The Text of the Current CFAA

The current text of the CFAA lays out seven types of prohibited activity.

(1) Obtaining national security information

“Whoever—

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it …” [emphasis added]

This section has its roots in the very first version of the CFAA and aims to prosecute the use of computers in espionage. A key concept in this provision is the inclusion of those accessing information from the outside (“without authorization”) as well as those working on the inside (“exceeding authorized access”).

(2) Compromising confidentiality (1030(a)(2))

“(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer if the conduct involved an interstate or foreign communication …”

This section not only defines three types of information that often overlap with each other (mostly due to the ‘catch-all’ factor of part (C)), but it also contains problematic wording. “Obtains” in this section has been deemed to include mere viewing of the information, which would normally be considered a passive act. (See America Online, Inc. v. National Health Care Discount, Inc., 121 F.Supp.2d 1255 (N.D. Iowa 2000).) Special mention of financial institutions also refers back to the original 1984 version’s emphasis on credit card fraud.

(3) Trespassing in a government computer (1030(a)(3))

(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States 

This overlaps with 1030(a)(2), yet focuses only on “access” as opposed to “obtaining information” (although, since “obtaining information” includes merely viewing information, arguably there is not much difference between “accessing” and “obtaining information”). It has also been deemed that the language “affects the use” means little as any access will affect the use of computers. (See Sawyer v. Department of Air Force, 31 M.S.P.R. 193, 196 (M.S.P.B. 1986)). Because of overlap with 1030(a)(2), which has additional flexibility in increasing sentencing on the first offense due to aggravating factors.

(4) Accessing to defraud and obtain value (1030(a)(4))

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period

The key words in this section are “with intent to defraud,” “furthers the intended fraud,” and “value.” “Defraud” has not been fully defined, so the wording could be interpreted as anything from the common law definition of fraud to a more general sense of any sort of wrongdoing. Obtaining something of “value” is also broad wording that has been applied both narrowly and liberally. Courts have ruled that obtaining information is not something of value (see United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997)) and have ruled the other way as well (In re America Online, Inc., 168 F.Supp.2d 1359 (S.D. Fla. 2001)).

(5) Damaging a computer or information (1030(a)(5))
(5)(A)(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subsection (A), caused (or, in the case of an attempted offense, would, if completed, have caused) (i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security

(5)(A)(i), (ii), and (iii) deal with state of mind and cover knowledge, recklessness, and negligence. This section also provides sanctions for certain acts even absent access or intent. (5)(A)(i), for example, punishes creators of worms and trojans who do not access computers themselves but instead merely create software that automatically accesses computers by itself. (5)(A)(ii) and (iii) sanction those who access computers without intent to cause damage, as they reach negligent causes of damage. This section also makes special mention of computer crimes that cause physical injury, which is an expansion from limiting the CFAA to only financial and national security purposes.

(6) Trafficking in passwords (1030(a)(6))

(6) Knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if

  • (A) such trafficking affects interstate or foreign commerce; or
  • (B) such computer is used by or for the Government of the United States.

This was first introduced in the 1986 amendment as a response to “pirate bulletin boards” revealing passwords. Passwords here are also meant to include any number of other mechanisms intended to protect a computer.

(7) Threatening to damage a computer (1030(a)(7))

(7) With intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer

This section is mostly intended to address use of computers in extortion.

~ by alyssaufl on October 29, 2009.
