What is the Computer Fraud and Abuse Act?

Sep 25, 2019


Background

In 1986, Congress enacted the Computer Fraud and Abuse Act, or CFAA. The Act, codified in 18 U.S.C. § 1030, criminalizes unauthorized access of “any protected computer.” A “protected computer” is a “computer used in or affecting interstate or foreign commerce or communication.” 18 U.S.C. § 1030(e)(2)(B). Notably, the Act is a criminal statute that provides for both criminal and civil liability. 18 U.S.C. § 1030(g). Although the Act is a criminal statute, civil actions under the CFAA account for the largest number of opinions interpreting it. This civil litigation is useful for understanding several key provisions and terms of the Act.

Types of Offenses

This table is adapted from the Department of Justice’s Computer Crimes manual, “Prosecuting Computer Crimes.”

Punishment Under the Computer Fraud and Abuse Act

This table is adapted from the Department of Justice’s Computer Crimes manual, “Prosecuting Computer Crimes.”

Notable Cases, Convictions, and Indictments
 
hiQ Labs, Inc. v. LinkedIn Corporation

In May 2017, LinkedIn sent a cease-and-desist letter to hiQ, a data analytics company that uses publicly available information on LinkedIn to create “people analytics.” “People analytics” refers to a suite of tools hiQ offers to employers – these tools analyze LinkedIn data to identify employees likely to be recruited to another company, as well as employee skill gaps. hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783, 2019 WL 4251889, at *3 (9th Cir. Sept. 9, 2019). LinkedIn’s letter demanded “that hiQ stop accessing and copying data from LinkedIn’s server,” and warned “if hiQ accessed LinkedIn’s data in the future, it would be violating state and federal law, including the Computer Fraud and Abuse Act…” Id.


In response, hiQ demanded that LinkedIn “recognize hiQ’s right to access LinkedIn’s public pages.” Id. at 4. hiQ further threatened to seek an injunction if LinkedIn denied this request. “A week later, hiQ filed suit, seeking injunctive relief … and a declaratory judgment that LinkedIn could not lawfully invoke the CFAA…” Id. The district court granted the motion, and LinkedIn appealed.

Earlier this month, the Ninth Circuit affirmed the district court’s decision to grant hiQ’s “preliminary injunction forbidding LinkedIn from denying hiQ access to publicly available LinkedIn member profiles.” Id. at 1.

The Ninth Circuit noted that the “pivotal CFAA question … is whether once hiQ received LinkedIn’s cease-and-desist letter, any further scraping and use of LinkedIn’s data was ‘without authorization’ within the meaning of the CFAA and thus a violation of the statute. 18 U.S.C. § 1030(a)(2).” Id. at 10. The Court adopted hiQ’s reasoning that “where access is open to the general public, the CFAA ‘without authorization’ concept is inapplicable.” Id.

U.S. v. Hammond

In 2013, the Southern District of New York’s U.S. Attorney’s Office announced that Jeremy Hammond, or “Anarchaos,” was sentenced to a decade in prison for his role in the 2011 hack of Strategic Forecasting, Inc. (“Stratfor”), a global intelligence firm. In addition, Mr. Hammond was sentenced for his role in hacks into “the Federal Bureau of Investigation’s Virtual Academy, the Arizona Department of Public Safety, the Boston Police Patrolmen’s Association, and the Jefferson County, Alabama, Sheriff’s Office.” Mr. Hammond “was sentenced in connection with his guilty plea to one count of conspiracy to engage in computer hacking.” After entering his guilty plea, Mr. Hammond said, “Now that I have pleaded guilty it is a relief to be able to say that I did work with Anonymous to hack Stratfor, among other websites.” Anonymous is an international hacktivist organization.

On September 3, 2019, the Washington Post reported that “Jeremy Hammond… has been brought to Virginia to testify before a grand jury … he believes is the panel investigating WikiLeaks and its founder, Julian Assange.”
 
U.S. v. Paige Thompson

In late August, the U.S. Attorney’s Office in the Western District of Washington announced the indictment of a software engineer “on two counts related to her unauthorized intrusion into stored data of more than 30 different companies.”

The indictment alleges that Ms. Thompson created software that allowed her to find customers of a cloud computing company with misconfigured firewalls, which permitted outside commands to penetrate and access their servers. The indictment continues, stating that she then used this access to steal data, as well as “mine” cryptocurrency.