The Criminalization of Unauthorized Access to Computers

1
The Criminalization of Unauthorized Access to
Computers
Jon Holland, Evan Smith, Kris Gustafson, Brendan
Murphy
2
Computer Fraud and Abuse Act18 USC 1030

• (a) Whoever
• (5)(A)(i)
• Knowingly causes the
• Transmission of a program, information, code, or
  command, and as a result of such conduct,
  Intentionally causes damage
• Without Authorization, to a
• Protected Computer

3
Transmission??

• Transmission Shipment or delivery of a code or
  program to an outside computer.
• Intentional malicious code
• Code shipped via disk through interstate commerce
• Sale of code embodied in software or products
• Intentionally downloading destructive code
• Shaw v. Toshiba America Information Sys, Inc. 91
  F.Supp.2d 926
• Transmission does not include the installation of
  a program onto an individual computer that erases
  material on that computer. (Citrin)

4
1030(a)(5)(A)(ii)

• Intentionally accesses a protected computer
  without authorization, and as a result of such
  conduct, recklessly causes damage

5
1030(a)(5)(A)(iii)

• Intentionally accesses a protected computer
  without authorization, and as a result of such
  conduct, causes damage

6
Damage??

• Damage - any impairment to the integrity or
  availability of data, a program, a system, or
  information. 1030(e)(8)
• Eases the governments burden of proof.

7
1030(a)(5)(B)

• where the conduct described in (i) (ii) or (iii)
  of subparagraph (A), caused
• (i) loss to 1 or more persons during any
  1-year period aggregating at least 5,000.
• Persons includes both natural persons as well as
  business entities (Middleton)
• Loss is determined by considering both damaged
  programs and data as well as the cost to have the
  computer fixed by a professional.

8
1030(a)(5)(B) continued

• (ii) actual or potential modification or
  impairment of the medical examination, diagnosis,
  treatment, or care of 1 or more individuals
• (iii) physical injury to any person,
• (iv) a threat to public health or safety or
• (v) damage affecting a computer system used by or
  for a government entity in furtherance of the
  administration of justice, national defense, or
  national security.

9
Protected Computer??

• Protected Computer A computer(i) that is used
  by the Government or a Financial Institution,
  or(ii) which is used in interstate or foreign
  commerce or communication (connected to the
  internet).1030(e)(2)

10
Legislative History- Expanding the Scope of 1030

• Date
• 1984 - CADCFAL
• 1986 - CFAA
• 1988, 1989, 1990, 1994
• 1996 - NIIPA
• 2001 - PATRIOT Act

• Jurisdiction
• Computers Operated for the Government
• Federal Interest Computer
• Morris standard
• Protected Computer
• financial institution or government
• Protected Computer
• used in interstate or foreign commerce or
  communication includinglocated outside the US
  (which affects commerce of the US).
• Includes nearly every computer on INTERNET-
  even intrastate

11
Other Points to Note..

• 1030(g)- Civil Suit
• If the harm is purely economic under
  (a)(5)(B)(i), damages are also purely economic.
• SOL is 2 years from the date of discovery or act.
  
• It does not allow negligence claims for computer
  hardware, software, etc.
• For examples see
• Shurgard Storage Centers v. Safeguard Self
  Storage, Inc., 119 F.Supp.2d 1121 (W.D.Wash.2000)
• International Airports Centers, LLC. v. Citrin,
  2005 U.S. Dist. LEXIS 3905 (2005)

12
Federal Sentencing Guidelines
13
Federal Sentencing Table
14
Base Offense Level

• Basic Economic OffensesChapter 2
• Base Offense Levelthe location on the sentencing
  table where you begin to calculate the sentence
• Many factors will increase your offense level

15
Base Offense Level
16
(No Transcript)
17
2B1.1 Factors

• Possible Increases Under 2B1.1
• If the offense involved misappropriation of a
  trade secret and the defendant knew or intended
  that the offense would benefit a foreign
  government, foreign instrumentality, or foreign
  agent, increase by 2 levels.

18
(No Transcript)
19
2B1.1 Factors

• (7) If (A) the defendant was convicted of an
  offense under 18 U.S.C.  1037 and (B) the
  offense involved obtaining electronic mail
  addresses through improper means, increase by 2
  levels.
• (10) If the offense involved (A) the possession
  or use of any (i) device-making equipment, or
  (ii) authentication feature (B) the production
  or trafficking of any (i) unauthorized access
  device or counterfeit access device, or (ii)
  authentication feature or (C)(i) the
  unauthorized transfer or use of any means of
  identification unlawfully to produce or obtain
  any other means of identification, or (ii) the
  possession of 5 or more means of identification
  that unlawfully were produced from, or obtained
  by the use of, another means of identification,
  increase by 2 levels. If the resulting offense
  level is less than level 12, increase to level
  12.

20
1030 Specifics

• (14) (A) (Apply the greatest) If the defendant
  was convicted of an offense under
• (i) 18 U.S.C.  1030, and the offense involved
  (I) a computer system used to maintain or operate
  a critical infrastructure, or used by or for a
  government entity in furtherance of the
  administration of justice, national defense, or
  national security or (II) an intent to obtain
  personal information, increase by 2 levels.
• (ii) 18 U.S.C.  1030(a)(5)(A)(i), increase by 4
  levels.
• (iii) 18 U.S.C. 1030, and the offense caused a
  substantial disruption of a critical
  infrastructure, increase by 6 levels.
• (B) If subdivision (A)(iii) applies, and the
  offense level is less than level 24, increase to
  level 24.

21
Chapter 3 Guidelines

• Chapter 3 Guidelineslook to see if certain
  factors are presentadd or subtract from your
  Chapter 2 offense level
• Bit player vs. leader
• Vulnerable victims
• Mitigating Factors Include
• Acceptance of Responsibility
• Cooperation
• etc

22
(No Transcript)
23
Chapter 5-Departures

• Departures- take into account situations
  involving the offender which could cause a
  departure down or up on the guidelines
• The U.S. Sentencing Commission found that
  computer crime defendants receive downward
  departures from the guidelines ranges more
  frequently than other white collar crime
  defendants.

24
Sentencing under 1030

• Morris was ultimately sentenced to three years
  probation, 400 hours of community service, and a
  10,050 fine.
• Congress later enhanced the available penalties
  under 1030.
• Higher sentences for repeat offenders
• PATRIOT Actexpanded repeat offenders to
  include those convicted at the state level
• Increased the maximum sentence for first offenses
  under (a)(5)(A)(i-ii) to 10 years and repeat
  offender

25
Sentencing under 1030

• Enhanced Penalties
• Congress instructed the U.S. Sentencing
  Commission to review the penalties prescribed for
  1030 violations and possibly expand the list of
  criteria used to determine sentences
• Level of sophistication
• Extent of privacy violation
• Malicious intent

26
Effective Statutes and Policy Implications

• How does the legislature identify current trends
  in computer crimes and address them?
• Has the federal legal net been cast too wide?
• Policy implications of access without
  authorization
• Without authorization v. exceeding authorized

27
More Policy Considerations

• How can the courts keep up?
• Example Morris the INTERNET and VIRUS

28
The end.