Important Facts About Computer Fraud and Other Cybercrimes

Introduction to Computer Crime

There is no universally accepted definition of “computer crime” or “cybercrime.” Certainly not every crime committed with a computer or that involves the use of a computer can or should be labeled as such. Indeed, given the almost ubiquitous nature of computers in modern life, if the definition of computer crime simply included the use of a computer, then almost all crime could be defined as computer crime. It is generally agreed, however, that computers can be used in criminal activity in three ways.

First, a computer may be incidental to the crime, for example, where the defendant uses a computer to write a threatening letter or where a drug dealer uses a computer to keep a record of his transactions. In these instances, a computer may provide law enforcement with valuable evidence of a crime.

Second, a computer may be used as the instrument or tool for offenses that occur in the physical world. In these instances, the computer is often being used to further some form of more traditional crime such as fraud, extortion, intellectual property violations, identity theft, child pornography, harassment, mail and wire fraud and various other crimes. While these are not new crimes, the use of a computer may make the commission of such a crime much easier and the prosecution more difficult under existing laws. For example, a criminal can make an infinite number of counterfeit copyrighted works which can be transmitted anywhere in the world instantaneously. Similarly, a child pornographer no longer has to be concerned about smuggling the illicit images through customs, but can simply download copies of such images from the Internet.

Third, a computer may be viewed as the subject or direct target of criminal activity. This occurs when a criminal acts to illegally acquire information stored on the target system, to control the target system without authorization or payment, to alter the integrity of data, or to interfere with the availability of or damage the computer, server or communications device. Examples of such crimes include computer hacking, computer viruses or worms, denial of service attacks, etc. The individuals committing these crimes range from disgruntled insiders and hackers to organized crime groups, terrorists, foreign intelligence services and foreign militaries.

While it may be argued that this third category does not constitute a new type of crime because, for example, hacking can be analogized to trespass or burglary, this claim does not account for the real differences between the real world and the virtual world. Prior to the invention of the computer and the rise of the Internet, an individual was required to have a physical presence within the country in which the crimes were committed, and the ability to commit a crime was limited by physical constraints such as the amount of property that could be physically carried or the number of houses that could be broken into within a day. With a computer, an enterprising individual can cause tremendous damage to computer systems located anywhere in the world or can download vast amounts of information which may be worth far more than any physical property. Criminals no longer need a physical connection to a particular country to commit a crime in that country. Individuals can commit crimes remotely and anonymously, operating across national borders, leaving evidence of their activities just about anywhere in the world. The crimes that fall under this category are really new types of crimes which cannot easily be prosecuted under traditional criminal statutes. In response, Congress passed the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. section 1030, in 1986; it has been amended numerous times since then. [During my more than five years with the Computer Crime and Intellectual Property Section of the Criminal Division of the United States Department of Justice, I was involved in a number of investigations and prosecutions involving violations of this act.]


Notable Cases Involving the Computer Fraud and Abuse Act


Civil Actions

The single most important federal law that covers computer hacking is the Computer Fraud and Abuse Act (“CFAA”). Although the CFAA is primarily a criminal statute, it provides for a private right of action. Indeed, with varying degrees of success, employers are taking advantage of the CFAA’s civil remedies to sue former employees and their new companies who may be seeking a competitive edge through wrongful use of information from their former employer’s computer system. Further, while many of the civil cases involve “classic” hacking activities, some courts have held that the civil reach of the CFAA includes instances where a user violates the terms of use of a Web site, for example, by using a scraper program to harvest data from the Website.

In order to prove a civil violation of the CFAA, a plaintiff must, in general, (1) establish that the defendant accessed a protected computer without or in excess of authorization and (2) caused damage or loss to the victim of more than $5,000. Damages are limited to economic damages, and most courts have held that damage does not cover the loss of a trade secret, goodwill or reputation, business opportunities, revenue or profits or other damages which are unrelated to the damage caused to the plaintiff’s computer system or to damage relating to attempts to resecure a computer system in the wake of a hacking attack. Loss includes the cost of determining the amount of damage caused by defendant’s activities and attempts to restore information and electronic data as well as the cost incurred because of service interruption.

The most heavily litigated civil CFAA issue is whether the defendant accessed a protected computer without authorization or in excess of authorization. There are three general categories of civil CFAA cases, and courts have approached each category differently in determining whether the defendant has acted without authorization or in excess of authorization.


The first category of cases involving the meaning of “authorization” has arisen in the context of employee misconduct.

In this area, courts have become increasingly split as to what it means for an employee to access an employer’s computer system without authorization or in excess of authorization. Under the so-called “broad view,” which has also become a distinctly minority view, courts have concluded that when an employee or former employee accesses an employer’s computer with the intent to misuse the information obtained as a result of such access, then such access was in excess of authorization, even if the employee could otherwise have accessed the information. The focus of these cases is not on an employee’s later misuse of information, but “on an employee’s initial access of the employer’s computer with the intent to either obtain information or defraud the employer, thereby, obtaining something of value.”

The leading case supporting this view is International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006). In this case, Judge Posner, writing for the majority, noted that the difference between “without authorization and exceeding authorized access is paper thin.” Judge Posner stated that the employee adequately stated a cause of action under the CFAA, where the defendant was an employee of plaintiff and after resigning from the company deleted certain files from his company-issued laptop computer and loaded into the laptop a secure-erasure program that prevented the recovery of the deleted files. The court found that defendant’s resignation from the company terminated his agency relationship, and with it, “his authority to access the laptop because the only basis of his authority had been the relationship.”

Many courts have criticized this approach, holding that the CFAA targets the unauthorized procurement or alteration of information, not its misuse, and that there is no violation of the CFAA under such circumstances. For example, one court held that the defendant did not violate the CFAA where it hired several of plaintiff’s employees, including one who had access to the plaintiff’s confidential business plan and other trade secrets and e-mailed them to the defendant. Lockheed Martin Corp. v. Speed, 2006 WL 2683058 (M.D.Fla. Aug. 1, 2006). The plaintiff claimed that because the employees accessed the information with the intent to steal and deliver it to a competitor, those employees acquired adverse interests, terminated their agency authority, and therefore, the access was “without authorization.” The court rejected this argument, and pointed out that because the plaintiff permitted the employees to access the precise information at issue, they did not exceed authorized access. The district court stated that it is clear from the plain meaning of the words that “without authorization means no access and exceeds authorized access means to go beyond the access permitted. While Citrin attempts to stretch without authorization to cover those with access authorization (albeit those with adverse interests), Congress did not so stipulate.”

The district court further found that under Citrin, employers would have a federal cause of action whenever employees access the company computer with “adverse interests,” and such access causes a statutorily recognized injury, which was not Congress’ intent.  Thus, “under Citrin, would checking personal email on company time without express permission and thereby causing, however unintentionally, impairment to the computer in excess of $5,000 give rise to CFAA liability?  It might.”  Finally, the district court held that because the CFAA is primarily a criminal statute, it should be interpreted narrowly.

The second category of cases involves contracts governing the use of computers.

Generally, these cases have arisen where a user violates the terms of use of a Website by, for example, using a “scraper” program to harvest data from the Website. In EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001), the defendant’s vice president was a former vice president of the plaintiff’s who had signed a confidentiality agreement with the plaintiff promising not to disclose any of plaintiff’s “technical, business or financial information, the use or disclosure of which might reasonably be construed to be contrary to the interests of EF.” When this vice president went to work for defendant as a computer programmer, he developed an automated “scraper” program that could query plaintiff’s Website for information and then send it to the defendant, which used it to undercut plaintiff’s prices for tours. Defendant used this program on two occasions and each occasion involved approximately 30,000 queries. The district court agreed with plaintiff that this activity constituted a violation of the CFAA, reasoning that use of the scraper was so far beyond the “reasonable expectations” of the plaintiff that it was clearly unauthorized.

In affirming the district court’s decision, the First Circuit reasoned that the use of the scraper likely violated the statute because its use implicitly breached the confidentiality agreement that the vice-president had signed with the plaintiff.  The court found that the decision to use the scraper was based on the vice president’s insider knowledge of plaintiff’s Website and business practices and the use of the scraper relied on information obtained in violation of the contractual agreement.  As a result, use of the scraper exceeded authorized access to plaintiff’s computer and violated the CFAA.

The third category of cases involves a claim that a defendant committed common law trespass when it accessed a computer or database without permission from the owner.

To establish a claim for trespass, plaintiff must show that it had a possessory interest in the chattel, and that defendant (1) dispossessed plaintiff of the chattel; and (2) impaired the chattel’s condition, quality, or value; (3) deprived plaintiff of the chattel’s use for a substantial time; or (4) caused bodily harm to plaintiff or to some person or thing in which plaintiff had a legally protected interest. Generally, even an electronic trespass to chattels claim must be based on some link to a physical object.

Several courts have held that even intangible damage to computer servers can constitute a trespass to chattels. In contrast, other courts have been more reluctant to find a trespass where the intangible damage is speculative or minimal. For example, one court reversed summary judgment for plaintiff where plaintiff presented no evidence that defendant’s mass emails prevented plaintiff “from using its computers for any measurable length of time” or that plaintiff’s system “was slowed or otherwise impaired by the burden of delivering [defendant’s] electronic messages.”

Computer Fraud and Abuse Act

The CFAA seeks to protect the confidentiality, integrity, and availability of data and systems. The CFAA contains seven major provisions that create liability for different types of crimes against “protected computers”–those used in interstate or foreign commerce or communications, and any computer connected to the Internet.

1030(a)(1) Protection of Classified Government Information

Subsection 1030(a)(1) protects against the knowing access of government computers to obtain classified information. This subsection criminalizes transmitting classified government information that was obtained by accessing government computer files without authority or by exceeding authority, to the detriment of the United States or to the benefit of a foreign country. This specifically covers the conduct of a person who deliberately breaks into a computer without authority, or an insider who exceeds authorized access and thereby obtains classified information and then communicates the information to another person, or retains it without delivering it to the proper authorities, with the belief that the classified information so obtained could be used to the injury of the United States or to the advantage of any foreign nation.

1030(a)(2) Protection of Financial, Government and Other Computer Information

Subsection 1030(a)(2) is concerned with the protection of information. It prohibits the intentional access of a protected computer (essentially any computer connected to the Internet) without authorization or in excess of authorization for the purpose of obtaining information from financial institutions, the federal government, or private sector computers involved in interstate commerce or foreign communications.

1030(a)(3) Protection of Government Computer Systems

This subsection proscribes the intentional and unauthorized access of a United States department or agency non-public computer even when no information is obtained during such trespasses.  If the computer is not used exclusively by the government or a government agency, the illegal access must affect the government’s use of the computer in order to violate this subsection.

1030(a)(4) Unauthorized Use of Computers

This subsection addresses the access and fraudulent use of a protected computer (essentially any computer connected to the Internet). It prohibits the unauthorized access of a protected computer, with the intent to defraud and obtain anything of value, including use of the computer if the value exceeded $5,000. This subsection therefore requires more than mere unauthorized use. It also contains a “computer use” exception that exempts fraudulent conduct to obtain only the use of the computer where the computer use involved is less than $5,000 during any one-year period.

1030(a)(5) Protection from Damage to Computers

Subsection 1030(a)(5) generally applies to whoever knowingly or intentionally causes the transmission of a program, information, code, or command, and as a result of such conduct causes damage, without authorization, to a protected computer. Defendants can damage computers through a wide variety of actions, such as through a “denial of service attack” that prevents legitimate users from accessing the computer or by the transmission of a virus or worm that also makes the system unavailable to legitimate users. This subsection is intended to address all of these situations. The level of culpability under this provision depends upon the intent and authorization of the actor.

In particular, subsection 1030(a)(5)(A) criminalizes knowingly causing the transmission of a program, information, code, or command and, as a result of such conduct, intentionally causing damage, without authorization, to a protected computer. Thus, this provision requires that the government establish beyond a reasonable doubt that the defendant “knowingly” caused the transmission of a program and “intentionally” caused damage. This subsection applies to both insiders and outsiders; therefore, authorized users may be culpable for intentional damage to protected computers. The dual mens rea requirement of 1030(a)(5)(A) stands in contrast to subsections 1030(a)(5)(B) and (a)(5)(C), which proscribe the intentional access, without authorization, of a protected computer, but do not require an intent to cause damage and apply only to outsiders, those individuals who have no authority to access the computer system. Subsection 1030(a)(5)(B) requires that the action be reckless, while 1030(a)(5)(C) does not contain any intent requirement on the part of the defendant; therefore, unauthorized users can be culpable even if their transmission was not intentional, but merely caused damage and loss.

1030(a)(6) Trafficking in Passwords

This subsection proscribes trafficking in passwords or other similar information that would permit access, without authorization, to a government computer, or where such trafficking would affect interstate commerce or foreign communications.

1030(a)(7) Protection from Threats Directed Against Computers

This subsection prohibits the transmission of any threat, in interstate or foreign commerce, to cause damage to a protected computer with the intent to extort something of value.  Essentially, this provision criminalizes threats by hackers to crash a system if not given system privileges, money or some other thing of value.

Chapter 7 of my book, Intellectual Property & Computer Crimes (Law Journal Press) provides a detailed analysis of 18 U.S.C. section 1030.  It has been updated twice a year since first being published in 2003.