2 min read

The Computer Fraud and Abuse Act (CFAA)

From an article about the court case against weev (yes he’s a creep, but he still has rights) is an apt, consise definition of the Computer Fraud and Abuse Act (CFAA) and how it’s being used/abused today.

“… the CFAA, a law passed 30 years ago before every home — indeed, every person’s pocket or purse — held a computer. The CFAA is an anti-hacking statute that makes it a crime to obtain information from a computer “without authorization.” Since lawmakers never spelled out exactly what they meant by that, prosecutors have, over the years, stretched the law to encompass all sorts of harmless activities. Violate a website’s terms of service by lying about your identity, for example, and you could be charged under the Act. Same goes for misusing your employer’s computer at work.”

While Wikipedia points out that, “The Act has been amended a number of times—in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act”, it’s important to undstand that:

The only computers, in theory, covered by the CFAA are defined as “protected computers”. They are defined under section 18 U.S.C. § 1030(e)(2) to mean a computer:

  • exclusively for the use of a financial institution or the United States Government, or any computer, when the conduct constituting the offense affects the computer’s use by or for the financial institution or the Government; or
  • which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States…

In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the inter-state nature of most internet communication.

Simply stated, this is a law that could ensnare anyone that is online that’s ever fudged their birthdate, or mis-represented themselves when signing up for something simply because they don’t want to get more spam - or perhaps if they (shutter) want to protect their privacy. Really, the CFAA is something that needs to be overturned/updated for today’s computer usage.