Computer Fraud and Abuse Act

Computer Fraud and Abuse Act
Great Seal of the United States
Major amendments
USA Patriot Act
United States Supreme Court cases

The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law (18 U.S.C. § 1030), which had been included in the Comprehensive Crime Control Act of 1984. [1] Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.[2]

The original 1984 bill was enacted in response to concern that computer-related crimes might go unpunished.[3] The House Committee Report to the original computer crime bill included a statement by a representative of GTE-owned Telenet that characterized the 1983 techno-thriller film WarGames—in which a young teenager (played by Matthew Broderick) from Seattle breaks into a U.S. military supercomputer programmed to predict possible outcomes of nuclear war and unwittingly almost starts World War III—as "a realistic representation of the automatic dialing and access capabilities of the personal computer."[4]

The CFAA was written to extend existing tort law to intangible property, while, in theory, limiting federal jurisdiction to cases "with a compelling federal interest—i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature", but its broad definitions have spilled over into contract law (see "Protected Computer", below). In addition to amending a number of the provisions in the original section 1030, the CFAA also criminalized additional computer-related acts. Provisions addressed the distribution of malicious code and denial-of-service attacks. Congress also included in the CFAA a provision criminalizing trafficking in passwords and similar items.[1]

Since then, the Act has been amended a number of times—in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. With each amendment of the law, the types of conduct that fell within its reach were extended. In 2015, President Barack Obama proposed expanding the CFAA and the RICO Act.[5] DEF CON organizer and Cloudflare researcher Marc Rogers, Senator Ron Wyden, and Representative Zoe Lofgren stated opposition to this on the grounds it would make many regular internet activities illegal.[6] In 2021, the Supreme Court ruled in Van Buren v. United States to provide a narrow interpretation of the meaning of "exceeds authorized access".[7]

  1. ^ a b Jarrett, H. Marshall; Bailie, Michael W. (2010). "Prosecution of Computer" (PDF). justice.gov. Office of Legal Education Executive Office for United States Attorneys. Retrieved June 3, 2013.
  2. ^ "Who's Responsible? - Computer Crime Laws | Hackers | FRONTLINE | PBS". www.pbs.org. Retrieved November 13, 2021.
  3. ^ Schulte, Stephanie (November 2008). "The WarGames Scenario". Television and New Media. 9 (6): 487–513. doi:10.1177/1527476408323345. S2CID 146669305.
  4. ^ A representative of GTE Telenet (November 10, 1983). "Hearing". Subcommittee on Crime. Transcribed in: House Committee on the Judiciary (July 24, 1984). House Report No. 98-894. pp. 10–11. Accompanies H.R. 5616. Metadata on Congress.gov. Could become available on GovInfo. Reproduced in: United States Code Congressional and Administrative News (U.S.C.C.A.N.). Vol. 4 (98th Congress—Second Session 1984 ed.). St. Paul, Minn.: West Publishing Co. 1984. pp. 3689–3710 (whole report), particularly pp. 3695–3696 (specific pages with statement from hearing).
  5. ^ "Securing Cyberspace – President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts". whitehouse.gov. January 13, 2015. Retrieved January 30, 2015 – via National Archives.
  6. ^ "Democrats, Tech Experts Slam Obama's Anti-Hacking Proposal". Huffington Post. January 20, 2015. Retrieved January 30, 2015.
  7. ^ Geller, Eric; Gerstein, Josh (June 3, 2021). "Supreme Court narrows scope of sweeping cybercrime law". Politico. Retrieved June 3, 2021.