) called an "act of civil disobedience".

United States v. John (2010)

In United States v. John, 597 F.3d 263 (2010)

United States Court of Appeals for the Fifth Circuit interpreted the term "exceeds authorized access" in the Computer Fraud and Abuse Act 18 U.S.C. §1030(e)(6) and concluded that access to a computer may be exceeded if the purposes for which access has been given are exceeded.In particular, the court ruled that an employee would exceed authorized access to a protected computer if he or she used that access to obtain or steal information as part of criminal scheme.This case addresses the issue of the distinction between authorized access to information and subsequent use of information obtained through an authorized access for the purposes of CFAA.

United States v. Morris (1991)

United States v. Morris was an appeal of the conviction of Robert Tappan Morris for creating and releasing the Morris worm, one of the first Internet-based worms. This case resulted in the first conviction under the Computer Fraud and Abuse Act. In the process, the dispute clarified much of the language used in the law, which had been heavily revised in a number of updates passed in the years after its initial drafting. Also clarified was the concept of "unauthorized access," which is central in the United States' computer security laws. The decision was the first by a U.S. court to refer to "the Internet", which it described simply as "a national computer network."

United States v. Nosal

United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) was a United States Court of Appeals for the Ninth Circuit decision dealing with the scope of criminal prosecutions of former employees under the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit's first ruling (Nosal I) established that employees have not "exceeded authorization" for the purposes of the CFAA if they access a computer in a manner that violates the company's computer use policies—if they are authorized to access the computer and do not circumvent any protection mechanisms.

On April 24, 2013, U.S. Attorney Melinda Haag announced that Nosal was convicted by a federal jury of all charges contained in a six-count indictment. Nosal appealed his conviction to the Ninth Circuit. On July 5, 2016, a three-judge panel held 2-1 that Nosal had acted "without authorization" and affirmed his conviction. In this second decision (Nosal II), the Ninth Circuit attempted to clarify the meaning of "without authorization" in the context of the CFAA.

This page is based on a Wikipedia article written by authors (here).
Text is available under the CC BY-SA 3.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.