Part 1/4: Introduction to Cyber Crime

The Computer Fraud and Abuse Act

http://scrawford.net/blog/the-computer-fraud-and-abuse-act/1172/

Last Friday's news that Lori Drew (neighbor who posed on MySpace as potential teenage boyfriend) was being indicted under the Computer Fraud and Abuse Act represents yet another cyberlaw constitutional moment. Once again, were pressing laws intended to address X problem into service mending Y dispute. This time, however, the law is more sweeping than we might like to admit. In fact, courts have already read the CFAA to stretch awfully far - including to violations of agreements *not* found in the Terms of Service on a particular web site. The relevant question: Is this appropriate?

Background: As the news reports make clear, the CFAA was originally designed to address hacking of federal computers or financial industry systems. It was broadened in 1984 to add civil remedies (so anyone can use it, not just prosecutors), broadened again in 1996 to cover any protected computer (which essentially means any computer in interstate commerce - so any computer attached to the internet), and then broadened yet again in 2001 to include any computer outside the US that communicates with the US. So this is a statute that has migrated from protecting government computers to protecting all possible computers.

Its a violation of the CFAA to (1) intentionally access a protected computer without authorization and (2) cause damage that adds up to at least $5,000. (Take a look at 18 U.S.C. Sec. 1030(a)(5)(A)(iii).) Its very easy to come up with $5K in damages - you can use fees paid to consultants, or the cost of responding to the offense. Given the attention to the Myspace suicide, the company wont have a problem showing damages. (I know this seems odd, but the damages dont have to be directly related to fixing the actual break-in.)

Whats the break-in? The statute was written with classic hacking behavior in mind - guessing passwords, monkeying with files, etc. But here the hack is (apparently) to intentionally violate the Terms of Service posted by MySpace, which prohibit users from lying to MySpace or using their accounts to harrass other users. Here, the neighbor arguably breached these terms by saying she was a teenage boy and harrassing her teenage neighbor.

This may seem nuts to you. It does to many of us. A civil litigant can paint his/her opponent as a quasi-*criminal* by showing that he/she has violated some form contract on a site. Even odder things have happened under the CFAA.