One of the most common and rapidly growing forms of computer crimes is computer fraud. Computer fraud – also referred to as internet fraud – is the use of information technology to commit fraud. It is the crime of using electronic resources to present fraudulent or misrepresented information as a means of deception. According to the Department of Justice, it can include “any type of fraud scheme that uses one or more components of the Internet-such as chat rooms, e-mail, message boards, or Web sites to present fraudulent transactions, or to transmit the proceeds of fraud to financial institutions or to others connected with the scheme.” Computer fraud can take a variety of different forms.

In the United States, computer fraud is primarily proscribed by the Federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, though a number of other laws are applicable in certain situations. The Federal Computer Fraud and Abuse Act protects federal computers, bank computers and any computer involved in interstate commerce.

Substantively, the CFAA essentially states that whoever intentionally accesses a protected computer without authorization or exceeds authorized access, and thereby obtains information shall be punished under the Act. Subsection 1030(b) makes it a crime to attempt or conspire to commit any of these offenses. Subsection 1030(c) outlines the penalties for committing them. These penalties can range from imprisonment for not more than a year for simple cyberspace trespassing to a maximum of life imprisonment when death results from intentional computer damage.

While the CFAA is primarily a criminal law intended to reduce the instances of malicious interferences with computer systems and to address federal computer offenses, an amendment in 1994 allows civil actions to brought under the statute, as well. This civil cause of action for the victims of these crimes is located in Subsection 1030(g) of the act.

While there are a number of chapters in the CFAA, probably the most important and commonly used chapter in the CFAA is 18 U.S.C. 1030(a)(4). The chapter reads,

(a) Whoever … (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period … shall be punished as provided in subsection (c) of this section.

Broken down, the elements consist of:

  • knowingly and with intent to defraud;
  • accessing a protected computer without authorization, or exceeding authorization;
  • thereby furthering a fraud and obtaining anything of value (other than a minimal amount of computer time, i.e., more than $5,000 over the course of a year).

Unauthorized Access

For the most part, courts have been unable to agree on the meaning of “without authorization” or “exceeds authorized access” as used in paragraph 1030(a)(2) and the other paragraphs of 18 U.S.C. 1030, even though the statute supplies a specific definition of the term “exceeds authorized access.” Some courts have applied the terms to access by authorized employees who use their access in any unauthorized manner or for unauthorized purposes and to outsiders who have been granted access subject to explicit reservations. Others have concluded that “a person who ‘intentionally accesses a computer without authorization’ §§1030(a)(2) and (4), accesses a computer without any permission at all, while a person who ‘exceeds authorized access,’ id., has permission to access the computer, but accesses information on the computer that the person is not entitled to access.” One court concluded that the conscious breach of MySpace’s terms of service could “potentially constitute accessing the MySpace computer/server without authorization and/or in excess of authorization.” The court, however, went on to find the section unconstitutionally vague under such a construction, “if any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law ‘that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].’”

The federal computer fraud and abuse statute, 18 U.S.C. 1030 is not intended to be a comprehensive statute. Instead, it fills gaps in protection provided by other state and federal criminal laws. It has been amended and supplemented repeatedly over the last three decades to bolster the uncertain coverage of the more general federal trespassing, threat, malicious mischief, fraud and espionage statutes. There are other laws that address the subject of crime and computers. The Computer Fraud and Abuse Act deals with computers as victims; other laws deal with computers as arenas for crime or as repositories of the evidence of crime or from some other perspective. These other laws—laws relating to identity theft generally, obscenity, pornography, gambling, inter alia—are beyond the scope of this report.

Protected Computer

Paragraph 1030(a)(4) outlaws fraud against “protected computers,” that is, computers used in or affecting interstate or foreign commerce, those used by or for “the United States Government,” or those used by or for a financial institution.

Originally “protected computers” were computers from financial institutions and the government. Gradually this definition has been expanded to include all networked computers, inside the U.S. or outside. 18 U.S.C. § 1030(e)(2)(B). See US v Trotter, No 05-4202 (8th Cir. Feb. 23, 2007) (ruling that Salvation Army’s computers are protected computers as they are engaged in interstate communications connected to the Internet). Thus, in the highly networked modern world, most computers are considered to be “affecting interstate commerce” for the purposes of the CFAA.

Conclusion

The CFAA is the main federal law protecting against computer crimes, but it is not the only law utilized. In some instances other general federal laws are a more successful method of prosecuting these crimes.

Resources:


Contact an attorney in this area