Kasad 1

Dallas Kasad
Professor Fisher
ENG123
18 September 2015
Computer Fraud and Abuse Act: A Literature Review
The internet is a world-wide phenomenon that grows exponentially every day. Thanks to
many websites, you can do anything, from buying your groceries, to connecting with long lost
relatives. The accounts you create on these websites could put you in prison for a long time if
you choose to overstep your bounds set out by the private company in charge of the website.
There are many different opinions on the topic and many interpretations of the same law, which
makes it too broad and in desperation of clarification. The events that brought about Aarons
Law, the case of cyber-bullying by Lori Drew, and the rise of internet activists are only a few
instances that this law working in coordination with the prison system can put nearly anyone into
the incarceration system.
The original reason for the CFAA was the growing threat of the theft of digital
information and the many personas it can take (Jakopchek). For this reason it should be
extended to cover only the acquisition of stolen information. The act came into effect in 1984 to
protect the information stored on government computers (Jakopchek). Throughout the years it
has been changed as technology grows and the need for change arises, but it should still be used
to protect sensitive information (Jakopchek).

Kasad 2

The Electronic Frontier Foundation explains the details of the Computer Fraud and
Abuse Act (CFAA), and the further changes ushered in by the suicide of Aaron Swartz, who
was receiving a hefty sentencing for the cybercrimes he committed, referred to as Aarons Law
(Computer Fraud and Abuse Act Reform). The federal act makes accessing another computer
in a way than it is otherwise intended illegal, and gives a disputable explanation for what
without authorization or exceeds authorized access means, leaving the law open to
interpretation by the courts. The broadness of the CFAA coupled with the substantial penalties
(up to five years in prison for the first offense and ten for repeat offenses with large fines), leads
to a situation where anyone is subject to punishment. Aarons Law seeks to eliminate prison time
for simply violating a Terms of Service contract, protect those who access already accessible
data in a new method or fashion, and most important of all make sure the punishment fits the
crime (Computer Fraud and Abuse Act Reform). The grounds in which it makes these claims is
that the CFAA hinders various Cyber-security firms, and white-hat hackers (responsible for
testing the security of major websites) from doing their jobs, it does not allow innovations like
we are used to today (GPS, social networking, etc.), and suggests that efforts in anonymity and
personal privacy should not be considered federal crimes (Computer Fraud and Abuse Act
Reform).
Paul Hanna and Matthew Leal use the Computer Fraud and Abuse Act (CFAA) as a
replacement to the Uniform Trade Secret Act that is in use in Texas. They describes a trade
secret as any information that one could not have learned on their own, which earns income for
those ideas, information or training (client information, formulas, etc.) (Hanna). It needs to be
proven that something is a trade secret, that the ex-employee has breached a confidentiality
contract, that the employee used the mentioned trade secret for a benefit outside of the business,

Kasad 3

and then the damages of this action need to be assessed before a charge can be formed (Hanna).
The CFAA reliance would not require proving these things for it to be a trade secret and thus
becomes the smarter choice for businessmen and litigators to get issues over with quickly
(Hanna).
Kevin Jakopchek explains the broad and narrow theories of interpretation with the
Agency, Contract and Narrow theories of interpretation. The agency theory, through
International Airport Centers, L.L.C. v. Citrin, speaks of a loyalty an employee has to their
employer (Jakopchek). When the employee becomes destructive or works in countering the
loyalty to their employer, then they can be brought up on charges for their actions (Jakopchek).
The contract theory, as is seen in the case EF Cultural Travel v. Explorica Inc., is where the
employee made an effort in communicating sensitive information to the employers competitor
against the contract signed when they started the job, allowing for charges to be filed
(Jakopchek). The narrow theory of interpretation is where the question of the use of information
becomes irrelevant and the employees original access of the information is what comes into play
(Jakopchek). In LVRC Holdings LLC v. Brekka the current employee took information from the
business to then use in competition with the business, justified by information learned is
information owned (Jakopchek). Cyrus Y. Chung brings up the the Code-Based Theory of
Interpretation, where Chung gives a technical, computer-savvy answer to the question, How do
you interpret the CFAA? The Code-Based theory was proposed by Professor Orin Kerr who
saw the flaw of the Agency interpretation as encompassing anything that was not work-related on
an employers computer as a crime and the Contract interpretation as too much power in the
hands of the private actors (someone who is not a government employee, but works in the
direction of one) to determine liability (Chung). The theory encourages the user to protect their

Kasad 4

own privacy by their means instead of by contract, emphasizes that a fraudulent circumvention
should be considered a criminal activity and that criminalizing the work-around of code-based
restrictions is more justifiable and finally that the code-based theory avoids constitutional issues
and vagueness of current laws (Chung).
Based on this need for laws to govern actions are governed on the internet on an
international level, the Council of Europes Treaty on Cybercrime was formed (Galicki). While
we are dealing with problems on American soil, it will not hold any ground if other countries are
not compliant, as the internet is bigger than America. The Treaty enforced the need to establish
international laws against cybercrime, ensure that law enforcement has all they need to prosecute
and that each country under the treaty needs to cooperate with each other (Galicki).
Reid Skibell explains the different categories internet criminals fall under: Scriptmonkeys, Hackers and Crackers. Script-monkeys are those that receive (download)
malicious software to deface a website, gain access into a website or cause a small amount of
problems using a very limited knowledge of computer code (Skibell). A Hacker is someone
who is more knowledgeable of computer code, and actively interacts with it to gain access to
places the populace are not allowed to go on the internet, to which they tend to take for
themselves proof that they did it as simply a trophy; they do not seek to cash in their newly
found information (Skibell). A Cracker is basically a hacker that cashes in (Skibell). Under
the laws put in place by the CFAA, all of these individuals are subject to the same treatment. The
1990 case The United States v. Riggs Craig Neirdorf was charged with causing $80,000 worth of
harm in releasing information sensitive to AT&T to the public via a website. Charges were
dropped as more sensitive information could be received at the time from the company by simply
paying a $13 fee (Skibell). The parallel is the case of Kevin Mitnick, who broke into the

Kasad 5

company Sun Microsystems and downloaded their new operating system software, as a trophy
(Skibell). He plead guilty so the CFAA was not used as direct weapon, but still served a harsh
penalty as Sun Microsystems stated they paid $80 million to build the operating system. After the
trial they later sold for $100 a copy after the breach (Skibell).
Alexander Galicki, Drew Havens and Alden Pelker speak of the various weapons anyone
can use maliciously on the internet from spam (responsible for 97% of all e-mails sent in
2009), to logic bombs which are malicious programs set to go off at a specific time or event
(Galicki). The next issue they pose is the Constitutional problems that arise between the First and
Fourth amendments when trying to charge cybercrimes. Since the internet is mostly speech, that
makes its way through the individuals fingers, thus becoming code, how does the court
address the First Amendment during a cybercrime case (Galicki)? The Fourth Amendment
protects the people from unreasonable searches and seizures, but how does a search and seizure
happen without invading the individuals privacy on a computer?
Paul Wellborn brings the blurred line between cybercrime and invasion of privacy into
focus. He proceeds to warn teachers of the problems that can come from being false on the
internet. He is referring to a mother in Tennessee who talks about how messy her sons rooms
were once they left for the week on a popular social networking website. The school received
this information and the boys were in trouble for violating their district residency requirements
(Wellborn). A more severe case is United States v. Drew. Megan Meier, a 13 year old, was
allowed to talk to a new friend on Myspace, Josh Evans under her parents discretion
(Murray). It was later found out that it was the mother of her friend down the street, Lori Drew
(Murray). Mrs. Drew, under her false username, then began cyber-bullying young Megan,
which then led to her suicide moments after (Murray). The U.S. Attorney looked to Mrs. Drews

Kasad 6

violation of Myspaces Terms of Service section that prohibits the creation of a false identity to
look for something to charge Mrs. Drew with and calm the public (Murray). Based on this very
minimal clause to a seemingly useless contract, the court was then allowed to prosecute under
the CFAA. While the terrible circumstances that caused the death of Megan Meier were more
than enough reason to pursue prosecution, the way in which it was handled now makes millions
of people guilty under the CFAA. The view of the act is extremely broad, pertaining to any
protected computer which is defined as a computer used for interstate commerce or
communication; any computer connected to the internet (Murray). The realization of what this
court case means for the nation is scary, that anyone who oversteps a simple, un-read term that
was agreed upon at the initiation of an account to any certain website, can now end in up to 5
years in prison for the first offense (Murray).
Li Xiang speaks of the growth of various internet activist groups, or hacktivists. While
under the Computer Fraud and Abuse Act (CFAA), anyone who tampers with anything in a way
that it is not designed can be charged with fraud and sentenced to prison and subject to massive
fines. Xiang brings up the use of internet in the average American day, and how it has become an
essential part of American life. She states that with this new way-of-life there will be the want to
protest and a right under the First Amendment to protest. The question is then brought up, How
do the various forms of protest appear online? She gives a list of Online individuals who, at
the transgressive stage, would all be given identical sentences under the CFAA and serve harsher
penalties than their Offline counterparts (Boycotts, Sit-ins, Barricades, etc.).
The loosely-associated hacktivist group Anonymous brings a strong presence
regarding the gray-area of the internet laws (Xiang). They have made their marks on history
based on their actions following the prosecutorial overreach (courts overbearing power) in the

Kasad 7

case of Aaron Swartz, the planned picketing of the Westboro Baptist Church (Xiang) and the
recent declaration of cyber-war on the Islamic State (Howell). The group in this article is focused
on their petition that was submitted to the White House entitled We the People that asks for
recognition that distributed denial-of-service (DDoS) attacks are a valid form of protesting,
which would be protected under the First Amendment (Xiang). The petition failed to achieve the
100,000 signature threshold to be considered ("Make, Distributed Denial-of-service (DDoS), a
Legal Form of Protesting.").
Molly Sauter take the radical approach, strongly against the Computer Fraud and Abuse
Act (CFAA). Ms. Sauter goes on an educated rant about the problems of the act and singles out
the United States as one of the only countries that will not acknowledge the validity of
Distributed Denial of Service (DDoS) attacks as simple an internet equivalent of a protest. She
speaks of the harsh punishments had by DDoS actions made against something that is protested
physically. Sauter goes on to give examples of typical charges that seem far worse that receive
less punishment than what the court considers cybercrimes. For example resisting arrest can lead
to a two and one-half year sentence and up to a $500 fine, Operation Payback in a DDoS strike
against PayPal, fourteen individuals received two felony counts which could have resulted in 15
years in prison and up to $500,000 in fines (Sauter). One of these individuals was a minor. She
proceeds to demonstrate the differences of what the government is allowed to do and what the
people are allowed to do to illustrate the how unfair the power the courts wield on the subject
(Sauter).
The Computer Fraud and Abuse Act is a new law that is extremely broad and allows for
many people who interact with the internet to be subject to incarceration and harsh penalties to
follow. It is proving that as technology grows around us the law is failing to keep up. Due to this

Kasad 8

lack of clarity to the law, people are going to prison on harsh terms for minimal charges and
rebellion is the growing voice against these laws, and the ammunition to fulfill their end goals
are easily accessible through the internet. While these groups intend on upholding good in the
nation and the world, they still feel the reach of the CFAA and will end up paying for their
actions, good or bad, old or young.

Kasad 9

Works Cited
Chung, Cyrus Y. "The Computer Fraud And Abuse Act: How Computer Science Can Help With
The Problem Of Overbreadth." Harvard Journal Of Law & Technology 24.1 (2010): 233256. Academic Search Premier. Web. 13 Sept. 2015.
"Computer Fraud And Abuse Act Reform." Electronic Frontier Foundation. N.p., n.d. Web. 13
September 2015.
Galicki, Alexander, Drew Havens, and Alden Pelker. "Computer Crimes." American Criminal
Law Review 51.4 (2014): 875-922. Academic Search Premier. Web. 13 Sept. 2015.
Hanna, Paul, and Matthew Leal. "The Computer Fraud And Abuse Act: An Attractive But Risky
Alternative To Texas Trade Secret Law." St. Mary's Law Journal 45.3 (2014): 491-534.
Academic Search Premier. Web. 12 September 2015.
Howell, Kellan. "Anonymous Hackers List 9,200 ISIS Twitter Accounts, Enlist Other Hackers in
Cyberwar." Washington Times. The Washington Times, 17 Mar. 2015. Web. 19 Sept.
2015.
Jakopchek, Kevin. "Obtaining" The Right Result: A Novel Interpretation Of The Computer Fraud
And Abuse Act That Provides Liability For Insider Theft Without Overbreadth." Journal
Of Criminal Law & Criminology 104.3 (2014): 605-633. Academic Search Premier. Web.
12 September 2015.
"Make, Distributed Denial-of-service (DDoS), a Legal Form of Protesting." Make, Distributed
Denial-of-service (DDoS), a Legal Form of Protesting. N.p., 07 Jan. 2013. Web. 19 Sept.
2015.

Kasad 10

Murray, Ryan Patrick. Myspace-ing is Not a Crime: Why Breaching Terms of Service
Agreements Should Not Implicate the Computer Fraud and Abuse Act. Loyola of Los
Angeles Entertainment Law Review (2009). Web. 13 September 2015.
Sauter, Molly. "Online Activism and Why the Computer Fraud and Abuse Act Must Die." Boing
Boing. N.p., 26 Sept. 2014. Web. 13 Sept. 2015.