Upload
marion
View
50
Download
0
Embed Size (px)
DESCRIPTION
Computer Fraud and Abuse Act (CFAA). Preventing the Destruction of eDocuments Team 8 – Jason Conrad, Ben Sweeney, Jeff Woodward. Background on CFAA. Originally passed in 1984 as a way to protect classified information on government systems - PowerPoint PPT Presentation
Citation preview
Computer Fraud and Abuse ActComputer Fraud and Abuse Act(CFAA)(CFAA)
Preventing the Destruction of eDocumentsPreventing the Destruction of eDocuments
Team 8 – Jason Conrad, Ben Sweeney, Jeff Team 8 – Jason Conrad, Ben Sweeney, Jeff WoodwardWoodward
Background on CFAABackground on CFAA
Originally passed in 1984 as a way to protect Originally passed in 1984 as a way to protect classified information on government systemsclassified information on government systems
In 1996 – the act was expanded from In 1996 – the act was expanded from “government” computers to “protected” “government” computers to “protected” computerscomputers
Protected means any machine that engages in interstate Protected means any machine that engages in interstate commercecommerce
In 2000 – through Shurgard Storage Centers v. In 2000 – through Shurgard Storage Centers v. Safeguard Self Storage – demonstrated the Safeguard Self Storage – demonstrated the meaning of “protected” computer and meaning of “protected” computer and “authorization”“authorization”
The Shurgard Case – Defining a The Shurgard Case – Defining a “Protected Computer”“Protected Computer”
Mr. T, an employee of Safeguard, came to the Mr. T, an employee of Safeguard, came to the company after leaving his previous employer, company after leaving his previous employer, ShurgardShurgard
Sent messages containing trade secret Sent messages containing trade secret information while still employed by Shurgardinformation while still employed by Shurgard
Relevance of this case: the judge essentially Relevance of this case: the judge essentially said that “almost all computer use has become said that “almost all computer use has become interstate in nature” and that “Shurgard’s interstate in nature” and that “Shurgard’s computers were indeed protected computers” computers were indeed protected computers” within the scope of the CFAAwithin the scope of the CFAA
Summary: all computers connected to the Summary: all computers connected to the Internet are within the scope of the CFAAInternet are within the scope of the CFAA
International Airports v. CitrinInternational Airports v. Citrin The case: Citrin, a managing director at International Airports The case: Citrin, a managing director at International Airports
removed company files from a computer upon leaving the companyremoved company files from a computer upon leaving the company Company sued for violation of anti-hacking (CFAA)Company sued for violation of anti-hacking (CFAA) Judge threw out case and said that removing files does not violate Judge threw out case and said that removing files does not violate
CFAA since he was an employee of the company and “was CFAA since he was an employee of the company and “was authorized”authorized”
When appealed, Judge Posner said that Citrin’s termination of When appealed, Judge Posner said that Citrin’s termination of employment meant that his authorization ended – he deleted files employment meant that his authorization ended – he deleted files without authorization as an internal entitywithout authorization as an internal entity
In this case, appellate interpretations of the CFAA hold that In this case, appellate interpretations of the CFAA hold that permanently erasing files from an employer’s computer could trigger permanently erasing files from an employer’s computer could trigger federal liabilityfederal liability
Federal liability = you’re in troubleFederal liability = you’re in trouble CFAA requires that the “knowing transmission of a program, code or CFAA requires that the “knowing transmission of a program, code or
command intentionally damages, without authorization, a protected command intentionally damages, without authorization, a protected computer” in order to be enforcedcomputer” in order to be enforced
Now, according to this case, this violation can occur externally as Now, according to this case, this violation can occur externally as well as internallywell as internally
United States v. MitraUnited States v. Mitra Mitra, student at University of Wisconsin, transmitted radio signal Mitra, student at University of Wisconsin, transmitted radio signal
that disabled communications for police, fire, ambulance, etc.that disabled communications for police, fire, ambulance, etc. Argued that he never hacked into any computers because he used Argued that he never hacked into any computers because he used
a radio frequency – not a computera radio frequency – not a computer 77thth Circuit opinion – a “computer” is an electronic device, which Circuit opinion – a “computer” is an electronic device, which
includes radios that contain chips for high speed data processingincludes radios that contain chips for high speed data processing Ruled that his disabling of the communications was actually Ruled that his disabling of the communications was actually
“hacking” because it was hampering a “protected” interstate “hacking” because it was hampering a “protected” interstate communicationcommunication
Mitra argued that if his radio is a computer, then isn’t everything a Mitra argued that if his radio is a computer, then isn’t everything a computer? iPods, cell phone, cell tower, etc. – so doesn’t this give computer? iPods, cell phone, cell tower, etc. – so doesn’t this give the government too much control according to CFAA?the government too much control according to CFAA?
Any use of radio frequency is considered interstate commerce because it is Any use of radio frequency is considered interstate commerce because it is governed by the FCCgoverned by the FCC
CFAA does not give government too much power – there are limitations, CFAA does not give government too much power – there are limitations, damage must be intentional, at least $5,000, or a threat to public safetydamage must be intentional, at least $5,000, or a threat to public safety
In summary: a “protected computer” could be anything but is In summary: a “protected computer” could be anything but is necessary in order to protect vital communication and business necessary in order to protect vital communication and business systemssystems
Thank YouThank You
Questions?Questions?
Do you think the scope of the CFAA and Do you think the scope of the CFAA and the definition of protected computers is too the definition of protected computers is too wide, even though it protects interstate wide, even though it protects interstate commerce and security? …team 7 does…commerce and security? …team 7 does…