In this week’s class, we spoke John Draper, aka Captain Crunch. The guest speakers are interesting, but as far as I can tell, don’t line up with the course material. Unfortunately, I do not have a list of our upcoming guest speakers.
I can, however, present you with the reading for the week:
1.Computer Fraud and Abuse Act
1.2. CFAA: What is “access”?
1.2.1. U.S. v. Czubinski, 106 F.3d 1069 (1st Cir. 1997)
1.2.2. State v. Allen, 917 P.2d 848, 260 Kan. 107 (Kan. 1996)
1.3. CFAA: What is “unauthorized access”?
1.3.1. Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000)
1.3.2. Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000)
1.3.3. EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001)
1.3.4. Condux Intern., Inc. v. Haugum, 2008 WL 5244818 (D. Minn. 2008)
We spend three weeks on the CFAA, so if you want a complete overview of the statute, you are going to have to wait or go to another source. The EFF has a complete section of CFAA Reform. Considering they want to reform the law, you can see what they think of it, at least as a broad level. For a different view, you can check out the US Justice Department’s manuals on prosecuting computer and intellectual property crimes.
While the private contract law leading to criminal sanctions part of the CFAA clearly can cause problems, at least at answering the question of “access” courts seem to do a pretty decent job.
- browsing is not access.
- sitting at a login screen and not attempting to login is not access
The browsing principle is not quite as simple as I state above. While my professor stated that principle in class, the case he uses to say that doesn’t really seem to say exactly that. He knows much more than me, so I assume there are other cases out there. What U.S. v. Czubinski says is that browsing is not a thing of value. This, as I read the cases, is a slightly different inquiry than whether there is access.
The part of the CFAA in question is known as 18 USC § 1030(a)(4) and it reads:
Whoever…knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
Despite the copious pages spilled in regards to cases, they almost always seem to me to really boil down to one thing. Here its that “No evidence suggests that he printed out, recorded, or used the information he browsed.” It is worth noting that the 2nd Circuit (New York and surrounding areas) declined to follow Czubinski in U.S. v. Rybicki and 7 other courts have distinguished cases from Czubinski, so this may not be quite as cut and dry as it is being presented early in the semester.
That said, whether it is “access” or “value” that is truly at issue, it should be comforting that there is occasionally some sanity in the law.
In the coming days, perhaps tomorrow, we are going to have a piece on the world’s loss of Aaron Swartz (I know, we are late to the wake). Considering the CFAA was at issue in Aaron’s case, I leave all the prosecutors and would-be prosecutors out there with this admonition from the First Circuit:
We add a cautionary note. The broad language of the mail and wire fraud statutes are both their blessing and their curse. They can address new forms of serious crime that fail to fall within more specific legislation. On the other hand, they might be used to prosecute kinds of behavior that, albeit offensive to the morals or aesthetics of federal prosecutors, cannot reasonably be expected by the instigators to form the basis of a federal felony. The case at bar falls within the latter category. Also discomforting is the prosecution’s insistence, before trial, on the admission of inflammatory evidence regarding the defendant’s membership in white supremacist groups purportedly as a means to prove a scheme to defraud, when, on appeal, it argues that unauthorized access in itself is a sufficient ground for conviction on all counts. Finally, we caution that the wire fraud statute must not serve as a vehicle for prosecuting only those citizens whose views run against the tide, no matter how incorrect or uncivilized such views are. (emphasis added, citations omitted)
