Why the CFAA is so Difficult to Prosecute

You may have heard about the landmark case against Aaron Swartz, the hacker who stole files from JSTOR for free distribution. Swartz argued he was trying to encourage free thought with the exchange of ideas, but the courts saw it differently. Surprisingly, this case is one of the few to both receive national attention and have a reasonable shot at prosecution.

A Brief History of the CFAA

The Computer Fraud and Abuse Act of 1984 was written to try to outline the rules of federal and financial computer use. At the time, the Federal Government saw the opportunity for hackers or users with malicious intent to cause great harm. Passing this law was meant to provide some means of prosecution, but the overly broad language has made acquiring a guilty verdict rather difficult.

Challenges Faced by Prosecutors

Part of the problem with the Computer Fraud and Abuse Act (CFAA) is that the law is evolving. For instance, the CFAA protects against users illegally accessing a “protected computer”, which might imply only a small subset of computers (think secure email servers used by the State Department). Recently, through case law, that definition has evolved to include all computers connected to the Internet.

There are also damages to be concerned with. In 1996, when the CFAA was updated to include all computers with access to the Internet as “protected”, a specified damage total of $5,000 was put into place, unless the hacker interfered with health care or posed a threat to national security. If damage doesn’t exceed that amount, courts might not be willing to make concessions for a case to move forward.

There is also the question of code. Writing malicious code is not illegal, but using that code is. If a third party uses code created by someone else, who is at fault?

Navigating this legal quagmire has not been easy for the US Supreme Court, and continues to prove a fundamental challenge to the Computer Fraud and Abuse Act.