The Computer Fraud and Abuse Act: Van Buren

Explore the implications of the Computer Fraud and Abuse Act through the lenses of Van Buren, Sloan, and Warner. Understand the legal framework, challenges, and applications of this significant legislation in the digital age.

• Computer law
• Cybersecurity
• Digital legislation
• Legal perspectives

agab Follow

Uploaded on Mar 03, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

Presentation Transcript

1. The Computer Fraud and Abuse Act: Van Buren Robert H. Sloan Richard Warner

2. Information relevant to national security? Yes No Obtaining information? Without authorization 1030(a)(1) Yes No 1030(a)(3) 1030(a)(2) Governmental computer? Yes No 1030(a)(3) Without or exceeds authorization Intent to defraud? Yes No 1030(a)(4) Intentionally & causing damage? Yes No 1030(a)(5)(A) Recklessly & causing damage? Yes No Causing damage? Yes 1030(a)(5)(B) No 1030(a)(5)(C) A bit more

3. Before Van Buren Exceeds authorization = only: 1 Have some amount of permission to access a computer; 2. the computer contains information that the individual is not entitled to obtain or alter, either in a certain manner or at all; 3. the individual accesses the machine to obtain or alter information in a prohibited manner. Without authorization = accessing a computer without permission to access any information on that computer. For: 9th, 2nd, 3rd, 4th. Opposed: 1st, 5th, 7th, and 11th.

4. Shurgard v. Safegard Shurgard claims: (1) Safegard was trying to hire away key Shurgard employees in order to obtain trade secrets. (2) some of these employees, while still working for Shurgard, used its computers to send trade secrets to Safegard via e- mail. Our question: Does (2) violate the CFAA under 1030(a)(C)(2)? Criminal and civil liability for whoever (a) intentionally accesses a computer (b) without authorization . . , and (c) thereby obtains ... information from any protected computer.

5. Unauthorized? The Shurgard employees had been authorized by Shurgard to access the information. So how is their access unauthorized? The court treats the employees as agents accessing data on behalf of their employer. Agent = someone authorized to act on behalf of another (the principal). Agents lose their authority when without knowledge of the principal, they acquires adverse interests or if they are otherwise guilty of a serious breach of loyalty to the principal. Restatement (Second) of Agency 112 (1958). The court concludes that the employees lost their authority when they switched their loyalty to Safegard.

6. The Cite to Morris See United States v. Morris, 928 F.2d 504, 510 (2d Cir.1991) (holding that a computer user, with authorized access to a computer and its programs, was without authorization when he used the programs in an unauthorized way).

7. Exceeding AuthorizationTwo Views You exceed authorized access if you (1) obtain or alter information in a prohibited manner, or, (2) having obtained in a permitted manner, you use it for an improper purpose.

8. What Van Buren Holds Van Burenlimits exceeds authorized access to cases in which one is authorized to access certain areas of a computer or network files, folders, databases, for example but then accesses areas to which that authorization does not extend. So the extent of authorization is determined by the areas one is granted permission to access.

9. Why It Holds That The Court thinks that is what this provision means: 1030e(6): the term exceeds authorized access means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter. Other courts have found the provision ambiguous between access in a certain manner, and Access in a certain manner or for a certain purpose.

10. Consequences Expands scope beyond computer hacking. (1) Excess power: a website would be free to revoke authorization with respect to any person, at any time, for any reason, and invoke the CFAA for enforcement, potentially subjecting an Internet user to criminal, as well as civil, liability. (2) Anticompetitive effects: Companies could prevent competitors or consumer groups from visiting their websites to learn about their products or analyze pricing. (3) Stifle state experimentation: A broad reading of the CFAA could stifle the dynamic evolution and incremental development of state and local laws addressing the delicate balance between open access to information and privacy all in the name of a federal statute enacted in 1984 before the advent of the World Wide Web.

11. DIRECTIVE 2013/40/EU on attacks against information systems Article 3 Illegal access to information systems when committed intentionally, the access without right, to . . . an information system, is punishable as a criminal offence . . . at least for cases which are not minor. Compare 18 U.S.C. 1030(a)(2)(C). Article 4 Illegal system interference ensure that seriously hindering or interrupting the functioning of an information system by inputting computer data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible, intentionally and without right, is punishable as a criminal offence, at least for cases which are not minor. Same under the CFAA

12. DIRECTIVE 2013/40/EU on attacks against information systems Article 5 Illegal data interference ensure that deleting, damaging, deteriorating, altering or suppressing computer data on an information system, or rendering such data inaccessible, intentionally and without right, is punishable as a criminal offence, at least for cases which are not minor. Same under the CFAA. Article 6 Illegal interception to ensure that intercepting, by technical means, non-public transmissions of computer data to, from or within an information system, including electromagnetic emissions from an information system carrying such computer data, intentionally and without right, is punishable as a criminal offence, at least for cases which are not minor. Same under the CFAA.