The term “cybercrime” covers a vast array of acts involving computers and other technologies. The difficulty in defining “cybercrime” can occasionally lead to prosecutions for activities that might not seem particularly criminal but that arguably fit within a statute’s definition of prohibited conduct. The federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, has been a subject of criticism as prosecutors use it in creative ways to pursue alleged cybercriminals. In one recent case, prosecutors charged a former newspaper employee under the CFAA for giving unauthorized access to newspaper servers. He was convicted and sentenced to two years in prison. United States v. Keys, No. 2:13-cr-00082, superseding indictment (E.D. Cal., Dec. 4, 2014). A federal appellate court in another case held that using someone else’s password to access certain computer systems violates the CFAA. United States v. Nosal, No. 14-10037, slip op. (9th Cir., Jul. 5, 2016).
Congress enacted the CFAA in 1986 as an amendment to the Comprehensive Crime Control Act of 1984. It has amended the law several more times, including in 2001 as part of the Patriot Act and most recently in 2008. The law covers a wide range of activities that center on unauthorized access to “protected computers,” defined very broadly as any computer used by a financial institution or the federal government, or used “in or affecting interstate or foreign commerce or communication.” 18 U.S.C. § 1030(e)(2).
The defendant in Key was a journalist and blogger for the Los Angeles Times. Prosecutors alleged that he helped members of the hacker group Anonymous gain access to the newspaper’s servers in late 2010. The hackers used this access to modify a news article posted to the Los Angeles Times’ website. The modified story was only up for about 40 minutes, and it was not clear if either the newspaper or its parent company suffered any financial loss.
Prosecutors charged the defendant under the CFAA with transmission of malicious code, 18 U.S.C. §§ 1030(a)(5)(A), (c)(4)(B); and attempted transmission of malicious code, id.
at § 1030(b). The defendant pleaded not guilty, but a jury convicted him on all of the counts. In April 2016, a judge sentenced him to 24 months’ imprisonment, which was less than the prosecutor’s request for five years.
The Ninth Circuit’s decision in Nosal has led to concern that federal prosecutors could treat password sharing, such as using a friend’s password to watch Netflix movies online, as a violation of the CFAA. The defendant accessed the computer system of his former employer, using the login credentials of a current employee, in order to obtain information he could use at another job. Prosecutors viewed this as theft of trade secrets under the CFAA. 18 U.S.C. § 1030(a)(4). The defendant was convicted and sentenced to one year and one day in prison.
The appellate court affirmed the conviction, the sentence, and most of the restitution award. It rejected arguments raised by the defendant, several amici, and one dissenting judge that the decision criminalized the mere act of sharing a password. The dissent, however, noted that the decision “loses sight of the anti-hacking purpose of the CFAA, and…threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.” Nosal, slip op. at 47 (Reinhardt, J., dissenting).
These blog posts are meant to be illustrative only. Unless expressly stated to the contrary herein, these matters are not the result of any legal work of Michael J. Brown, but are used to communicate a particular point of view. Michael J. Brown does not claim credit for any legal work done by any lawyer or law firm either generally or specifically, with respect to the matters contained in this blog.
Board-certified cybercrime attorney Michael J. Brown advocates for the rights of people facing charges in state and federal courts in West Texas. Contact us today online or at (432) 687-5157 to schedule a confidential consultation.
More Blog Posts:
SEC Files Securities Fraud Claims Against Bitcoin Mining Companies, Texas Criminal Lawyer Blog, April 22, 2016
Operator of “Revenge Porn” Website Sentenced to Two Years in Federal Prison, Texas Criminal Lawyer Blog, March 11, 2016
How Clearing One’s Browser History Might Be a Federal Crime, Texas Criminal Lawyer Blog, January 6, 2016