Abstract
The Computer Fraud and Abuse Act describes different computer crimes and how the offender can be penalized for going against this law. There are many reasons why this act should be reformed. The Computer Fraud and Abuse Act was written before computers became popular or accessible within homes and although there have been amendments to this act, it still has flaws. The act has instances of unclear language which makes it hard for the courts to come to a mutual decision based on the act. The case of Aaron Swartz shows how the Computer Fraud and Abuse Act is flawed and how the penalties for this law are unjust.
Historical Background and Description
In 1984, Congress enacted the Computer Fraud and Abuse Act, 18 U.S.C. 1030, and since the passing of the act, it has been amended a few times (Taylor, Fritsch, Liederbach, Saylor, & Tafoya, 2018). The original Computer Fraud and Abuse Act only had three categories of computer crime (Computer Fraud and Abuse Act of 1986, 2013). These crimes described were access without authorization to and use of federal data and consumer credit-related information as well as the unauthorized usage of United States government computers (Computer Fraud and Abuse Act of 1986, 2013). This is because computers were not available for use in businesses and homes until the mid 1980s, and therefore made the government want to protect their data from the public (Computer Fraud and Abuse Legislation, 2016). But, even then, the ability to commit computer crimes required a set of skills that were very sophisticated (Curtiss, 2016). Later on, this led to an amendment being added just two years later in 1986, which added computers that are not owned or used by or for the United States government or its employees to the list of computer crimes (Computer Fraud and Abuse Act of 1986, 2013). The 1996 amendment changed the words “federal interest computer” in the previous amendment to “protected computer” which was later expanded on to say “affecting interstate commerce” in 2008 (Curtiss, 2016).
Herbert Zinn, who was 16 at the time, hacked into the Department of Defense’s computer systems where he was able to create chaos within hundreds of files (Computer Fraud and Abuse Legislation, 2016). This was the first use of the Computer Fraud and Abuse Act to convict someone in January of 1989. He was fined and sentenced to prison for nine months (Computer Fraud and Abuse Legislation, 2016). Violation of the Computer Fraud and Abuse Act could lead to a penalty for up to 10 years of prison time and/or fines (Computer Fraud and Abuse Act of 1986, 2013).
Violations and Penalties
The Computer Fraud and Abuse Act, under subsection 1030(a), makes it a crime to trespass or hack into computers owned by the government, which is known as paragraph 1030(a)(3) (Doyle, 2014). The Computer Fraud and Abuse Act also makes it a crime to expose information that relates to the government, foreign relations, the United States national defenses, or any type of financial institutions which is known as paragraph 1030(a)(2) (Doyle, 2014). Under paragraph 1030(a)(5) of the Computer Fraud and Abuse Act, it also states that it is illegal for an individual to do damage to any of these types of computers (Doyle, 2014). These include damaged resulting from any type of cybercrime, cyberterrorism or cyberattacks, such as the use of worms, viruses, denial of service attacks as well as many others (Doyle, 2014). This act also prohibits an individual to commit fraud that involves accessing computers which are or can be used in or affect interstate or foreign commerce, as well as computers used by the government or banks without proper authorization, also referred to as paragraph 1030(a)(4) (Doyle, 2014). It is also unlawful for someone to threaten to cause damage to any of these types of computers, which is also known as paragraph 1030(a)(7) (Doyle, 2014). Under paragraph 1030(a)(6), dealing or trading government computer passwords is also illegal (Doyle, 2014). Paragraph 1030(a)(1) outlaws committing espionage using a computer (Doyle, 2014). Conspiring or attempting to engage in any of these criminal offences has been made a crime under the subsection 1030(b) (Doyle, 2014).
The penalties for the first offense of violating, conspiring to violate, or attempting to violate paragraph 1030(a)(3) include fines that can be up to $100,000 or imprisonment that should not exceed one year (Doyle, 2014). For any additional violations, the penalties are up to ten years in prison or fines that can be up to $250,000 (Doyle, 2014). Paragraph 1030(a)(2) has three tiers of sentencing for violations (Doyle, 2014). Simple violations of this crime are a misdemeanor, less than one year of imprisonment, or up to $100,000 in fines (Doyle, 2014). The penalties for the second tier are imprisonment that does not exceed 5 years, or fines of no more than $250,000 (Doyle, 2014). If a person has committed this crime multiple times, they will go to the third tier where they will be punished with up to 10 years in prison or fines up to $250,000 (Doyle, 2014). For paragraph(a)(5), the punishment can be imprisonment for any length of time, including life, or fines up to 250,000, if the defendant causes death to occur while committing this offense (Doyle, 2014). If the defendant causes bodily injury, this can result in imprisonment for up to 20 years or fines that are not to exceed $250,000 (Doyle, 2014). If the defendant causes any physical injury, causes loss of $5,000 or more over a year, threatens the safety or health of the public, affects any computer for justice, national security, or national defense, or a minimum of ten or more protected computers within a year’s time are affected by the offender, they can receive a punishment of 5 years or less in prison or fines that are not to exceed $250,000 (Doyle, 2014).
Is the Computer Fraud and Abuse Act Fair?
The Computer Fraud and Abuse Act was created in a time where the threat to critical infrastructure and government computers were the focus of computer crime (Curtiss, 2016). This act has also had some controversy when being applied to civil cases as well as criminal cases in court (Curtiss, 2016). When applying this act, most of the problems stem from the way in which an individual may use technology instead of the amendments that were added to the Computer Fraud and Abuse Act itself (Curtiss, 2016). With the advances in technology and the everyday usage of computers, this act seems outdated considering it was created over thirty years ago and has only had slight amendments over the years. These amendments are not enough for the act to keep up with modern day computer usage. This act was originally made to more easily prosecute those who had committed a computer crime because before its creation computer crimes were prosecuted under already existing laws, such as trespassing and theft (Curtiss, 2016).
The language within the Computer Fraud and Abuse Act is unclear and vague (Curtiss, 2016). The improper usage of a computer offense is a misdemeanor but can cross over to a felony when the offender uses the information for to gain advantage, financial benefit, or another crime has been or was intended to be committed (Curtiss, 2016). Although the offense may not seem to be severe, the sentencing for the offense could be more severe due to the vagueness of the Computer Fraud and Abuse Act (Curtiss, 2016). The Eighth Amendment rules against harsh or excessive fines or bail and cruel and unusual punishment, which was taken from the English Declaration of Rights which states that the magnitude of the crime must have a fitting or proportional punishment (Curtiss, 2016). Although, the Supreme Court ruled that this only applies to offenses which are noncapital (Curtiss, 2016).
In July of 2011, Aaron Swartz was indicted for the attempted download of all of the articles on JSTOR on a computer network at Massachusetts Institute of Technology (Curtiss, 2016). He had previously done this to while working with Harvard, where he downloaded 4.8 million articles, which he never shared with anybody (Curtiss, 2016). Many believed that he would use these files to research civil disobedience because Swartz believed that the public should have access to research publications that are publicly funded (Curtiss, 2016). Swartz committed suicide in 2013 while he was facing federal trial (Curtiss, 2016). He was facing a maximum of one million dollars in fines as well as 35 years in federal prison and after his death, there were many calls for the Computer Fraud and Abuse Act to be reformed (Curtiss, 2016). In 2013, Aaron’s Law was introduced by Ron Wyden, Rand Paul, and Zoe Lofgren which was intended to resolve the split of the circuit (Curtiss, 2016).