Computer Fraud and Abuse Act (CFAA) Prosecutions

1. Overview of the Computer Fraud and Abuse Act (CFAA)

The CFAA, codified at 18 U.S.C. § 1030, is a U.S. federal statute originally enacted in 1986 to combat hacking and computer-based fraud. Over time, it has been amended several times to cover broader forms of unauthorized access and computer misuse.

Key Provisions of the CFAA

Unauthorized access to computers

Section 1030(a)(2): Accessing a computer without authorization or exceeding authorized access to obtain information.

Typical cases: hacking into corporate or government systems, stealing trade secrets or personal data.

Fraud and related activity

Section 1030(a)(4): Knowingly executing a scheme to defraud that involves a protected computer.

Damage to computers

Section 1030(a)(5): Intentionally causing damage to a protected computer (e.g., malware, ransomware, DDoS attacks).

Trafficking in passwords or access

Section 1030(a)(6): Trafficking in passwords or access credentials to facilitate computer fraud.

Threats / extortion using computers

Section 1030(a)(7): Threatening to damage a computer to extort money or something of value.

Protected computers: This includes computers used in or affecting interstate or foreign commerce, essentially covering almost all internet-connected computers in the U.S.

Penalties: Fines and imprisonment (from 1 year to 20 years or more for repeated or severe offenses).

2. Key CFAA Prosecutions and Case Law

Case 1: United States v. Aaron Swartz (2011–2013)

Facts:

Aaron Swartz, a prominent internet activist, downloaded millions of academic articles from JSTOR using MIT’s network by circumventing computer access controls.

Prosecutors argued this constituted “unauthorized access” under the CFAA.

Legal Issues:

Did Swartz “exceed authorized access” when he used JSTOR credentials in a way the platform did not intend?

Scope of CFAA: Does violating terms of service count as “exceeding authorized access”?

Outcome:

Prosecutors initially charged Swartz with multiple felony counts, potentially carrying up to 35 years in prison.

Swartz committed suicide before the case was resolved.

Significance: Sparked a national debate about the CFAA’s overbreadth and whether terms-of-service violations should be criminalized.

Legal principle: Courts later interpreted “exceeding authorized access” narrowly in cases such as Van Buren v. United States (2021).

Case 2: United States v. Nosal (2012–2016)

Facts:

David Nosal, a former employee of a recruiting firm, recruited friends to use current employees’ login credentials to access company databases and steal client lists for a new business.

Legal Issues:

Did using an authorized employee’s credentials for unauthorized purposes violate the CFAA?

Difference between “unauthorized access” and “exceeding authorized access.”

Outcome:

The Ninth Circuit held that employees who are authorized to access a computer but use that access for improper purposes do not violate the CFAA.

Nosal was eventually convicted of conspiracy and theft, but the ruling narrowed the scope of the CFAA for employees.

Significance:

Defined limits on employer misuse of CFAA claims against employees.

Prevented CFAA from criminalizing simple policy or terms-of-use violations by employees.

Case 3: United States v. Morris (1989) – The Morris Worm Case

Facts:

Robert Tappan Morris created a self-replicating worm that infected approximately 6,000 computers connected to the Internet, causing significant damage.

Legal Issues:

Did the worm constitute “unauthorized access” and “damage” under the CFAA?

Outcome:

Morris was convicted under the CFAA and sentenced to 3 years' probation, 400 hours of community service, and a fine of $10,050.

Significance:

First criminal conviction under the CFAA.

Established precedent for computer worms, malware, and accidental spread being prosecuted as CFAA violations.

Case 4: United States v. Lori Drew (2009) – Cyberbullying / Emotional Distress

Facts:

Lori Drew created a fake MySpace account to harass a teenager who later committed suicide.

Prosecutors attempted to use the CFAA to charge Drew for violating MySpace’s terms of service.

Legal Issues:

Does violating website terms of service amount to “unauthorized access”?

Outcome:

The jury convicted Drew on minor CFAA charges, but the conviction was later overturned by the appellate court, which stated that using the CFAA for terms-of-service violations was too broad.

Significance:

Reinforced that the CFAA should not criminalize ordinary internet activity unless it involves hacking or bypassing security measures.

Case 5: United States v. Van Buren (2021)

Facts:

Nathan Van Buren, a Georgia police officer, accepted money to look up a license plate in a law enforcement database for personal purposes.

Legal Issue:

Whether an employee who has authorized access but uses it for an improper purpose violates the CFAA’s “exceeds authorized access” provision.

Outcome:

The Supreme Court ruled 6–3 that exceeding authorized access does not cover employees who misuse information they are otherwise allowed to access.

Significance:

Narrowed the CFAA’s application, protecting employees and users from criminal liability for violating workplace policies or terms of service.

Case 6: United States v. Levandowski (2017) – Theft of Trade Secrets

Facts:

Anthony Levandowski, a former Google engineer, downloaded thousands of confidential files related to autonomous vehicle technology before leaving to start his own company (Uber subsidiary).

Legal Issues:

Charged under CFAA for theft of trade secrets and unauthorized access to Google’s systems.

Outcome:

Pleaded guilty to one count of trade secret theft; sentenced to 18 months in prison.

Significance:

Showed CFAA’s application in corporate espionage and theft of proprietary data.

Demonstrated that downloading confidential information for competitive advantage can lead to severe federal penalties.

3. Key Takeaways from CFAA Prosecutions

Scope of “Unauthorized Access”

Courts distinguish between hacking (circumventing passwords or security measures) and mere misuse of authorized access.

Van Buren and Nosal narrowed CFAA scope, making it harder to prosecute employees for policy violations.

Fraud and Theft Under CFAA

CFAA prosecutions often involve financial or proprietary gain (Levandowski, Morris).

Cybersecurity & Malware

Malware, worms, ransomware, and DDoS attacks are classic CFAA violations (Morris case).

Terms-of-Service Issues Are Risky

Courts generally reject CFAA claims based solely on ToS violations (Drew, Van Buren).

Severe Penalties

Convictions under the CFAA can carry years of imprisonment, significant fines, and forfeiture of assets if fraud or damage occurs.

4. Conclusion

The CFAA has been central to U.S. federal cybercrime prosecutions for decades. Key points:

Early cases: Morris established criminal liability for malware and worms.

Employee misuse: Nosal and Van Buren limited CFAA liability for internal misuse.

High-profile theft/fraud cases: Swartz and Levandowski illustrate both the potential overreach and legitimate enforcement applications.

Policy debates: Many argue the CFAA is overbroad, especially regarding terms-of-service violations.

The CFAA remains one of the most important tools in the federal arsenal against hacking, cyber fraud, and computer-related theft — but courts have increasingly refined its scope to prevent abuse.
