A hacker’s perspective on the computer fraud and abuse act


Let’s say you work in an office for a company and decide, for whatever reason, to access the computer system of a coworker without being given permission. Regardless of the intent, if you know you are unauthorized to access it, you may find yourself ostensibly violating the Computer Fraud and Abuse Act (CFAA), at least according to an overzealous judge.

I had my own run-in with the CFAA when I was 25, but I had it coming. However, its broad interpretation in my hacking case, which led to my conviction on two counts under the CFAA for installing 'malicious code' on computer systems at a private clinic, including an industrial control system used for climate control, sent the media into hysterics.

When you think of ‘malicious code,’ what’s the first thing that comes to mind? If you guessed malware, you’re correct. Contrary to virtually every media article covering my case, I was never formally accused of installing malware on this industrial control system. That involved a completely different computer system within the same building.


However, whether it was malware or commercial remote access software doesn’t matter. That’s because the CFAA interprets concepts like “malware” and commercial remote access software like LogMeIn as being one and the same when the intent is to gain unauthorized access. However, the media and the general public do not know this.


While I should have been charged with one count of “malicious code” and two counts of “unauthorized access” to a protected computer system, interpreting the CFAA can be as volatile as interpreting the meaning behind religious texts.

You see, the CFAA has undergone a series of amendments since its inception in 1986, with its most recent amendment in 2008. The dynamic between users and unauthorized access continues to evolve and assume different forms, although earlier iterations demonstrated a limited understanding of how technology would change as time went on.

It was created by lawmakers, not IT people. The scope was designed to prevent various forms of computer hacking by protecting digital information from intentional unauthorized access. The problem is the ambiguous nature of the CFAA has long been a subject of legal discussions due to its vague language.

This has given the court of law unrealistic flexibility to interpret terms like “unauthorized access” and “exceeding authorized access,” which has led to inconsistent rulings and potential criminalization of everyday digital activities, such as minor policy violations of personal use of work systems.

Criminalizing journalism

We don’t have to look too far to see just how the CFAA can be used to overstep legal thresholds. In fact, the notorious cases of Aaron Swartz and independent journalist Barrett Brown are often the first cases that come to mind. While these cases are in common discussions revolving around the scope of the CFAA, I wanted to share some others that paint a picture of how contradictory and confusing the CFAA actually is.


Predicting how a case will be interpreted under the CFAA is like trying to catch a bouncing football: you never know which way it’s going to bounce.

In the case of Barrett Brown, he did what most security journalists do: obtain evidence of data leaks with the intent to publish them for public information transparency. When the data within a breach has been dumped into the public domain, it is historically common to report on it.

The 2011 data breach of government contractor HBGary, carried out by the hacktivist group LulzSec, produced a trove of emails. As the story continues, Brown used crowdsourcing to analyze and review the data and emails taken from an additional government contractor, Stratfor.

It’s curious to note that those records consisted of millions of emails detailing opportunities to commit secret criminal actions like assassinations and attempts to overthrow journalists, political parties, and foreign leaders. Rather than the courts issuing arrest warrants to apprehend these treasonous actors, Brown did not receive a Nobel Peace Prize; instead, he was promptly arrested.

In what seemed like a personal reprisal, Brown’s own prosecutor, Assistant US Attorney Candina Sharon Heath, pushed the court to hand down the absolute maximum sentence possible, a draconian 105-year prison sentence, despite Brown's relatively minor role in the actual hacking itself. Although she managed to evade prosecutorial misconduct charges, Brown was sentenced in 2015 to 63 months.

The CFAA is all over the place

Let’s go down this rabbit hole together. In the case of United States v. Drew (2008), Lori Drew, a 49-year-old woman from Dardenne Prairie, Missouri, was charged under the CFAA for creating a fictitious MySpace account to harass a teenage girl, which eventually contributed to the girl taking her own life.

Criminal charges were filed against Lori Drew for violating the terms of service (ToS) of MySpace.

Read that again.


Although Drew was originally convicted of a misdemeanor under the CFAA, the court ultimately dismissed the conviction, reasoning that criminalizing ToS violations went beyond the scope of the CFAA by making it overly broad and would set a dangerous precedent by criminalizing everyday internet behavior.

Since Drew couldn’t be retried under existing harassment and stalking laws without it being classified as Double Jeopardy, which means you cannot be charged for the same crime twice, that was the end of the matter.

Exceeding access interpretations contradict

A common way employees find themselves on the receiving end of the CFAA is by exceeding their authorized access, such as by using their authorized access to company resources for personal use.

For example, in the United States v. Rodriguez (2010) case, Roberto Rodriguez, who worked for the Social Security Administration, accessed the SSA database to inquire about the personal information of women he was romantically interested in.

He was convicted under the CFAA for exceeding authorized access, and the 11th Circuit upheld the conviction because it interpreted the violations of agency policy as exceeding authorized access under the CFAA.

Conversely, in the case of United States v. Nosal (2012), a former employee accessed the company’s database using credentials given to him by colleagues to help develop a rival business. Although the employees violated company policies by sharing their passwords, the 9th Circuit court ruled that the CFAA does not criminalize violations of a company’s local policies.

It gets even more convoluted the more you compare different court rulings from various circuits. To drive this point home, if we take a look at the infamous United States v. Valle (2015) “Cannibal Cop” case, you will see that there is seemingly no standard for determining whether these cases fall under the CFAA or should be tried under other existing laws.

Gilberto Valle was a New York City police officer who used his access to a law enforcement database to look up personal information about women he fantasized about kidnapping and harming. Initially, he was charged with violating the CFAA for accessing the database for personal use.

However, the 2nd Circuit dropped the conviction, ruling that misuse of access does not equate to unauthorized access under the CFAA since he had authorized access to the system. Furthermore, he was not retried on the most serious charges because he did not meet the criteria for criminal conspiracy or kidnapping charges since they involved online speech and fantasy and lacked evidence of intent.


Even though the court found his online speech dark and disturbing, there was no proof of a plan to act on it in real life. However, this case raised significant questions about how laws like the CFAA should apply to cases involving a person’s behavior and fantasies in contrast to actual criminal intent.

The fact is, while discussions have been going on for decades, nobody seems to really want to put a panel together of IT professionals and lawmakers to offer an answer to what a computer crime is and what it is not.

Until then, judges will continue to rely on their own understanding—or lack thereof—regarding the complicated nature of technology and, most importantly, what constitutes a computer crime since the interpretation remains vague and undefinable by aging judges out of touch with today’s technology.