A study of Cyber Law regarding
the Federal Computer Fraud and Abuse Act
It is safe to assume that the most popular forms of legal issues have had thousands of cases in which some have populated several baseline precedents. These precedents are created over decades or even hundreds of years. This statement, however, most certainly does not apply to the nearly four-decade-old world of cyber law. Thus, this article takes a small scratch into a few cases; the Computer Fraud and Abuse Act has brought the American justice system.
The legal world of Cyber Law, infantile as it may be, composes of many subsections and one section is Cyber Crime. Several types of Cyber Crime can be hacking, theft, distinct cyberstalking, identity theft, and child abuse. This article f on the legal development regarding the ‘Federal Computer Fraud and Abuse Act.’ The act states: “Computer hacking is the act of knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and employing such conduct furthers the intended fraud and obtains anything of value.” Over the decades of its existence, this act has allowed the prosecution of would-be hackers, cyber thieves, and black-market extortionists.
In 1982 there was no such thing as the ‘Internet.’ There was ARPANET, TELENET, an email-based system called PhoneNet, and several others that all connected the modern-day computers. Most of these networks were for private institutions and the military. Though most networks were for large and well-funded entities, purchasing a computer was available to anyone with the cash to buy one. Enter four young boys in Milwaukee, Wisconsin. Eventually, to be known as the 414s, these boys broke into several banking, laboratory, and hospital networks for the fun and thrill of it. Unlike most current events, the hackers had zero intention of malicious harm, but they were still caught via a wiretap and brought into questioning by the FBI. The charges were dropped, but this event sparks the creation of the Federal Computer Fraud and Abuse Act. This act will be the platform with which prosecutors will stand on to bring down future malicious computer abusers.
First case: U.S v. Elaine Cioni, №09–4321 (Apr. 20, 2011).
Elaine Cioni was convicted of two misdemeanor offenses regarding hacking into an unauthorized email account. Under the CFAA first time offenses are considered misdemeanors, so long as they do not further a larger crime and will be held as such in most cases. The federal government, however, chose to stack the two misdemeanor offenses as a felony. Cioni appealed her case in the 4th circuit with the National Association of Criminal Defense creating an argument stating her actions were not committed “in furtherance of” a CFAA offense and that both offenses were based on the same “conduct.” The federal government’s attempt to stack these two offenses together was claimed as a violation of the double jeopardy law. The appellate court found this claim to be true and sent the case back down for the punishment to be revised under a misdemeanor, no longer a federal crime. In the year 2011, the CFAA was modified six times since its inception; thus, it can be inferred that the development of the CFAA act has kept in mind the rights of the American citizens that it prosecutes.
Second Case: U.S v. John, №597 (Jan. 2010).
Dimetriace Eva Lavon John presented herself in the Northern District of Texas and was convicted of conspiracy to commit access device fraud and exceeding authorized access to her employer’s computer internal system. In situational terms, Ms. John was employed at a financial institution and had access to financial records of her employers’ clients. She obtained these financial records and sold them to affiliates who in turn used the stolen records to make unauthorized purchases. The fraudulent charges were traced back to Ms. John, and she was arrested. After her initial conviction in northern Texas, she had her case appealed. Unlike the previously mentioned case, this appellate court upheld the conviction. The appellate court stated that she exceeded her “authorized access.” Moreover, though she could access the information, it was not within her authorization to pass such information along to anyone without the consent of higher authority within her place of employment. The court also stated that she either knew what she was doing (breaking authorization) or she should have known. In my opinion, this is a logical and understandable reason for the appellate court to use to uphold the initial conviction.
Third Case: LVRC Holding LLC v. Brekka, №581 (September 2009) contrasting to International Airport Centers, L.L.C v. Citrin, №440 (March 2006).
These two cases have similar outlining issues, regarding the authorization of handling data. In the first case, LVRC Holding LLC v. Brekka, a current employee was brought to court for emailing himself company trade secrets before he left the company. The trial jury held that Brekka was, in fact, breaching his authorization and that he had no right to transfer company data to his personal computer. The verdict was appealed and the 9th circuit court of appeals dealt with the concept of authorization. They overturned the verdict stating, Brekka still had full authorization to access company data because he was still employed.
On the other hand, and three years prior, International Airport Centers, L.L.C v. Citrin, had a different answer from the 7th circuit court of appeals in 2006. Jacob Citrin was employed by International Airport Centers to evaluate the value of possible land acquisitions. He was given a laptop to perform the job. Jacob became self-employed and broke his contract with the former employers. The management team demanded he turn over the company laptop; the company got their laptop back, but only after Jacob deleted all the information on the laptop.
When the issue went to trial, the jury found Jacob Citrin not guilty. The district court’s logic was based off a provision within the CFAA stating, “anyone knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer violates this act.” This aligned with Jacob’s defense which proclaimed he initiated no such “transmission.” The ruling was appealed in the 7th circuit court and eventually overturned. The appellate judge made two important statements: First, the term “transmission” did not have to mean a remote transmission. In the logic of the judge, Jacob transmitted orders to the computer so that all data would be wiped. Thus, he did breach the CFAA stature. Second: Jacob no longer had the authorization to access or modify company data once he breached his loyalty to the company. This second point is a stark contrast to the result of the first case that will happen only three years later. The results of both cases can most likely be chalked up to the classic question: “How good is your lawyer?”
Fourth Case: U.S v. Ancheta, №06–051 (May 2006).
James Ancheta made history when he was caught in an elaborate sting operation by the FBI because of the ‘botnet’ operation he was conducting. A ‘botnet’ is a multitude of infected computers that all report to a ‘bot-master.’ Using this ‘botnet,’ James disrupted private networks and released large quantities of spam email across the nation. His actions made history because he was the first individual to go through the American justice system for the malicious use of a ‘botnet.’ The federal prosecutors utilized the CFAA, citing how he and others “knowingly caused the transmission of a program, information, code, or command and caused damage without authorization as a result. The court found him guilty, and James was sentenced to 5 years in federal prison.
Written by: Nicholas A. Koval
Chief Operations Officer of STL-Website-Development