“Where did the CFAA come from, and where is it going?”

Seth Rosenblatt writes on PARALLA:


“In June 1983, President Ronald Reagan attended a screening at Camp David of WarGames, a movie in which a hacker inadvertently almost starts World War III. Intrigued, the movie star-turned politician asked Gen. John W. Vessey Jr., chairman of the Joint Chiefs of Staff, if the WarGames scenario could become a reality.

A week later, Vessey returned with an answer: Yes, he said, according to new research published in Dark Territory: The Secret History of Cyber War, a book by Fred Kaplan.

Later that year, six antihacking bills began working their way through Congress, as the Reagan administration demanded legislation to address computer security risks suggested in WarGames. By 1986, the president signed into law the regulations he wanted as the Computer Fraud and Abuse Act, an amendment to the existing computer fraud law, the Comprehensive Crime Control Act of 1984.

The CFAA was revolutionary in that it criminalized, for the first time, most forms of computer hacking in the United States, regardless of hackers’ intentions or results. Penalties for computer hacking reached the point at which people convicted on charges of illegal hacking could be locked up with sentences far worse than those of people convicted on charges of aggravated physical assault.” Read more…

Image above © Pinguino Kolb/The Parallax 2016

New Developments: “Feds finally charge man who stole nude photos of celebrities in 2014”

Sarah Kaplan writes on the WASHINGTON POST:

Perhaps you have forgotten about “Celebgate,” when hundreds of nude photos of famous women, including Jennifer Lawrence and Kate Upton, were stolen from their Apple and Gmail accounts and shared across the shadowy back corners of the Internet. We wouldn’t blame you; it was an ugly time.

But federal authorities, it seems, did not forget.

A year and a half after the images made their way online, the U.S. attorney’s office in Los Angeles announced that it has tracked down a man who stole them.” Read more…

Bunny Bytes: Employees + the CFAA = Circuit Split

https://pixabay.com/en/fork-junction-road-caution-forked-32601/In December of 2015, the Second Circuit joined the dispute over whether an employee can be sued under the Computer Fraud and Abuse Act (CFAA) when they use their employer’s computer system in a way that is outside the scope of employment. With the Second Circuit weighing in, seven of the twelve Federal Courts of Appeals have taken up a position in the fight, with four courts on one side of the split and three in opposition. And while the Second Circuit’s interpretation of the disputed part of the CFAA appears sound, the disturbing facts surrounding the case may cause further polarization.

What’s the problem?

The CFAA can be used to prosecute anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U.S. Code § 1030(a)(2). Under this provision of the statute, several employers have sued their former employees for misappropriating certain information for personal benefit, such as trade secrets or customer contacts. Even though the employee may have had authorized access at the time when they extracted the information, employers argue that authorized access is exceeded when the use of that information falls outside the scope of employment. In other words, the employee may have authorized access for work purposes, but they exceed that authorization when they abuse that access.

Using the CFAA to prosecute former employees in this way makes sense when an employee is surreptitiously collecting confidential information from their current employer with the intent of quitting that job to go work for a competitor. This sort of misappropriation may result in substantial profit loss for the former employer.

However, the same liberal interpretation of the CFAA would also potentially criminalize employees who casually misuse a company computer for personal reasons that is outside the scope of their employment, such as to check their personal email, use social media platforms, or even pay their bills online. The contention among the Circuit courts is whether to employ a broad or narrow interpretation of “exceeding authorized access.”

Continue reading

Bunny Bytes: The CFAA & Trade Secret Litigation— “Undercutting Employee Mobility: The Computer Fraud and Abuse Act in the Trade Secret Context”

The following is a synopsis of Undercutting Employee Mobility: The Computer Fraud and Abuse Act in the Trade Secret Context by Glenn Schieck.

When “rogue employees” misappropriate trade secrets via computer before leaving to work for a competitor, the victim company currently has the option to pursue civil actions against the employee under either the state’s trade secret statute or the CFAA. Glenn Schieck’s article argues that this “reliance on the CFAA threatens to undercut policy considerations of trade secret law.”

The problem is that the CFAA does not accommodate for competitive markets where employees move freely between companies with an accepted risk of some knowledge being compromised, whereas trade secret law does. This article proposes that the CFAA should be amended “to adopt some limited substantive elements of trade secret law” to avoid companies potentially abusing the statute to circumvent trade secret law when it does not accommodate their means.

Schieck explains how the CFAA came to be used in lieu of trade secret litigation after it was drastically amended in 1996 to include all “protected computer[s],” whereas the CFAA was previously limited to protecting computers of “federal interest.” With this amendment, companies found it easier to bring a claim under the CFAA rather than state trade secret law because the latter requires the plaintiff to show that a trade secret exists, there were reasonable efforts to keep that information ‘secret,’ and that there was wrongful appropriation of the information. In contrast, the CFAA only requires that the plaintiff show wrongful appropriation. In addition to lowering the bar for pleading requirements, the CFAA provides federal jurisdiction, unlike state trade secret law, which allows for certain elements of relief that state level jurisdiction may not provide. The CFAA also may allow some plaintiffs to enforce non-compete clauses in states where they would otherwise be unenforceable. Finally, supplemental jurisdiction enables a plaintiff to bring both CFAA and trade secret claims in tandem, occasionally resulting in double recovery for damages.

Schieck’s article proposes legislative amendments to the CFAA to narrow certain interpretations of the statute to avoid the aforementioned contentions with trade secret law. The main issue raised is the CFAA’s broad use of the word “authorization,” which creates liability when an individual’s use of a computer system is either “without authorization or exceeds authorized access.” For now, liability is created when an authorized user of a computer system breaches a written computer use policy, such as an agency agreement between an employer and employee. Schieck supports proposed reform to the CFAA to include an additional barrier to define a breach, such as a physical barrier or possibly a confidentiality/non-compete agreement. He further suggests the addition of a “reasonable efforts” provision that would prevent frivolous claims to be brought against appropriation of information that is not confidential. With these proposed amendments, Schieck believes that the CFAA could be better managed to avoid subverting the policy goals of trade secret law.

Glenn Schieck is a 2014 JD graduate of Brooklyn Law School and is currently an Associate at Harter Screts & Emery LLP in Rochester, New York.

Bunny Bytes: On the Origin of Cyberloquium

The Cyberloquium blog was born out of a legal writing class that, at the time of this post, I am currently taking. The official title of the class is “Public Legal Writing: Blogging and Social Media for Law Students and Lawyers.” Our main project is to create and maintain a legal blog that fills a specific and unique niche. My initial instinct was to write about Internet or cyber law generally, but quickly realized that such a broad topic range would not be an exceptional contribution to the legal blogsphere. So I asked myself, “What exactly is cyberlaw?” If one were to peruse some of the well-known cyberlaw blogs, including the Berkman Center for Internet and Society or the Electronic Frontier Foundation’s Deep Links, they would find articles that range from privacy to copyright issues. Having been an adolescent in the ‘90s, the word ‘cyber,’ in association with other the words ‘law’ or ‘crime,’ possesses heavy connotations to hacking. I perceive ‘cybercriminals’ as unethical hackers who exploit, damage, and steal information on computer systems that they do not legitimately own or have privilege to. However, society has adapted the Internet in a way that almost all human interactions are capable of being conducted via a computer, and therefore the ways in which people may harm one another via computer has grown in tandem. As a natural result, new laws have popped up to deal with this unsavory behavior. Though in my mind, the misappropriation and/or misuse of information, obtained in an illegal manner via computer, remains the essence of cybercrime.

I decided to blog about the Computer Fraud and Abuse Act because when it was enacted in 1984, the CFAA was the first U.S. federal statute to directly address cybercrime. The CFAA encompasses a vast array of illegal activities involving computers, including consumer fraud, copyright violations, and even foreign espionage. This statutory law that is barely one year older than I am is conceivably one of the most important cyberlaws in the United States. Where the CFAA has failed to address certain topics, other laws have been passed to fill in the gaps, but the CFAA largely has remained unchanged in the past thirty-two years, with full potency. Continue reading

New Developments: SCOTUS Upholds CFAA Conviction of Former Executive

“Supreme Court Issues CFAA decision in Michael Musacchio v. United States”

Antony P. Kim, Aravind Swaminathan and Garret G. Rasmussen of Orrick, Herrington & Sutcliffe LLP reported:

“On Monday, January 25th, the Supreme Court issued the most recent Computer Fraud and Abuse Act decision in Michael Musacchio v. United States. After leaving his employer to start his own company, the defendant (a former executive) continued to use his password and login credentials to get access to his now former employer’s computer and e-mail system. The government charged the Musacchio with violating the CFAA for intentionally accessing his former employer’s computer systems without authorization. However, at trial the court instructed the jury incorrectly that a CFAA violation required proof that he gained unauthorized access and exceeded authorized access. The CFAA, however, only requires proof that the individual either “intentionally accesses a computer without authorization or exceeds authorized access.” The Supreme Court upheld his conviction, explaining that “[w]hen a jury finds guilt after being instructed on all elements of the charged crime plus one more element, the jury has made all the findings that due process requires.” Read more…