The Most Recent Amendment to the CFAA and Beyond

The CFAA was most recently amended in 2008 by the Identity Theft Enforcement and Restitution Act [1]. Following the same pattern as the previous amendments in 1996 and 2001, the 2008 amendment further expanded the CFAA. Conspiracy to commit a computer crime was now provided for in the CFAA [2], the requirement of $5000 worth of loss was waived if 10 or more computers were affected by the damage caused by a hacker [3], and a loophole that allowed purely intra-state attacks to escape prosecution was closed [4].
The one redeeming quality of the new amendment is a more concrete definition of “damage,” which had previously been defined in broad terms as “any impairment to the availability or integrity of data and systems.” Subsection (a)(7) of the new CFAA separates “damage” from “obtaining information” and “impairing the confidentiality of information.” This is a significant step, as previous ambiguities in the definition allowed “damage” to be construed as any access, because access could “impair the integrity” of a computer system. (See HUB Group, Inc. v. Clancy, No. 05-2046, 2006 WL 208684, at *3-4 (E.D. Pa. Jan. 25, 2006).)

However, the amendment did not address “authorized” and “exceeding authorization,” key terms in determining what constitutes a prohibited act. Who gives “authorization”? Authorization can be problematic with respect to company computers, where several entities are potentially able to give and rescind authorization: an employee user, the company itself, superiors of the employee, etc. In the realm of service providers, authorization is also problematic because of the overlap in who can give it. Take, for example, “unauthorized” access of another person’s Facebook account. Is it unauthorized because the specific owner of the account does not permit it, or because Facebook’s Terms of Service do not permit it? And what if one gives authorization but the other does not?

Looking at the overall evolution of the CFAA, there is a trend of expanding its reach without concretely cementing down certain definitions. What was originally intended as a measure against hacking that causes harm to financial assets and state security has become a legislative instrument to prosecute individuals warning customers about security problems with their employer’s computer services and to threaten individuals who attained access to public files. What I believe to be the biggest barrier to a narrowly drafted CFAA is the rate at which technology – and computer crime – progresses, and legislators’ fears of leaving anything out. Hopefully, future amendments will start narrowing down the CFAA as understanding of technology and the web grows more sophisticated.


~ by alyssaufl on January 11, 2010.

One Response to “The Most Recent Amendment to the CFAA and Beyond”

  1. […] intentions over time. Originally intended to combat hackers, the CFAA has now expanded, with each amendment, to reach employees accessing files on company computers and accessing of open wireless access […]
