6
Computer Fraud and Abuse Computer Fraud and Abuse Act Act (CFAA) (CFAA) Preventing the Destruction of Preventing the Destruction of eDocuments eDocuments Team 8 – Jason Conrad, Ben Team 8 – Jason Conrad, Ben Sweeney, Jeff Woodward Sweeney, Jeff Woodward

Computer Fraud and Abuse Act (CFAA)

  • Upload
    marion

  • View
    50

  • Download
    0

Embed Size (px)

DESCRIPTION

Computer Fraud and Abuse Act (CFAA). Preventing the Destruction of eDocuments Team 8 – Jason Conrad, Ben Sweeney, Jeff Woodward. Background on CFAA. Originally passed in 1984 as a way to protect classified information on government systems - PowerPoint PPT Presentation

Citation preview

Page 1: Computer Fraud and Abuse Act (CFAA)

Computer Fraud and Abuse ActComputer Fraud and Abuse Act(CFAA)(CFAA)

Preventing the Destruction of eDocumentsPreventing the Destruction of eDocuments

Team 8 – Jason Conrad, Ben Sweeney, Jeff Team 8 – Jason Conrad, Ben Sweeney, Jeff WoodwardWoodward

Page 2: Computer Fraud and Abuse Act (CFAA)

Background on CFAABackground on CFAA

Originally passed in 1984 as a way to protect Originally passed in 1984 as a way to protect classified information on government systemsclassified information on government systems

In 1996 – the act was expanded from In 1996 – the act was expanded from “government” computers to “protected” “government” computers to “protected” computerscomputers

Protected means any machine that engages in interstate Protected means any machine that engages in interstate commercecommerce

In 2000 – through Shurgard Storage Centers v. In 2000 – through Shurgard Storage Centers v. Safeguard Self Storage – demonstrated the Safeguard Self Storage – demonstrated the meaning of “protected” computer and meaning of “protected” computer and “authorization”“authorization”

Page 3: Computer Fraud and Abuse Act (CFAA)

The Shurgard Case – Defining a The Shurgard Case – Defining a “Protected Computer”“Protected Computer”

Mr. T, an employee of Safeguard, came to the Mr. T, an employee of Safeguard, came to the company after leaving his previous employer, company after leaving his previous employer, ShurgardShurgard

Sent messages containing trade secret Sent messages containing trade secret information while still employed by Shurgardinformation while still employed by Shurgard

Relevance of this case: the judge essentially Relevance of this case: the judge essentially said that “almost all computer use has become said that “almost all computer use has become interstate in nature” and that “Shurgard’s interstate in nature” and that “Shurgard’s computers were indeed protected computers” computers were indeed protected computers” within the scope of the CFAAwithin the scope of the CFAA

Summary: all computers connected to the Summary: all computers connected to the Internet are within the scope of the CFAAInternet are within the scope of the CFAA

Page 4: Computer Fraud and Abuse Act (CFAA)

International Airports v. CitrinInternational Airports v. Citrin The case: Citrin, a managing director at International Airports The case: Citrin, a managing director at International Airports

removed company files from a computer upon leaving the companyremoved company files from a computer upon leaving the company Company sued for violation of anti-hacking (CFAA)Company sued for violation of anti-hacking (CFAA) Judge threw out case and said that removing files does not violate Judge threw out case and said that removing files does not violate

CFAA since he was an employee of the company and “was CFAA since he was an employee of the company and “was authorized”authorized”

When appealed, Judge Posner said that Citrin’s termination of When appealed, Judge Posner said that Citrin’s termination of employment meant that his authorization ended – he deleted files employment meant that his authorization ended – he deleted files without authorization as an internal entitywithout authorization as an internal entity

In this case, appellate interpretations of the CFAA hold that In this case, appellate interpretations of the CFAA hold that permanently erasing files from an employer’s computer could trigger permanently erasing files from an employer’s computer could trigger federal liabilityfederal liability

Federal liability = you’re in troubleFederal liability = you’re in trouble CFAA requires that the “knowing transmission of a program, code or CFAA requires that the “knowing transmission of a program, code or

command intentionally damages, without authorization, a protected command intentionally damages, without authorization, a protected computer” in order to be enforcedcomputer” in order to be enforced

Now, according to this case, this violation can occur externally as Now, according to this case, this violation can occur externally as well as internallywell as internally

Page 5: Computer Fraud and Abuse Act (CFAA)

United States v. MitraUnited States v. Mitra Mitra, student at University of Wisconsin, transmitted radio signal Mitra, student at University of Wisconsin, transmitted radio signal

that disabled communications for police, fire, ambulance, etc.that disabled communications for police, fire, ambulance, etc. Argued that he never hacked into any computers because he used Argued that he never hacked into any computers because he used

a radio frequency – not a computera radio frequency – not a computer 77thth Circuit opinion – a “computer” is an electronic device, which Circuit opinion – a “computer” is an electronic device, which

includes radios that contain chips for high speed data processingincludes radios that contain chips for high speed data processing Ruled that his disabling of the communications was actually Ruled that his disabling of the communications was actually

“hacking” because it was hampering a “protected” interstate “hacking” because it was hampering a “protected” interstate communicationcommunication

Mitra argued that if his radio is a computer, then isn’t everything a Mitra argued that if his radio is a computer, then isn’t everything a computer? iPods, cell phone, cell tower, etc. – so doesn’t this give computer? iPods, cell phone, cell tower, etc. – so doesn’t this give the government too much control according to CFAA?the government too much control according to CFAA?

Any use of radio frequency is considered interstate commerce because it is Any use of radio frequency is considered interstate commerce because it is governed by the FCCgoverned by the FCC

CFAA does not give government too much power – there are limitations, CFAA does not give government too much power – there are limitations, damage must be intentional, at least $5,000, or a threat to public safetydamage must be intentional, at least $5,000, or a threat to public safety

In summary: a “protected computer” could be anything but is In summary: a “protected computer” could be anything but is necessary in order to protect vital communication and business necessary in order to protect vital communication and business systemssystems

Page 6: Computer Fraud and Abuse Act (CFAA)

Thank YouThank You

Questions?Questions?

Do you think the scope of the CFAA and Do you think the scope of the CFAA and the definition of protected computers is too the definition of protected computers is too wide, even though it protects interstate wide, even though it protects interstate commerce and security? …team 7 does…commerce and security? …team 7 does…