150 likes | 290 Views
Spam and The Computer Fraud and Abuse Act. Richard Warner. Liability under the CFAA.
E N D
Spam and The Computer Fraud and Abuse Act Richard Warner
Liability under the CFAA • 1030(a)(2)(C) imposes liability on whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication.” • Computers used in “interstate or foreign commerce or communication” are “protected.” 1030(e)(2).
Liability under the CFAA • 1030(a)(5) imposes liability on anyone who • (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; • (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or • (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.
Liability Under The CFAA • 1030(g): “Any person who suffers damage or loss by reason of a violation of the section, may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”
Damage Defined • 1030 (e)(8): the term "damage" means any impairment to the integrity or availability of data, a program, a system, or information, that-- • (A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals; • (B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals; • (C) causes physical injury to any person; or • (D) threatens public health or safety
Spam and The CFAA • Sending spam can violate the Computer Fraud and Act, 1030 (a)(2)(C) and (a)(5)(C). • See AOL v. LCGM. • One remaining issue: What intent is required under 1030(a)(5) ?
1030(a)(5) • 1030(a)(5) imposes liability on anyone who • (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; • (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or • (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.
United States v. Morris • Morris was a Cornell university computer science doctoral student. • He released a worm over the Internet. • A worm is a self-replicating computer program designed to spread over the Internet without any further human interaction with the program once it is released.
Purpose of the Morris Worm • Morris did not intend his worm to cause any harm. • As the court notes, “The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that Morris had discovered. The tactic he selected was release of a worm into network computers.”
The Design of the Worm • Morris designed the worm to copy itself from Internet system to Internet system; however, before it copied itself, the worm first asked the computer if it already had a copy of the worm. • Point: multiple copies would slow the computer down and make the computer owner aware of the worm’s presence. • Morris wanted to show that the worm could spread undetected.
The Design of the Worm • The worm did not copy itself if it got a “yes” answer. • However, Morris also worried that system owners who became aware of the worm would stop its spread by programming their computers to answer “yes.” • So he programmed the worm to copy itself every seventh time it received a “yes” from the same computer.
The Error • Morris greatly underestimated the number of times a computer would be asked if it had the worm. • The worm spread with great rapidity over the Internet causing computer slowdowns and shutdowns and imposing on system owners the cost of removing the worm.
Computer Fraud and Abuse Act • Morris was prosecuted criminally under the Computer Fraud and Abuse Act. • Section 2(d) punishes anyone who intentionally accesses [computers] without authorization . . . and damages or prevents authorized use of information in those computers, causing loss of $1,000 or more.
The Issues • The court: “The issues raised are (1) whether the Government must prove not only that the defendant intended to access a federal interest computer, but also that the defendant intended to prevent authorized use of the computer's information and thereby cause loss; and (2) what satisfies the statutory requirement of ‘access without authorization.’”
The Ruling • The court holds that the only intent required is the intent to access the system. • The authorization issue: Morris was authorized to use—in certain ways--the computers he initially accessed. He exceeded his authorized access. Is this enough to make his access unauthorized? • The court answers that it is.