CFAA – Computer Fraud and Abuse Act

View Github Repository Open presentation in a new window

artfuldodger

See all presentation from artfuldodger

CFAA – Computer Fraud and Abuse Act

0 0

cfaa-presentation

Presentation about the Computer Fraud and Abuse Act

On Github artfuldodger / cfaa-presentation

CFAA

Computer Fraud and Abuse Act

What is it?

“Section 1030 of Title 18 of the United States Code”. Title 18 of the US Code is what defines federal crimes and criminal procedure. It's in chapter 47, which deals with, appropriately enough, fraud.

Before the Internet was omnipresent in the workplace; very limited presence in the home.

Violations

intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— … information from any protected computer

Violations

Whoever conspires to commit or attempts to commit an offense

Does that cover port scanning?

Investigation Authority

The Secret Service

Plus the FBI and whoever else is interested.

“The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section.”

"Protected Computer"

Pretty much every computer connected to the Internet

“'protected computer' means a computer … which is used in or affecting interstate or foreign commerce or communication”

What's a computer?

If it can connect to Internet, it probably counts.

“the term “computer” means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”

Noteworthy Cases

  • United States v. Lori Drew, 2008
  • United States v. Bradley Manning, 2010-
  • United States v. Aaron Swartz, 2011

Lori Drew - Cyber bullying. Judge decided that convicting as an offense under the CFAA due to violating MySpace's terms of use would make it too broad. Hooray. This was by a District Judge, however. Don't believe this has been decided by the Supreme Court yet.

Bradley Manning - Leaked cables to Wikileaks

Aaron Swartz

  • Reddit developer
  • On working group of RSS 1.0 spec when he was 14
  • Helped defeat SOPA/PIPA (founded Demand Progress)

Aaron Swartz

Set up a laptop in an MIT wiring closet to download articles from JSTOR

JSTOR has publicly funded academic articles that aren't publicly available.

Punishment?

AARON SWARTZ, 24, was charged in an indictment with wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer. If convicted on these charges, SWARTZ faces up to 35 years in prison, to be followed by three years of supervised release, restitution, forfeiture and a fine of up to $1 million. Department of Justice press release

Aaron Swartz hanged himself on January 11th.

I believe that Aaron’s death was caused by a criminal justice system that prioritizes power over mercy, vengeance over justice; a system that punishes innocent people for trying to prove their innocence instead of accepting plea deals that mark them as criminals in perpetuity; a system where incentives and power structures align for prosecutors to destroy the life of an innovator like Aaron in the pursuit of their own ambitions. Taren Kate Stinebrickner-Kauffman
I know that there is little I can say to abate the anger felt by those who believe that this office’s prosecution of Mr. Swartz was unwarranted and somehow led to the tragic result of him taking his own life. I must, however, make clear that this office’s conduct was appropriate in bringing and handling this case. The career prosecutors handling this matter took on the difficult task of enforcing a law they had taken an oath to uphold, and did so reasonably. Carmen Ortez, the US attorney in Massachusetts
How do we explain to a young person who hacked their school’s website that they might be imprisoned for five years? Yet if they had physically destroyed the web server with a hammer, they would have faced no more than one year. We Need to Think Beyond the Aaron in ‘Aaron’s Law’

Aaron's Law

How cool is it to see congresspeople and senators actually talking directly with the Internet community about this stuff? Lawrence Lessig chimes in. Neat.

EFF on Aaron's Law

EFF believes that any reform to the computer crime laws must have three crucial elements:

Computer users must not face criminal liability for violating private agreements, policies, or duties. If a computer user is allowed to access information, simply doing it in an innovative way must not be a crime. Penalties need to be proportionate to computer crime offenses.

Source: Aaron's Law 2.0: Major Steps Forward, More Work to Be Done

Rep. Jared Polis

  • The charges were ridiculous and trumped-up
  • Aaron was a martyr

Source: Lawmakers slam DOJ prosecution of Swartz as 'ridiculous, absurd'

Other on-going cases

  • Weev (Andrew Auernheimer)
  • Barrett Brown
  • Bradley Manning

Weev - Utilized a public web service on AT&T's server to get iPad user's e-mail addresses

Barrett Brown (a journalist and self-appointed spokesman of Anonymous) - in addition to doing stupid shit like threatening an FBI agent on video, he's charged with sharing a link in IRC. The link was to a document with stolen credit card information.

Bradley Manning - leaked information to Wikileaks. Also charged under the Espionage Act. Faces life in prison. Most serious charge is "aiding the enemy," which is a capital offense.

Questions?