Spam and The Computer Fraud and Abuse Act Richard Warner


Liability under the CFAA

1030(a)(2)(C) imposes liability on whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication.”

Computers used in “interstate or foreign commerce or communication” are “protected.” 1030(e)(2).


Liability under the CFAA

1030(a)(5) imposes liability on anyone who

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.


Liability Under The CFAA

1030(g): “Any person who suffers damage or loss by reason of a violation of the section, may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”


Damage Defined

1030(e)(8): the term "damage" means any impairment to the integrity or availability of data, a program, a system, or information, that--

(A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals;

(B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals;

(C) causes physical injury to any person; or

(D) threatens public health or safety


Spam and The CFAA

Sending spam can violate the Computer Fraud and Abuse Act, 1030(a)(2)(C) and (a)(5)(C). See AOL v. LCGM.

One remaining issue: What intent is required under 1030(a)(5)?


1030(a)(5)

1030(a)(5) imposes liability on anyone who

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.


United States v. Morris

Morris was a Cornell University computer science doctoral student.

He released a worm over the Internet.

A worm is a self-replicating computer program designed to spread over the Internet without any further human interaction with the program once it is released.


Purpose of the Morris Worm

Morris did not intend his worm to cause any harm.

As the court notes, “The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that Morris had discovered. The tactic he selected was release of a worm into network computers.”


The Design of the Worm

Morris designed the worm to copy itself from Internet system to Internet system; however, before it copied itself, the worm first asked the computer if it already had a copy of the worm.

Point: multiple copies would slow the computer down and make the computer owner aware of the worm’s presence.

Morris wanted to show that the worm could spread undetected.


The Design of the Worm

The worm did not copy itself if it got a “yes” answer.

However, Morris also worried that system owners who became aware of the worm would stop its spread by programming their computers to answer “yes.”

So he programmed the worm to copy itself every seventh time it received a “yes” from the same computer.


The Error

Morris greatly underestimated the number of times a computer would be asked if it had the worm.

The worm spread with great rapidity over the Internet, causing computer slowdowns and shutdowns and imposing on system owners the cost of removing the worm.
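An added illustration, not part of the original slides and not Morris's code: a toy Python simulation of the "already have a copy?" check described above, comparing a worm that always honours a "yes" with one that copies itself on every seventh "yes" from the same computer. The host count, the one-probe-per-copy-per-round model, the per-host "yes" counter and the name `simulate` are assumptions made for the illustration.

```python
import random


def simulate(hosts=50, rounds=30, reinfect_every=7, seed=1):
    """Return (copies, yes_count) per host after `rounds` of probing.

    reinfect_every=None models a worm that never copies after a "yes";
    reinfect_every=7 models the every-seventh-"yes" rule from the slides.
    Purely a counting model: no networking, no real hosts.
    """
    rng = random.Random(seed)       # fixed seed keeps the run repeatable
    copies = [0] * hosts            # worm copies running on each host
    yes_count = [0] * hosts         # "yes" answers each host has given
    copies[0] = 1                   # the initial release on one host
    for _ in range(rounds):
        # Assumption: every running copy probes one random host per round.
        probes = [rng.randrange(hosts) for _ in range(sum(copies))]
        for target in probes:
            if copies[target] == 0:
                copies[target] = 1              # answer "no": copy over
                continue
            yes_count[target] += 1              # answer "yes"
            if reinfect_every and yes_count[target] % reinfect_every == 0:
                copies[target] += 1             # override: copy anyway
    return copies, yes_count


if __name__ == "__main__":
    for rule in (None, 7):
        copies, _ = simulate(reinfect_every=rule)
        print(f"reinfect_every={rule}: infected hosts="
              f"{sum(1 for c in copies if c)}, total copies={sum(copies)}, "
              f"max copies on one host={max(copies)}")
```

Because every additional copy issues its own probes, the number of "yes" answers a host gives keeps rising after the network is saturated, so the every-seventh rule keeps adding copies; that is the load the slides describe as slowdowns and shutdowns.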


Computer Fraud and Abuse Act

Morris was prosecuted criminally under the Computer Fraud and Abuse Act.

Section 2(d) punishes anyone who intentionally accesses [computers] without authorization . . . and damages or prevents authorized use of information in those computers, causing loss of $1,000 or more.


The Issues

The court: “The issues raised are (1) whether the Government must prove not only that the defendant intended to access a federal interest computer, but also that the defendant intended to prevent authorized use of the computer's information and thereby cause loss; and (2) what satisfies the statutory requirement of ‘access without authorization.’”


The Ruling

The court holds that the only intent required is the intent to access the system.

The authorization issue: Morris was authorized to use, in certain ways, the computers he initially accessed. He exceeded his authorized access. Is this enough to make his access unauthorized?

The court answers that it is.