Share on Facebook Share on Twitter Email
Answers.com

Computer Fraud and Abuse Act

 
Computer Desktop Encyclopedia: CFA
Home > Library > Technology > Computer Encyclopedia

(Computer Fraud and Abuse Act of 1986) Signed into law in 1986, the CFA was a significant step forward in criminalizing unauthorized access to computer systems and networks. The Act applies to "federal interest computers" that include any system used by the U.S. government as well as most financial institutions. It says that unauthorized penetration or other damage to such systems is a felony, as is trafficking in password or other access codes.

Violators are subject to fines of up to $250,000 per incident and up to 10 years in prison. Updates to the CFA passed in 1994 extended coverage to dissemination of viruses and worms. For more information, visit www4.law.cornell.edu/uscode/18/1030.html. See also CompactFlash Association.

Download Computer Desktop Encyclopedia to your iPhone/iTouch

Search unanswered questions...

Enter a question here...
Search: All sources Community Q&A Reference topics

Intelligence Encyclopedia: Computer Fraud and Abuse Act of 1986
Top
Home > Library > History, Politics & Society > Intelligence & Security Encyclopedia

The United States Computer Fraud and Abuse Act of 1986 served to define criminal fraud and abuse for computer crimes on the federal level. The act specified a misdemeanor crime for the trafficking and misuse of passwords, and two felony offenses for unauthorized access to federal information systems and private computers deemed to have a "federal interest." The act removed several legal ambiguities that surrounded computer information theft, such as the lack of specific legislation mentioning computers and the slightness of legal precedence in such cases.

Computer data systems of varying sorts had been used by the United States government since the 1960s. In the early 1980s, the first computers for business and home use were available in the marketplace. This expanse of the computer-owning and software-literate population forced the government to begin finding ways to protect data, either through encryption or protective barrier mechanisms around certain files. With the advent of intranets and computer-to-computer communication through telephone lines, hacking, or the breaking into other computer systems, became more commonplace. In 1981, a computer-savvy 24-year-old named Ian Murphy hacked into several government systems, including the White House switchboard. Murphy used the switchboard to order various products before turning his attention to cracking the codes protecting sensitive military files. Murphy was arrested, but prosecutors did not have the legal recourse to try him for computer crimes, as no such laws existed. Murphy was eventually convicted of theft and knowingly receiving stolen goods.

By 1982, Congress began collecting data on computer crime, and gathering testimony from computer fraud victims. Most of the victims were major corporations who did not want their security breeches and vulnerability to become public knowledge. Not only was it easy for random hackers to crack a system, but also corporations could hack into the data systems of rival companies, engaging in corporate espionage. After five years, Congress introduced the Computer Fraud and Abuse Act of 1986. The bill passed decisively. That same session, the Electronic Communication Privacy Act of 1986 was passed, criminalizing the seizure and interception of digital messages and communication signals.

In January of 1989, Herbert Zinn was the first person to be convicted under the Computer Fraud and Abuse Act. As a teenager, Zinn broke into computer systems at the Department of Defense, wreaking havoc with several hundred files. Zinn was sentenced to nine months in prison and fined; he would have possibly received a harsher judgment if he had been over eighteen years-old at the time of the crime.

Since its inception, the Computer Fraud and Abuse Act has weathered changing technology and the development of the Internet. However, computer crime is once again on the rise, and only a fraction of victims report these crimes. Subsequent court proceedings and legislation such as the Compute Abuse Amendments Act of 1994 have provided specific wording criminalizing the promulgation of computer viruses and other damaging code.

Wikipedia: Computer Fraud and Abuse Act
Top
Home > Library > Miscellaneous > Wikipedia
Wiki letter w.svg
 Please help improve this article by expanding it. Further information might be found on the talk page. (December 2008)

The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1984 intended to reduce cracking of computer systems and to address federal computer-related offenses. The Computer Fraud and Abuse Act (codified as 18 U.S.C. § 1030 governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or computers used in interstate and foreign commerce. It was amended in 1986, 1994, 1996, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft Enforcement and Restitution Act. Subsection (b) of the act punishes anyone who not just commits or attempts to commit an offense under the Computer Fraud and Abuse Act but also those who conspire to do so.

The CFAA has specifically defined “protected computers” under 18 U.S.C. § 1030(e)(2) to mean a computer:

  • exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
  • which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

Contents

Evolution of the act

PATRIOT Act

The USA PATRIOT Act increased the scope and penalties of this act by:

  • Raising the maximum penalty for violations to 10 years (from 5) for a first offense and 20 years (from 10) for a second offense;
  • Ensuring that violators only need to intend to cause damage generally, not intend to cause damage or other specified harm over the $5,000 statutory damage threshold;
  • Allowing aggregation of damages to different computers over a year to reach the $5,000 threshold;
  • Enhancing punishment for violations involving any (not just $5,000) damage to a government computer involved in criminal justice or the military;
  • Including damage to foreign computers involved in US interstate commerce;
  • Including state law offenses as priors for sentencing; and
  • Expanding the definition of loss to expressly include time spent investigating and responding (this is why it is important for damage assessment and for restoration)

Identity Theft Enforcement and Restitution Act

The Identity Theft Enforcement and Restitution Act enhanced the jurisdiction of the Computer Fraud and Abuse Act by:

  • Eliminating the requirement in 18 U.S.C. § 1030(a)(5) that the defendant’s action must result in a loss exceeding $5,000;
  • Adding a provision to 18 U.S.C. § 1030(c)(4) that makes it a felony to cause damage to ten or more computers;
  • Expanding jurisdiction for cases involving theft of information from computers by eliminating the requirement that information must have been stolen through an interstate or foreign communication;
  • Enhancing prosecution for extortion related to computers by expanding 18 U.S.C. § 1030(a)(7) to criminalize not only explicit threats to cause damage to a computer, but also threats (1) to steal data on a victim’s computer, (2) to publicly disclose stolen data, or (3) to not repair damage the offender already caused to the computer;
  • Amending 18 U.S.C. § 3663(b) to make clear that restitution orders for identity theft cases may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense;
  • Creating a criminal offense for conspiring to commit a computer hacking offense under 18 U.S.C. § 1030;
  • Broadening the definition of "protected computer" in 18 U.S.C. § 1030(e)(2)(b) to the full extent of Congress' commerce power by including those computers used in or affecting interstate or foreign commerce or communication;
  • Providing a mechanism for forfeiture of property used in or derived from violations of 18 U.S.C. § 1030.[1][2]

Criminal Offenses Under The Computer Fraud and Abuse Act

  1. Knowingly accessing a computer without authorization in order to obtain national security data
  2. Intentionally accessing a computer without authorization to obtain:
    • Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer.
    • Information from any department or agency of the United States
    • Information from any protected computer if the conduct involves an interstate or foreign communication
  3. Intentionally accessing without authorization a government computer and affecting the use of the government's operation of the computer.
  4. Knowingly accessing a protected computer with the intent to defraud and there by obtaining anything of value.
  5. Knowingly causing the transmission of a program, information, code, or command that causes damage or intentionally accessing a computer without authorization, and as a result of such conduct, causes damage that results in:
    • Loss to one or more persons during any one-year period aggregating at least $5,000 in value.
    • The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
    • Physical injury to any person.
    • A threat to public health or safety.
    • Damage affecting a government computer system
  6. Knowingly and with the intent to defraud, trafficking in a password or similar information through which a computer may be accessed without authorization.

Decisions referring to this act

  • Theofel v. Farey Jones, 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit). Using a civil subpoena which is “patently unlawful”, “bad faith” and “at least gross negligence” to gain access to stored email is a breach of this act and the Stored Communications Act.[3]

References

  1. ^ http://www.govtrack.us/congress/billtext.xpd?bill=h110-5938
  2. ^ http://www.usdoj.gov/criminal/cybercrime/ccmanual/01ccma.html
  3. ^ [1]

See also

External links


This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)

 
 

 

Copyrights:

Computer Desktop Encyclopedia. THIS COPYRIGHTED DEFINITION IS FOR PERSONAL USE ONLY.
All other reproduction is strictly prohibited without permission from the publisher.
© 1981-2009 Computer Language Company Inc.  All rights reserved.  Read more
Intelligence Encyclopedia. Encyclopedia of Espionage, Intelligence, and Security. Copyright © 2004 by The Gale Group, Inc. All rights reserved.  Read more
Wikipedia. This article is licensed under the Creative Commons Attribution/Share-Alike License. It uses material from the Wikipedia article "Computer Fraud and Abuse Act" Read more