The Computer Fraud and Abuse Act (CFAA) – History and Introduction

In this series of blog posts, I will be examining the Computer Fraud and Abuse Act (CFAA). I will first explore the history and text of the act itself and then take a look at the act’s shortcomings or overbreadth with regards to certain topics in computer crime.

The CFAA has its roots in the 80s when cybercrime was just beginning to enter into the nation’s conscience. Concern about computer crime was first formalized in the Comprehensive Crime Control Act of 1984, where Congress discussed a bill entitled “Counterfeit Access Device and Computer Fraud and Abuse Act of 1984.” (HR rep 98-894) This establishes the CFAA as 18 U.S.C. § 1030, although it will later be amended several times. As indicated by the title, this early rendition of the CFAA was mainly concerned with credit card fraud and the illegal use of computers in obtaining financial gain or classified information (id. at 12). Hackers are also specially mentioned within the report as a reason for legislation (id. at 10).

In the house report, Congress recognized that there were no present laws to cover computer crime at the time (that time being 1984).  It mentioned two cases of computer crime that had to be prosecuted under mail fraud (19 U.S.C. 1341) or wire fraud (18 U.S.C. 1343), and were only prosecuted under such because the defendants in both cases made calls across state lines. (HR rep 98-894 at 6.) Although Congress could have simply added provisions regarding computer crime to existing statutes, the proposal of separate piece of legislation (mostly) dedicated to computer crime showed Congress’ foresight in assessing the future importance of technology. It is interesting to note that the report specifically mentions that statutes need to move away from “’tangible property’ and credit and debit instruments” to “’information’ and ‘access to information,” (id. at 4) showing an early awareness of a paradigm shift in conceptualizing crime. The report also categorizes computer crime as white-collar crime and specially differentiates it from violent crime (id. at 4-5).

The first CFAA only addressed credit card fraud (“use, production and trafficking in ‘counterfeit’ access devices and device-making equipment”) and unauthorized computer access (1) to classified information for national defense or foreign relation purposes (2) that results in $5,000 in illegal gains over one year (id. at 12). It set up three types of misdemeanors directly related to computer crimes: (1) access to information on computers protected by the Right to Financial Privacy Act of the Fair Credit Reporting act (2) access to a computer if there is a gain to the defendant or loss to another that is $5,000 or more within one year (3) modification, disclosure or use of information or prevention of authorized use of a computer owned or operated for the U.S. Government (id.).  Notably, these aim at protecting financial assets and state secrets and make no mention of other possible abuses.

Two years later, in 1986, 18 U.S.C. § 1030 received an amendment. (S. Rep. 99-432) After continued hearings on the matter of computer crime, Congress additionally criminalized theft of property via a computer in an attempt to defraud and also a provision to punish those who alter, damage, or destroy data of others, showing an increased sophistication in the understanding of computer crime. The Senate report also mentions concern about overstepping federal powers in creating comprehensive computer crime laws and mentions “limiting” jurisdiction to only cases with “compelling Federal interest” such as crimes dealing with government computers or interstate crimes (id. at 4). This new report also first hints at computer crime capable of physically harming individuals, yet does not add any special language specifically related to physical harm.

The CFAA will be amended several more times since the 1986 amendment, mostly with minor changes to language. The two most significant changes (the National Information Infrastructure Protection Act of 1996 and the USA PATRIOT Act of 2001) will be discussed later.


~ by alyssaufl on October 29, 2009.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: