18 USC § 1030 Computer Fraud and Abuse Act

CFAA
- Enacted in 1986 to separate and expand computer crime laws from the more general Comprehensive Crime Control Act
- Amended in 1989, 1994, 1996, 2001, 2002, and 2008
- Intent: criminalize hacking?
- Limit federal jurisdiction to gov’t/financial computers and “interstate communication”
- In practice: applies to almost any internet-connected computer, including smartphones

Letter of the law or spirit?
- “Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer;”
- “…knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;”
- “…intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage;”
- “…intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss”

Protected computers
“the term ‘protected computer’ means a computer—
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;”

MBTA v. Anderson et al.
- 2008 case against 4 MIT students who were planning to present at DEFCON a vulnerability they had found in the MBTA (Boston’s “BART”) chip card system (Boston’s “Clipper Card”)
- MBTA claimed that the students “transmitted programs to cause damage to (or attempted to transmit and damage) MBTA computers” by publishing their research through DEFCON
- Kind of undermined this argument by posting the students’ slides on the district court’s public website as exhibits in the case

Facebook v. Power Ventures
- 2009 case against Power Ventures, which aggregated data from social media feeds with user consent
- The case is pending; Facebook has claims under CFAA, DMCA, Unfair Competition, Trademark, and others
- Is “scraping” a website making an unauthorized copy?
- Can Facebook’s ToS prohibit anyone other than you from logging into your account, regardless of your permission?
- Can we investigate potentially discriminatory practices on Facebook (or other platforms) without violating their ToSes?

Craigslist vs. 3Taps and PadMapper
- 2013 case in which Craigslist claimed that 3Taps (and by extension PadMapper) violated CFAA by scraping through proxies after IP block
- If I send you a letter saying “you are not permitted to visit allisonberke.com” and you visit it anyway, you have committed a felony

Sergei Aleynikov
- 2009 case of Goldman Sachs trader charged with downloading high-frequency trading code he had written while at Goldman
- Is it illegal to keep a copy of work you produce for your employer (even after you leave that employer)? Should it be?

Case law
- Current employees cannot be prosecuted under CFAA simply for violating their employer’s computer use policy
- Violating a website’s terms of service is not on its own supposed to be a violation of CFAA (in practice this is not settled)

Three Felonies a Day – Harvey Silverglate
- Destroying evidence (obstruction of justice if the company or individual is under investigation)
- Downloading copyrighted works (ebooks, TV episodes, movies)
- Giving false statements to a federal official
- Creating a website for an organization that then links on that website to terrorist speech
- Telling customers of your former employer about a security vulnerability on that employer’s computer systems