💻

Understanding the Computer Fraud and Abuse Act

Mar 4, 2025

Notes on the Computer Fraud and Abuse Act (CFAA)

Overview

  • The Computer Fraud and Abuse Act (CFAA) is codified at Title 18, United States Code, Section 1030.
  • It addresses cyber-based crimes and is essential for prosecutors.
  • Consistent application by government attorneys and public understanding of the CFAA is crucial.

Department Policy for CFAA

  • Developed to guide government attorneys in prosecuting CFAA-related cases.

A. Consultation Requirements

1. Introduction

  • CFAA cases are often complex.
  • Requires understanding of technology, information sensitivity, evidence gathering, and victim concerns.
  • Requires coordination with the Computer Crime and Intellectual Property Section (CCIPS).

2. Investigative Consultation

  • Best practice: consult with a Computer Hacking and Intellectual Property Coordinator (CHIP) during important stages.
  • Preliminary steps might precede consultation if evidence is at risk.

3. Charging Consultation

  • Requires consultation with CCIPS on potential issues and case relevance to national priorities.
  • Encourages CHIP participation for consistency.

4. National Security Cases

  • Additional requirements for cases involving terrorism or national security.
  • Possible dual consultation with NSD and CCIPS.

5. Notification to Deputy Attorney General

  • Required if charging decisions contradict CCIPS recommendations.

B. Charging Policy for CFAA

1. Access without Authorization

  • Offenses occur when defendants access protected computers without authorization.
  • Conditions for charging:
    1. No authorization by any authority.
    2. Knowledge of unauthorized access.
    3. Prosecution aligns with CFAA enforcement goals.

2. Exceeding Authorized Access

  • Offenses involve exceeding access limits on protected computers.
  • Conditions for charging:
    1. Division of computer areas by code/configuration.
    2. Conditional area access.
    3. Defendant knowingly exceeded access.
    4. Prosecution aligns with CFAA enforcement goals.

3. Prosecution Goals

  • Promote privacy and cybersecurity.
  • Consider additional factors:
    1. Sensitivity and harm from unauthorized access.
    2. National security and infrastructure concerns.
    3. Criminal endeavor scale and threat level.
    4. Victim impact.
    5. Deterrent value of prosecution.
    6. Community impact.
    7. Jurisdictional prosecution likelihood.
    8. Good-faith security research exemption.

C. Comment

  • Exceeds authorized access cases are limited:
    • Not based on contract/policy violations without total access prohibition.
    • Not on conditions automatically withdrawing access.
  • Prosecution must prove knowing unauthorized access.
  • Technological efforts to secure information often indicate access boundaries.

Updates and Legal Context

  • The section is for internal guidance and does not create enforceable rights.
  • Updated in May 2022.

View note sourcehttps://www.justice.gov/jm/jm-9-48000-computer-fraud