The First Federal Computer Crime Statute
In 1984, Congress passed the Comprehensive Crime Control Act, which included the first federal computer crime statute, later codified at 18 U.S.C. § 1030. When enacted, this new statute only set forth three new federal crimes. These crimes covered certain conduct by a person who “knowingly accesses a computer without authorization, or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend[.]” The crimes also added requirements that collectively limited the statute to three specific scenarios tailored to particular government interests—computer misuse to obtain national security secrets, computer misuse to obtain personal financial records, and hacking into government computers.
The Computer Fraud & Abuse Act (CFAA)
Just two years later, Congress significantly expanded the computer crime statute by passing the Computer Fraud and Abuse Act (“CFAA”). The original CFAA was directed at protecting classified information, financial records, and credit information on governmental and financial institution computers. Technically speaking, the CFAA was the 1986 amendment to 18 U.S.C. § 1030; however, 18 U.S.C. § 1030 in its entirety is commonly referred to as the Computer Fraud and Abuse Act and vice versa.
With the CFAA, Congress intended to prohibit unauthorized access to “federal interest” computers. The amendment provided additional penalties for fraud and related activities in connection with access devices and computers, as well as additional protection for federal interest computers. Congress attempted to limit federal jurisdiction over computer crimes to those cases involving a compelling federal interest (i.e. where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature). The CFAA also added three new prohibitions—section 1030(a)(4) prohibiting unauthorized access with intent to defraud; section 1030(a)(5) prohibiting accessing a computer without authorization and altering, damaging, or destroying information; and section 1030(a)(6) prohibiting trafficking in computer passwords.
The 1994 Amendments
Until it was amended in 1994, the CFAA only provided criminal penalties for engaging in prohibited conduct. At that point, Congress added a civil cause of action for CFAA violations that afforded private parties the ability to obtain compensatory damages, injunctive relief, and/or other equitable relief.
Congress expanded the CFAA to cover several other computer-related acts including: theft of property via computer that occurs as part of a scheme to defraud; intentional alteration, damage, or destruction of data belonging to others; distribution of malicious code and denial of service; and trafficking in passwords and similar items. Section 1030(a)(5) was amended to further protect computers and computer networks from damage incurred accidentally and even without any negligence. It was extended to both outsiders gaining unauthorized access, and to insiders, who intentionally damage a computer.
Finally, the 1994 amendments broadened the proscribed scope of conduct to include transmissions (section 1030(a)(5)(A) specifically prohibiting “knowingly caus[ing] the transmission of a program, information, code, or command” which “intentionally causes damage without authorization”). With these amendments, the focus of the statute shifted from a technical concept of computer access and authorization, to the defendant’s malicious intent and resulting harm.
The Ever-Expanding CFAA
Congress has continuously broadened the scope and coverage of the CFAA through subsequent amendments in 1996, 2001, 2002, and 2008.
In 1996, title II of the Economic Espionage Act dramatically expanded the statute in three different ways. First, the scope of section 1030(a)(2) was expanded. Originally limited to unauthorized access that obtains financial records from financial institutions, card issuers, or consumer reporting agencies, the 1996 amendments expanded the prohibition to unauthorized access that obtains any information of any kind so long as the conduct involved an interstate or foreign communication. Legislative history highlights the enormous reach of this new amendment by clarifying that obtaining information includes simply reading it.
Second, the 1996 amendments added new provisions to the computer damage prohibition, added a new felony enhancement to § 1030(a)(2), and added a computer extortion statute at § 1030(a)(7). The felony enhancement at § 1030(a)(2) turned a misdemeanor violation into a felony if the offense was conducted in furtherance of any crime or tortious act, if it was conducted for purposes of financial gain, or if the value of the information obtained exceeded $5,000.
Finally, the third significant change that the 1996 amendments made was replacing the category of “federal interest” computers with the new category of “protected computers.” The latter category now merely required a machine “used” in interstate commerce; as opposed to the former, which required computers used in two or more states. It is worth noting that the statute did not specify whether “used” in interstate commerce referred to use in the context of the charged offense or rather use in the general sense. Since every computer connected to the Internet is used in interstate commerce or communication, it is a conceivable interpretation that every computer connected to the Internet is a “protected computer” covered by 18 U.S.C. § 1030.
After the attack of the World Trade Center on September 11, 2001, Congress passed the next expansion of the CFAA through the USA Patriot Act. The most significant change was the expanded definition of “protected computer” to include computers located outside the United States; specifically, those computers “located outside the United States that [are] used in a manner that affects interstate or foreign commerce or communications of the United States.” The Patriot Act also added new triggers for the felony violations of § 1030(a)(5)—adding damage to any computer “used by or for a government entity in furtherance of the administration of justice, national defense, or national security” to the list of harms that trigger the damage provision.
The most recent expansion of the CFAA came in 2008 when Congress:
- Expanded 18 U.S.C. § 1030(a)(7) to criminalize not only explicit threats to cause damage to a computer, but also threats to (1) steal data on a victim's computer, (2) publicly disclose stolen data, or (3) not repair damage the offender already caused to the computer.
- Created a criminal offense for conspiring to commit a computer hacking offense under section 1030.
- Established a mechanism for civil and criminal forfeiture of property used in or derived from § 1030 violations.
- Broadened the definition of “protected computer” in 18 U.S.C. § 1030(e)(2) to the full extent of Congress’s commerce power by including those computers used in or affecting interstate or foreign commerce or communication.
The phrase “affecting interstate commerce” is a term of art that signals congressional intent to cover as far as the Commerce Clause will allow, and the modern Commerce Clause doctrine gives the federal government the power to “regulate purely local activities that are part of an economic ‘class of activities’ that have a substantial effect on interstate commerce.” This excursion into Commerce Clause doctrine explains just how broad the current version of “protected computer” has become, and by extension, just how far the CFAA reaches.
Problematic State of Affairs
Federal litigation under the CFAA has addressed a variety of issues, including constitutional vagueness and the proper interpretation of particular terms, such as “protected computer,” “access,” “without authorization,” “exceeds authorization,” and “damage.” Courts have also dealt with construction and application of particular provisions of the CFAA, such as the provision against intentionally accessing computers to gain information in general or as it related to financial information; the prohibition on accessing nonpublic governmental computers; the intent to defraud element; the prohibitions on knowingly causing transmission of code damaging to protected computer(s); and the provision on intentionally accessing and causing damage to protected computer(s). Courts have also explored the preclusive effect of the CFAA on the applicability of other statutes used in the prosecution of computer related crimes, and the availability of vicarious liability under the CFAA.
The furious pace of technological advancement marked by increasing computerization, coupled with years of continuous expansion through congressional amendments, has rendered the CFAA one of the most far-reaching criminal laws in the federal code. This brief history of the CFAA provides a glimpse into Congress’ willingness to expand criminal liability in areas of developing technology, and demonstrates a clear trend of spiraling expansion. Broad interpretations of the CFAA are contrary to due process and deprive individual Internet users of sufficient notice as to what conduct is prohibited, while simultaneously failing to provide clear guidelines to govern law enforcement. In the wake the remarkably broad discretion afforded to prosecutors in this area, many advocates and scholars are calling for courts to step in and adopt narrow interpretations to limit the CFAA's scope and for Congress to pass legislation doing the same.