Editing Computer Fraud and Abuse Act (section)

==Notable cases and decisions referring to the Act==

The Computer Fraud and Abuse Act is both a criminal law and a statute that creates a [[private right of action]], allowing [[Damages|compensation]] and [[injunction|injunctive]] or other [[equitable relief]] to anyone harmed by a violation of this law. These provisions have allowed private companies to sue disloyal employees for damages for the misappropriation of confidential information ([[trade secret]]s).

===Criminal cases===
* ''[[United States v. Morris (1991)]]'', 928 F.2d 504 (2d Cir. 1991), decided March 7, 1991. After the release of the [[Morris worm]], an early [[computer worm]], its creator was convicted under the Act for causing damage and gaining unauthorized access to "federal interest" computers. The Act was amended in 1996, in part, to clarify language whose meaning was disputed in the case.<ref name="usvmorris505">{{cite court |litigants=United States v. Morris (1991) |vol=928 |reporter=F.2d |opinion=504 |pinpoint=505 |court=2d Cir. |date=1991 |url=https://scholar.google.com/scholar_case?case=551386241451639668}}</ref>
* ''[[United States v. Lori Drew]]'', 2009. The [[cyberbullying]] case involving the suicide of a girl harassed on [[MySpace]]. Charges were under 18 USC 1030(a)(2)(c) and (b)(2)(c). Judge Wu decided that using {{uscsub|18|1030|a|2|C}} against someone violating a [[terms of service]] agreement would make the law overly broad. 259 F.R.D. 449 <ref>[https://www.scribd.com/doc/23406419/Governments-Trial-Memo ''U.S. v. Lori Drew''], scribd</ref><ref>[https://wikispaces.psu.edu/display/IST432TEAM24/United+States+v.+Lori+Drew US v Lori Drew, psu.edu] Kyle Joseph Sassman,</ref><ref>{{Cite web|url=https://arstechnica.com/tech-policy/2009/07/myspace-mom-lori-drews-conviction-thrown-out/|title='MySpace mom' Lori Drew's conviction thrown out|last=Staff|first=Ars|date=2009-07-02|website=Ars Technica|language=en-us|access-date=2020-03-31}}</ref>
*''United States v. Rodriguez'', 2010. The [[United States Court of Appeals for the Eleventh Circuit|Eleventh Circuit Court of Appeals]] ruled that a [[Social Security Administration]] employee had violated the CFAA when he used an SSA database to look up information about people he knew personally.<ref>{{Cite web|url=https://caselaw.findlaw.com/us-11th-circuit/1549806.html|title=FindLaw's United States Eleventh Circuit case and opinions.|website=Findlaw|language=en-US|access-date=2020-03-31}}</ref>
* ''[[PayPal 14|United States v. Collins et al]]'', 2011. A group of men and women connected to the collective [[Anonymous (group)|Anonymous]] signed a plea deal to charges of conspiring to disrupt access to the payment website PayPal in response to the payment shutdown to [[WikiLeaks]] over the [[Wau Holland Foundation]] which was part of a wider Anonymous campaign, [[Operation Payback]].<ref>{{cite news |url=http://www.ibtimes.co.uk/articles/528058/20131206/paypal-14-freedom-fighters-plead-guilty-cyber.htm |author=David Gilbert |title=PayPal 14 'Freedom Fighters' Plead Guilty to Cyber-Attack |work=International Business Times |date=December 6, 2013}}</ref><ref>{{cite news |url=http://www.thedailybeast.com/articles/2013/12/05/inside-the-paypal-14-trial.html |author=Alexa O'Brien |title=Inside the 'PayPal 14' Trial |work=The Daily Beast |date=December 5, 2013}}</ref> They later became known under the name PayPal 14.
* ''[[United States v. Aaron Swartz]]'', 2011. [[Aaron Swartz]] allegedly entered an MIT wiring closet and set up a laptop to mass-download articles from [[JSTOR]]. He allegedly avoided various attempts by JSTOR and MIT to stop this, such as [[MAC address spoofing]]. He was indicted for violating CFAA provisions (a)(2), (a)(4), (c)(2)(B)(iii), (a)(5)(B), and (c)(4)(A)(i)(I),(VI).<ref>See [http://bits.blogs.nytimes.com/2011/07/19/reddit-co-founder-charged-with-data-theft/ Internet Activist Charged in M.I.T. Data Theft, By NICK BILTON] ''New York Times'', July 19, 2011, 12:54 PM, as well as the [https://archive.org/details/gov.uscourts.mad.137971 Indictment]</ref> The case was dismissed after Swartz committed [[suicide]] in January 2013.<ref>Dave Smith, [http://www.ibtimes.com/aaron-swartz-case-us-doj-drops-all-pending-charges-against-jstor-liberator-days-after-his-suicide Aaron Swartz Case: U.S. DOJ Drops All Pending Charges Against The JSTOR Liberator, Days After His Suicide], [[International Business Times]], January 15, 2013.</ref>
* ''[[United States v. Nosal]]'', 2011. Nosal and others allegedly accessed a [[protected computer]] to take a database of contacts from his previous employer for use in his own business, violating 1030(a)(4).<ref>[http://www.ca9.uscourts.gov/datastore/opinions/2011/04/28/10-10038.pdf ''U.S. v. Nosal''], uscourts.gov, 2011</ref><ref>[https://www.wired.com/threatlevel/2011/04/no-hacking-required/ Appeals Court: No Hacking Required to Be Prosecuted as a Hacker], By David Kravets, ''Wired'', April 29, 2011</ref> This was a complex case with multiple trips to the Ninth Circuit, which ruled that violating a website's terms of use is not a violation of the CFAA. He was convicted in 2013.<ref>{{cite magazine |url=https://www.wired.com/threatlevel/2013/04/man-convicted-of-hacking-despite-no-hacking/ |magazine=Wired |first=David |last=Kravets |title=Man Convicted of Hacking Despite Not Hacking |date=April 24, 2013}}</ref> In 2016, the Ninth Circuit ruled that he had acted "without authorization" when he used the username and password of a current employee with their consent and affirmed his conviction.<ref>{{Cite web|url=https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/05/14-10037.pdf|title=Nos. 14-10037, 14-10275}}</ref> The Supreme Court declined to hear the case.<ref>{{Cite web|url=https://www.supremecourt.gov/docket/docketfiles/html/public/16-1344.html|title=Docket for 16-1344|website=www.supremecourt.gov|access-date=2020-03-31}}</ref>
* ''[[Cisco Systems#Antitrust lawsuit|United States v. Peter Alfred-Adekeye]]'' 2011. Adekeye allegedly violated (a)(2), when he allegedly downloaded [[CISCO IOS]], allegedly something that the CISCO employee who gave him an access password did not permit. Adekeye was CEO of [[Multiven]] and had accused CISCO of [[anti-competitive]] practices.<ref>[https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B-VQYa94fZpfZDY4MGQ1YjItYmEyZS00MGI4LWE0N2EtMmMzZmY0NTE5MTdj&hl=en_US&pli=1 US v Adekeye] Indictment. see also [http://www.mercurynews.com/crime-courts/ci_18618018?nclick_check=1 Federal Grand Jury indicts former Cisco Engineer] By Howard Mintz, 08/05/2011, Mercury News</ref>
* ''United States v [[Sergey Aleynikov]]'', 2011. Aleynikov was a programmer at [[Goldman Sachs]] accused of copying code, like [[high-frequency trading]] code, allegedly in violation of 1030(a)(2)(c) and 1030(c)(2)(B)i–iii and 2. This charge was later dropped, and he was instead charged with theft of [[trade secret]]s and transporting stolen property.<ref>[https://www.wired.com/images_blogs/threatlevel/2010/11/Aleynikov-Sergey-Motion-to-Seal.pdf US v Sergey Aleynikov], Case 1:10-cr-00096-DLC Document 69 Filed 10/25/10</ref><ref>[https://www.bloomberg.com/apps/news?pid=newsarchive&sid=a2GvteRoihQE Ex-Goldman Programmer Described Code Downloads to FBI (Update1)], David Glovin and David Scheer. July 10, 2009, Bloomberg</ref>
* ''[[Nada Nadim Prouty|United States v Nada Nadim Prouty]]'', {{circa|2010}}.<ref>[http://www.debbieschlussel.com/archives/hezbospyplea.pdf Plea Agreement], U.S. District Court, Eastern District of Michigan, Southern Division. via debbieschlussel.com</ref> Prouty was an FBI and CIA agent who was prosecuted for having a fraudulent marriage to get US residency. She claims she was persecuted by a U.S. attorney who was trying to gain media coverage by calling her a terrorist agent and get himself promoted to a federal judgeship.<ref name=frogs1>
[http://www.boilingfrogspost.com/tag/podcast-episode/ Sibel Edmond's Boiling Frogs podcast 61]  Thursday, 13. October 2011. Interview with Prouty by Peter B. Collins and Sibel Edmonds</ref>
* ''[[United States v. Neil Scott Kramer]]'', 2011. Kramer was a court case where a cellphone was used to coerce a minor into engaging sex with an adult. Central to the case was whether a cellphone constituted a computer device. Ultimately, the United States Court of Appeals for the Eighth Circuit found that a cell phone can be considered a computer if "the phone perform[s] arithmetic, logical, and storage functions", paving the way for harsher consequences for criminals engaging with minors over cellphones.<ref name="us v neil scott kramer">{{cite web |title=United States of America v. Neil Scott Kramer |url=http://www.ca8.uscourts.gov/opndir/11/02/101983P.pdf |access-date=2012-03-18 |archive-url=https://web.archive.org/web/20110816002424/http://www.ca8.uscourts.gov/opndir/11/02/101983P.pdf |archive-date=2011-08-16 |url-status=dead }}</ref>
* ''[[United States v. Kane]]'', 2011. Exploiting a [[software bug]] in a [[poker machine]] does not constitute hacking <ref>{{cite magazine|url=https://www.wired.com/threatlevel/2013/05/video-poker-hacking-dismissed/ |magazine=Wired |first=Kevin |last=Poulsen |title=Feds Drop Hacking Charges in Video-Poker Glitching Case |date=May 7, 2013}}</ref> because the [[poker machine]] in question failed to constitute a "[[protected computer]]" under the statute (as the [[poker machine]] in question did not demonstrate a tangential relationship to [[interstate commerce]]) and because the sequence of button presses that triggered the bug were considered held to have "not exceed[ed] their authorized access." {{As of|November 2013}} the defendant still faces a regular [[wire fraud]] charge.<ref>[http://newmedialaw.proskauer.com/2013/11/13/no-expansion-of-cfaa-liability-for-monetary-exploit-of-software-bug/ No Expansion of CFAA Liability for Monetary Exploit of Software Bug | New Media and Technology Law Blog<!-- Bot generated title -->]</ref>
*''[[United States v. Valle]]'', 2015. The [[United States Court of Appeals for the Second Circuit|Second Circuit Court of Appeals]] overturned a conviction against a police officer who had used a police database to look up information about women he knew personally.<ref>{{Cite web|url=https://www.eff.org/cases/united-states-v-gilberto-valle|title=United States v. Gilberto Valle|date=2015-03-06|website=Electronic Frontier Foundation|language=en|access-date=2020-03-31}}</ref><ref>{{Cite web|url=https://www.jacksonlewis.com/publication/second-circuit-adopts-narrow-construction-federal-computer-fraud-statute-joins-circuit-split|title=Second Circuit Adopts Narrow Construction of Federal Computer Fraud Statute, Joins Circuit Split|date=2015-12-10|website=Jackson Lewis|language=en|access-date=2020-03-31}}</ref>
*''[[Van Buren v. United States]]'', 2020. A police officer in Georgia was caught in an FBI sting operation using his authorized access to a license plate database to check the identity of a person for cash payment, an "improper purpose". The officer was convicted and sentenced to 18 months under CFAA §1030(a)(2). Though he appealed his conviction on the basis that the "improper purpose" was not "exceeding authorized access", the Eleventh Circuit upheld the conviction based on precedent. The Supreme Court ruled in June 2021 that under CFAA, that a person "exceeds authorized access" of a computer system they otherwise have access to when they access files and other content that are off-limits to the portions of the computer system they were authorized to access. Their opinion restricted CFAA from applying to cases where a person obtains information from areas they do have authorized access to, but uses that information for improper reasons.<ref>{{cite news | url = https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/04/24/the-cybersecurity-202-there-s-finally-a-supreme-court-battle-coming-over-the-nation-s-main-hacking-law/5ea1ade6602ff140c1cc5f51/ | title = The Cybersecurity 202: There's finally a Supreme Court battle coming over the nation's main hacking law | first = Joseph | last = Marks | date = April 24, 2020 | access-date = July 15, 2020 | newspaper = [[The Washington Post]] }}</ref><ref>{{cite web | url = https://www.cnn.com/2021/06/03/politics/supreme-court-cybercrime-law-case/index.html | title = Supreme Court sides with police officer who improperly searched license plate database | first1=  Brian | last1 = Fung | first2= Ariane | last2= de Vogue | first3= Devan | last3= Cole | date = June 3, 2021 | accessdate = June 3, 2021 | work = [[CNN]] }}</ref>

===Civil cases===
* ''Theofel v. Farey Jones'', 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit), holding that the use of a civil subpoena which is "patently unlawful," "in bad faith," or "at least gross negligence" to gain access to stored email is a breach of both the CFAA and the [[Stored Communications Act]].<ref>{{cite web|url=http://cyberlaw.stanford.edu/packets001500.shtml |title=Ninth Circuit Court of Appeals: Stored Communications Act and Computer Fraud and Abuse Act Provide Cause of Action for Plaintiff |website = Center for Internet and Society |publisher= Stanford University |access-date=|date =September 22, 2003|first =  Lauren |last =Gelman }}</ref>
* ''[[International Airport Centers, L.L.C. v. Citrin]]'', 2006, {{uscsub|18|1030|a|5|A|i}}, in which the [[United States Court of Appeals for the Seventh Circuit|Seventh Circuit Court of Appeals]] ruled that Jacob Citrin had violated the CFAA when he [[Data erasure|deleted files]] from his company computer before he quit, in order to conceal alleged bad behavior while he was an employee.<ref>[http://openjurist.org/440/f3d/418/international-airport-centers-llc-v-citrin US v Jacob Citrin], openjurist.org</ref>
* ''[[LVRC Holdings v. Brekka]]'', 2009 1030(a)(2), 1030(a)(4), in which LVRC sued Brekka for allegedly taking information about clients and using it to start his own competing business. The Ninth Circuit ruled that an employee accesses a company computer to gather information for his own purposes does not violate the CFAA merely because that personal use was adverse to the interests of the employer.<ref>[https://www.wired.com/images_blogs/threatlevel/2009/09/brekka.pdf ''U.S. v Brekka''] 2009</ref><ref>[https://www.wired.com/threatlevel/2009/09/disloyalcomputing/ Kravets, David, ''Court: Disloyal Computing Is Not Illegal''], ''Wired'', September 18, 2009.</ref>
* ''[[Craigslist v. 3Taps]]'', 2012. 3Taps was accused by [[Craigslist]] of breaching CFAA by circumventing an [[IP address blocking|IP block]] in order to access Craigslist's website and [[Web scraping|scrape]] its classified ads without consent. In August 2013, US federal judge found 3Taps's actions violated CFAA and that it faces civil damages for "unauthorized access". Judge [[Charles R. Breyer|Breyer]] wrote in his decision that "the average person does not use "[[anonymous proxies]]" to bypass an IP block set up to enforce a banning communicated via personally-addressed [[cease-and-desist letter]]".<ref>{{cite magazine|url=https://www.wired.com/threatlevel/2013/08/ip-cloaking-cfaa/ |magazine=Wired |first=David |last=Kravets |title=IP Cloaking Violates Computer Fraud and Abuse Act, Judge Rules |date=August 20, 2013}}</ref><ref>[http://www.dmlp.org/threats/craigslist-v-3taps Craigslist v. 3taps |Digital Media Law Project<!-- Bot generated title -->]</ref> He also noted "Congress apparently knew how to restrict the reach of the CFAA to only certain kinds of information, and it appreciated the public v. nonpublic distinction—but [the relevant section] contains no such restrictions or modifiers."<ref>[http://www.law360.com/articles/465944 3Taps Can't Shake Unauthorized Craigslist Access Claims – Law360<!-- Bot generated title -->]</ref>
* ''[[Lee v. PMSI, Inc.]]'', 2011. PMSI, Inc. sued former employee Lee for violating the CFAA by browsing Facebook and checking personal email in violation of the company's [[acceptable use policy]]. The court found that breaching an employer's acceptable use policy was not "unauthorized access" under the act and, therefore, did not violate the CFAA.
* ''[[Sony Computer Entertainment America v. George Hotz]]'' and ''Hotz v. SCEA'', 2011. SCEA sued "Geohot" and others for [[Privilege escalation|jailbreaking]] the PlayStation 3 system. The lawsuit alleged, among other things, that Hotz violated {{uscsub|18|1030|a|2|c}} ([by] taking info from any [[protected computer]]). Hotz denied liability and contested the Court's exercise of personal jurisdiction over him.<ref>[http://www.groklaw.net/staticpages/index.php?page=SonyHotz#c167a_02 See the links to the original lawsuit documents which are indexed here]</ref> The parties settled out of court. The settlement caused Geohot to be unable to legally [[Hack (computer security)|hack]] the [[PlayStation 3]] system furthermore.
* ''[[Pulte Homes, Inc. v. Laborers' International Union]]'' 2011. [[Pulte Homes]] brought a CFAA suit against the [[Laborers' International Union of North America]] (LIUNA). After Pulte fired an employee represented by the [[labor union|union]], LIUNA urged members to [[Telephone call|call]] and send [[email]] to the company, expressing their opinions. As a result of the increased traffic, the company's [[Email server|email system]] [[Crash (computing)|crashed]].<ref>[http://www.techdirt.com/articles/20110809/03492415447/court-says-sending-too-many-emails-to-someone-is-computer-hacking.shtml techdirt.com] 2011 8 9, Mike Masnick, "Sending Too Many Emails to Someone Is Computer Hacking"</ref><ref>[http://www.employerlawreport.com/2011/08/articles/labor-relations/sixth-circuit-decision-in-pulte-homes-leaves-employers-with-few-options-in-response-to-union-high-tech-tactics/#axzz2JEeJ24GX Hall, Brian, ''Sixth Circuit Decision in Pulte Homes Leaves Employers With Few Options In Response To Union High Tech Tactics'', Employer Law Report, 3 August 2011.] Retrieved 27 January 2013.</ref> The [[Sixth Circuit]] ruled that the LIUNA's instruction to call and email "intentionally caused damage," reversing the lower court's decision.<ref>https://www.employerlawreport.com/files/2013/09/Pulte-Homes.pdf {{Bare URL PDF|date=August 2024}}</ref>
*''Facebook v. Power Ventures and Vachani'', 2016. The Ninth Circuit Court of Appeals ruled that the CFAA was violated when Facebook's servers were accessed despite an IP block and [[cease and desist]] order.<ref>{{Cite web|url=https://arstechnica.com/tech-policy/2016/07/startup-that-we-all-forgot-gets-small-win-against-facebook-on-appeal/|title=Startup that we all forgot gets small win against Facebook on appeal|last=Farivar|first=Cyrus|date=2016-07-12|website=Ars Technica|language=en-us|access-date=2020-03-31}}</ref>
*[[HiQ Labs v. LinkedIn]], 2019. The Ninth Circuit Court of Appeals ruled that [[Web scraping|scraping]] a public website without the approval of the website's owner is not a violation of the CFAA.<ref>{{Cite web|url=https://arstechnica.com/tech-policy/2019/09/web-scraping-doesnt-violate-anti-hacking-law-appeals-court-rules/|title=Web scraping doesn't violate anti-hacking law, appeals court rules|last=Lee|first=Timothy B.|date=2019-09-09|website=Ars Technica|language=en-us|access-date=2020-03-31}}</ref> LinkedIn petitioned for the Supreme Court to review the decision and the court remanded the case based on its [[Van Buren v. United States]] decision. The Ninth Circuit ultimately affirmed its original decision.
*''Sandvig v. Barr'', 2020. The [[United States District Court for the District of Columbia|Federal District Court of D.C.]] ruled that the CFAA does not criminalize the violation of a website's terms of service.<ref>{{Cite web|url=https://arstechnica.com/tech-policy/2020/03/court-violating-a-sites-terms-of-service-isnt-criminal-hacking/|title=Court: Violating a site's terms of service isn't criminal hacking|last=Lee|first=Timothy B.|date=2020-03-30|website=Ars Technica|language=en-us|access-date=2020-03-31}}</ref>