Computer Fraud and Abuse Act
Norm | |
---|---|
Norm title | Computer Fraud and Abuse Act of 1986 |
Type of norm | Act |
Issuing body | United States Congress |
Geographic scope | National |
Country |
|
Status | Amended |
Official text | https://www.govinfo.gov/content/pkg/STATUTE-100/pdf/STATUTE-100-Pg1213.pdf |
Related Norms | Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 |
Language | English |
The Computer Fraud and Abuse Act (CFAA) is the short title of Pub. L. 99–474, enacted on October 16, 1986. It substantially amended 18 U.S.C. § 1030 (Counterfeit Access Device and Computer Fraud and Abuse Act), originally enacted in 1984, by revising mental‑state requirements, adding new offenses (including password trafficking), defining "Federal interest computer", and clarifying "exceeds authorized access". [1] [2]
What the 1986 Act changed
Two years after the Counterfeit Access Device and Computer Fraud and Abuse Act, the Congress significantly expanded the computer crime statute by passing the Computer Fraud and Abuse Act ("CFAA"). The original text was directed at protecting classified information, financial records, and credit information on governmental and financial institution computers. With the CFAA, Congress intended to prohibit unauthorized access to "federal interest" computers. The amendment provided additional penalties for fraud and related activities in connection with access devices and computers, as well as additional protection for federal interest computers. Congress attempted to limit federal jurisdiction over computer crimes to those cases involving a compelling federal interest (i.e. where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature).[3]
Particularly:
- Replaced the term "knowingly" with "intentionally" in § 1030(a)(2) and "exceeds authorized access" with "having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend".
- Created new offenses:
- § 1030(a)(4): prohibited unauthorized access access to a Federal interest computer with intent to defraud;
- § 1030(a)(5): prohibited accessing a Federal interest computer without authorization and altering, damaging, or destroying information;
- § 1030(a)(6): prohibiting password trafficking affecting interstate/foreign commerce or U.S. Government computers.[1] [3]
- Added definitions including "Federal interest computer" and the statutory definition of "exceeds authorized access"
- Added a law‑enforcement/intelligence activities exception (now codified at § 1030(f)).[1]
Early application
A prominent early conviction under the post‑1986 framework was United States v. Morris (2d Cir. 1991), arising from the 1988 "Morris worm", under then‑§ 1030(a)(5)(A).[4]
Relationship to later amendments
- 1994: Computer Abuse Amendments Act (Pub. L. 103‑322): added the private "civil cause of action" at § 1030(g).[3]
- 1996: National Information Infrastructure Protection Act (Pub. L. 104‑294): replaced "Federal interest computer" with "protected computer", expanded coverage, revised § 1030(a)(5), and added extortion via computer § 1030(a)(7).[5] [6]
- Subsequent amendments in 2001, 2002, and 2008 broadened scope and penalties; for an overview of the amendment history and present structure, see the CRS primer and the USSC primer.[7] [8]
Interpretive developments
- Van Buren v. United States (2021): Supreme Court narrowed the reading of "exceeds authorized access."[9]
- DOJ charging policy (May 19, 2022): instructs declining prosecution for "good‑faith security research" under the CFAA.[10]
References
- ↑ 1.0 1.1 1.2 U.S. Government: PUBLIC LAW
- ↑ Cornell Law School: 18 U.S. Code § 1030 - Fraud and related activity in connection with computers
- ↑ 3.0 3.1 3.2 NACDL: CFAA Background
- ↑ Justia: United States of America, Appellee, v. Robert Tappan Morris, Defendant-appellant, 928 F.2d 504 (2d Cir. 1991)
- ↑ US Government: ECONOMIC ESPIONAGE ACT OF 1996
- ↑ Congress: S.982 - National Information Infrastructure Protection Act of 1996
- ↑ Congress: Cybercrime and the Law - Primer on the Computer Fraud and Abuse Act and Related Statutes
- ↑ Primer: Computer Crimes
- ↑ Supreme Court of the United States: VAN BUREN v. UNITED STATES
- ↑ EFF: DOJ’s New CFAA Policy is a Good Start But Does Not Go Far Enough to Protect Security Researchers
ICANNWiki resources: Content Guide | Documentation | Development || Maintenance: Articles needing attention | Candidates for deletion || Projects: Internet & Digital Governance Library