What is the Computer Fraud and Abuse Act (CFAA)?
The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that imposes criminal penalties on individuals who intentionally access a protected computer without proper authorization or whose access exceeds their authorization. The law was enacted as an amendment to the Comprehensive Crime Control Act of 1984 to address growing concerns about computer hacking. Since its introduction, the CFAA has been amended multiple times, including a provision for civil liability.
Expanding the CFAA
The CFAA was originally designed to protect computer systems operated by the U.S. government and some financial institutions, but changes to the law since then have continuously expanded its scope. In 1994, Congress amended the law to broaden how it could be applied and to incorporate civil penalties along with criminal penalties.
Under the new rules, a plaintiff can bring a claim against an individual if that individual committed or attempted to commit a computer-related offense that led to one of the following results:
- Aggregated financial loss of at least $5,000.
- Impairment to medical treatment or care.
- Physical injury to any individual.
- Threat to public health or safety.
The 1994 amendment paved the way for private corporations to sue current and former employees suspected of revealing trade secrets and other proprietary information to competitors.
In 1996, Congress further expanded the CFAA's scope by amending the definition of protected computers to include any computer used in interstate or foreign commerce or communication. As a result of this change, the law can be applied to just about any computer, including smartphones or tablets, given their inherent dependence on internet communication.
Following the 2001 terrorist attacks, the U.S. Patriot Act amended the CFAA again, making the following changes:
- Extended the Federal Bureau of Investigation's reach.
- Permitted search and seizure of internet service provider (ISP) records.
- Expanded the list of protected computers to include those in foreign countries that affected interstate or foreign commerce or communication in the U.S.
The Patriot Act also amended the list of civil damage provisions to include computers used by the U.S. government to administer justice, national defense or national security.
More changes came to the CFAA in 2008 with the passage of the Identity Theft Enforcement and Restitution Act. The act stiffened penalties and broadened the definition of protected computers to include any computer that is used in or affecting interstate or foreign commerce or communication. The addition of the phrase "or affecting" extended the law's reach to include local computing activity that could be connected in any way to interstate commerce or communication.
Concerns over the CFAA
The CFAA came under increased scrutiny when the U.S. Department of Justice (DOJ) charged defendant Lori Drew in 2008 under CFAA law. She was alleged to have violated the MySpace terms of service by creating an account with a false identity, which was used to bully a teenager who later committed suicide. The defendant was found guilty of a misdemeanor because she exceeded her authorization to use MySpace, a CFAA violation. However, a federal judge overturned this conviction, concluding that the charge exceeded the legal authority of the CFAA.
Although the conviction was overturned, the legal action demonstrated the potential for the CFAA to be used to prosecute internet users believed to have violated a company's terms of service (ToS), potentially turning many people into misdemeanor criminals. The CFAA was introduced before the web even existed, and many claimed that it had not kept up with technology's rapid changes.
In September 2011, U.S. Sen. Patrick Leahy introduced the Personal Data Privacy and Security Act of 2011 to address some of the concerns about the CFAA's scope, including those raised in response to the Lori Drew charges. Under the new bill, internet users would not be prosecuted or held civilly liable under the CFAA for violating a company's ToS, and employees would not be prosecuted or held civilly liable under the CFAA for violating an acceptable use policy (AUP) issued by a nongovernment employer. The bill never made it out of the Senate.
Concerns about the CFAA hit the spotlight again in January 2013 when internet activist and programmer Aaron Swartz hanged himself in his Brooklyn, New York home. Many believed his suicide was the result of two years of legal troubles stemming from federal criminal charges that could have led to massive fines and decades in prison.
In 2011, federal prosecutors indicted Swartz on 13 counts of felony hacking and wire fraud for violating the CFAA. He was alleged to have used the Massachusetts Institute of Technology's network to download millions of academic journal articles from JSTOR. Although Swartz died before his case went to trial, backlash erupted after his death on a variety of fronts, generating strong calls for CFAA reform. In July 2013, U.S. Representative Zoe Lofgren introduced the Aaron's Law Act of 2013 into the House. The law aimed to implement several CFAA reforms, but it stalled in committee and never made it to the floor.
Small steps forward for the CFAA
Although there is still widespread belief that the CFAA needs to be reformed, there has been little progress since the changes enacted in 2008. Some attribute this to lobbying efforts by special interests. Concern over cybercrime has also been at the forefront, making it difficult to move forward on reform.
To help address some of the uncertainty around the CFAA, the DOJ released a set of recommendations for prosecutors to follow when invoking the CFAA. The recommendations clarify how prosecutors should interpret the clauses "without authorization" and "exceeding authorized access." The recommendations also include numerous factors to take into account when determining whether to pursue a CFAA prosecution.
In June 2021, the Supreme Court also weighed in on the CFAA when it took up the case Van Buren v. United States. The defendant, former Georgia police sergeant Nathan Van Buren, had been charged with using "his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money." Although Van Buren used his own, valid credentials to access the database, his conduct was alleged to have violated department policy, and he was charged with a felony under the CFAA.
At stake in the court case was how to interpret the clause "exceeds authorized access," an important governing principle defined in the CFAA. Until the case reached the Supreme Court, the legal system was split on how to interpret this clause. A jury had convicted Van Buren for exceeding authorized access, but he appealed the case all the way up to the Supreme Court, arguing that the clause "applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have."
The Supreme Court ultimately agreed with Van Buren. Because he was fully authorized to access the data, he had not violated the CFAA. This decision narrowed the CFAA's broad scope. Employers can no longer invoke the CFAA to go after employees who might have used their business computers in a way that violated company policy, such as sending a personal email or reading a news clipping online. The decision also narrows the options available to employers that take action against employees who sell confidential information or trade secrets to competitors.