With the vast developments in technology, “cybercrime” now covers a large array of acts involving computers, smartphones, and other devices. As convenient as it is to have access to so much new new technology, our legal system is struggling to respond to and define “cybercrime.” This can cause problems when prosecutors attempt to argue that an activity fits within a statute’s definition of prohibited conduct when it really might not seem criminal in the first place.
Computer Fraud and Abuse Act
Therefore, the federal Computer Fraud and Abuse Act (CFAA) has received much criticism in that it allows prosecutors to use the statute in creative ways to prosecute alleged cybercriminals. In 1986, Congress enacted the CFAA as an amendment to the Comprehensive Crime Control Act of 1984. Since then, Congress has amended the law multiple times, such as in 2001 as part of the Patriot Act and again in 2008. The law covers a wide range of activities dealing with unauthorized access to “protected computers.” These are also defined broadly as any computer used by a financial institution or the federal government or used in or affecting interstate or foreign commerce or communication. Because of this broad language, more activities are able to be included as illegal cybercrimes.
The Case of United States v. Nosal
A recent case gained criticism for its application of this broad language while other applauded the broad language for its ability to punish acts that can harm the greater good. In United States v. Nosal the defendant, David Nosal, worked at the executive search firm Korn/Ferry International when he decided to start a competitor company along with a couple of coworkers. But before leaving Korn/Ferry, Nosal’s colleagues began downloading confidential information from the company’s database to use at their new venture. These colleagues were authorized to access the database as current employees but their downloads on behalf of Nosal violated the company’s confidentiality and computer use policies. The issue on appeal was whether or not Nosal violated access to a protected computer “without authorization” under the CFAA and trade secret theft under the Economic Espionage Act.
In affirming the conviction, the Court noted that Korn/Ferry revoked Nosal’s computer access credentials after he left the company and took the same precautions with his accomplices. Even so, Nosal continued to access the database using the credentials of his former executive assistant. The Court stated “a person uses a computer without authorization under the CFAA when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” This principle embodies the ordinary meaning of “without authorization.”
Losing Sight of the Anti-Hacking Purpose of the CFAA
It is important to note that the dissent in Nosal argued that the decision “loses sight of the anti-hacking purpose of the CFAA, and…threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.” This is the concern that federal prosecutors could treat password sharing, like using a friend’s Hulu or Netflix password to watch shows online, as a violation of the CFAA.
If you or someone you know have been charged with a cybercrime, please contact the experienced attorneys at Shein & Brandenburg. Our team with work with you to dissect this evolving type of law and how it relates to your case.