The CFAA and Aarons Law

T H E C O M P U T E R F R A U D A N D A B U S E A C T, & ‘ A A R O N ’ S L AW ’
I N T R O D U C T I O N
To understand the significance of the Computer Fraud and Abuse Act, we must consider its
history, the use, scope, and function of the Internet at the time of the Act’s inception, and the
recurring nature which Congress amended the Act in order to keep up with the advancements of
computer and computer-based communications.
We must also consider the evolution of precedence over the course of its history with respect
to charges under the Act.
Further, we must address the root cause of the contentious nature of this Act as written, and
look to other industry models which can assist in amending the Act according to contemporary
use of computers, and the modern Internet.
T H E C O M P U T E R F R A U D A N D A B U S E A C T O F 1 9 8 4
History of the CFAA
The Computer Fraud and Abuse Act of 1984 was originally born as the Counterfeit Access
Device and Computer Fraud and Abuse Act (Counterfeit Access Device Act) in 1984. The law
was preempted by an increase in computer crime activity, notably hacking and fraud, which led
Congress to address the nuisance under a single federal statute. Keep in mind that the “Internet”
in this time period was not yet public, and only available to certain Defense or other federal
agencies, select Universities, and/or government contract corporations.
The Counterfeit Access Device Act was extraordinarily narrow in its scope of applicability
because it only addressed “federal interest computers” - generally those owned or operated by
the federal government or financial institutions. However, because the Counterfeit Access Device
Act only applied to select types of confidential information, it immediately fell subject to harsh
criticism from legislators, industry leaders, and law enforcement officials. Additionally, the law
was deemed too vague and difficult to use. In fact, only one person was ever indicted under the
1984 Counterfeit Access Device Act. (Galbraith, 2004)
The following sections review, discuss, and even outline how this law has morphed since its
inception, and where appropriate, displays or opines the resultant detriment to the concern of
many. The last sections outline the current criminal offenses in this continuously expansive law,
and also address the constitutional problems that occur when a law expands to such a breadth as
a result of its vagueness.
Thomas Jones: Syracuse University School of Information Studies, Spring 2013

Computer Fraud and Abuse Act of 1986
In response to these unfortunate facts, Congress amended the law in 1986 to become the
Computer Fraud and Abuse Act of 1984 (CFAA, otherwise known as the Act). This amendment
clarified the vagueness and added definitions that even today, still cloud the applicability and
enforcement of the Act. This amendment to the Act broadened the scope of applicability, and
added three additional types of computer crimes: 1. a computer fraud offense patterned after the
federal mail and wire fraud statutes; 2. an offense for the alteration, damage, or destruction of
information contained in a federal interest computer; and 3. an offense for the trafficking of
unauthorized computer passwords in certain circumstances. (Galbraith, 2004) Specifically, the
1986 amendment defined “Federal interest computers” as:
(A) exclusively for the use of a financial institution or the United States
Government, or, in the case of a computer not exclusively for such use, used by or
for a financial institution or the United States Government and the conduct
constituting the offense affects the use of the financial institution’s operation or
the Government’s operation of such computer; or
(B) which is one of two or more computers used in committing the offense, not all
of which are located in the same State. (Kerr, 2009)
The Violent Crime Control and Law Enforcement Act of 1994
To close further loopholes by unexpected ‘hacker” activity, as the Internet or its equivalent in
that time grew in popularity, Congress again amended the Act with a more comprehensive
omnibus crime bill entitled The Violent Crime Control and Law Enforcement Act of 1994. This
amendment extended the Act to include transmission of worms and viruses. (Galbraith,
2004)Further, the amendment, specifically known as the Computer Abuse Amendments Act of
1994, expanded the computer damage statute applying to computer damage incurred
accidentally, even without negligence. The statute also added a civil provision to allow victims of
§ 1030(a)(5) crimes to recover damages against wrongdoers. (Kerr, 2009)
Economic Espionage Act of 1996
Two years later in 1996 the Act was amended once more, specifically by Title II of the above
title, named the National Information Infrastructure Protection Act of 1996. This expanded the
Act’s reach to all computers used in interstate commerce - effectively every computer that
touches the Internet in its entirety. Consider this point carefully, and take light of the fact that this
time period is generally considered the birth of the (commercial) Internet.

This came as a result of extenuating concerns of financial loss due to computer security
breaches. This amendment is notable in that it acknowledged that computer crime had
substantive and adverse economic impacts. The intent of this amendment, consistent with the
legislative history of the Act at this point in history, was to further protect the confidentiality of
computer data, as well as the systems upon which the data resided. It also was designed to
safeguard the privacy of information, which the amendment’s sponsors hoped would also help
ensure the public’s faith in the security of computer networks. (Galbraith, 2004)
To grasp how dramatic this amendment’s expansion was to the Act, Orin S. Kerr, Professor of
Law at George Washington University School of Law, and pro-bono counsel to Lori Drew,
outlines its expansion in three different ways:
The first change vastly expanded the scope of § 1030(a)(2), which was originally
limited to unauthorized access that obtained financial records from financial
institutions, card issuers, or consumer reporting agencies. The 1996 amendments
expanded the prohibition dramatically to prohibit unauthorized access that
obtained any information of any kind so long as the conduct involved an interstate
or foreign communication.
Second, the 1996 amendments added new provisions to the computer damage
prohibition, added a new felony enhancement to § 1030(a)(2), and added a
computer extortion statute at § 1030(a)(7). The new computer damage section
expanded the list of harm that counted as damage: beyond monetary damage
(raised to $5,000 from $1,000) and impairing a medical diagnosis or treatment,
the law added causing “physical injury to any person” or “threaten[ing] public
health or safety” to the list. The felony enhancements to § 1030(a)(2) turned a
misdemeanor violation into a felony if the offense was conducted in furtherance
of any crime or tortious act, if it was conducted for purposes of financial gain, or
if the value of the information obtained exceeded $5,000.
Finally, the 1996 amendments expanded the statute dramatically by replacing the
decade-old category of “Federal interest” computers with the new category of
“protected computer.” As enacted in 1996, a protected computer was defined as a
computer:
(A) exclusively for the use of a financial institution of the United States
constituting the offense affects that use by or for the financial institution or the
Government; or
(B) which is used in interstate or foreign commerce or communication.

... The critical difference between a “Federal interest” computer and a “protected
computer” was that the former required computers in two or more states, while
the latter merely required a machine “used” in interstate commerce.
However, the change in the definition changed the scope of the statute
dramatically. Because every computer connected to the Internet is used in
interstate commerce or communication, it seems that every computer connected to
the Internet is a “protected computer” covered by 18 U.S.C. § 1030. (Kerr, 2009)
The USA Patriot Act of 2001
The amendment appears in section 814 of the Act, labeled “Deterrence and Prevention of
Cyberterrorism.” The Patriot Act amended the Act in two major ways according to Kerr:
The most significant amendment to the scope of § 1030 in the Patriot Act was the
expanded definition of “protected computer” to include computers located outside
the United States. Specifically, the amendment added those computers “located
outside the United States that [are] used in a manner that affects interstate or
foreign commerce or communication of the United States.” The amendment
effectively extended the CFAA to as many foreign computers as the Commerce
Clause allows.
... The Act added damage to any computer “used by or for a government entity in
furtherance of the administration of justice, national defense, or national security”
to the list of harms that, if caused, trigger the felony computer damage provisions
of § 1030(a)(5). (Kerr, 2009)
Identity Theft Enforcement and Restitution Act of 2008
Subtitled under the Former Vice President Protection Act, this amendment included more
subtle changes, but changes that have been described to have had a “surprisingly large
impact.” (Kerr, 2009)
Professor Kerr outlines three of the most notable of these subtly described changes.
First, the statute once again expanded the scope of § 1030(a)(2) by removing the
requirement of an interstate communication. Under the new § 1030(a)(2)(C), any
unauthorized access to any protected computer that retrieves any information of
any kind, interstate or intrastate, is punishable by the statute.

The statute also once again expanded the reach of § 1030(a)(5), creating
misdemeanor liability for harms under $5,000 and adding once again to the list of
felony triggers—this time, harming ten or more computers, designed to cover
cases of botnets.
The third significant expansion is the most subtle but the most far-reaching. The
2008 amendments once again expanded the definition of “protected computer.”
Therefore, the present definition includes any computer that is:
(A) exclusively for the use of a financial institution or the United States
constituting the offense affects that use by or for the financial institution or the
Government; or
(B) which is used in or affecting interstate or foreign commerce or
communication, including a computer located outside the United States that is
used in a manner that affects interstate or foreign commerce or communication of
the United States.
It is easy to miss the change. Congress added “or affecting” in the first phrase of §
1030(e)(2)(B), replacing the definition that included computers “used in interstate
or foreign commerce or communication” with computers “used in or affecting
interstate or foreign commerce or communication.”
To surmise, this in effect merges the Act with the jurisdiction of the Commerce Clause. It
further eludes to how broad the “protected computer” term has become, and applies, to any
computer that the federal government has power to regulate. This alarms many computer and
Internet users, and rightly so - wouldn't any use of the modern Internet be inherently “Interstate
Commerce”? Professor Kerr asserts that it is possible that with the aforementioned expansion in
the Act, it is feasible hat a “protected computer” would now simply be considered any, or “a
computer.”
Void for Vagueness Doctrine
Under constitutional law, a statute is “void for vagueness” and therefore unenforceable if said
statute is so vague as to not be understood by the average citizen. It is a mechanism that
encourages clearly defined provisions so that a person can know what is regulated, what is
prohibited, and what punishment is resultant from violating the statute. Currently there is wide
judicial discretion with respect to what access, authorization, or the excess of either means.
Professor Kerr argues that this forces the courts to adopt a narrower interpretation of the
aforementioned. He goes on to state:

The basic argument has two stages. First, courts must adopt a clear theory of what
makes access unauthorized to provide sufficient notice as to what is prohibited.
The interpretation must make clear to potential wrongdoers what is prohibited so
they can do more than merely guess at the meaning of the statute. Second, courts
must adopt a narrow theory to avoid encouraging discriminatory enforcement.
The remarkable breadth of this statute requires courts to adopt a clear and narrow
interpretation of unauthorized access to provide fair warning to individuals and to
limit government discretion.
Otherwise the public has no certainty what conduct constitutes “unauthorized access”, for
example. And if there literally is no (judicial) consensus on what is or is not illegal, the law is
subsequently unconstitutional, and unenforceable.
Current Criminal offenses under the Act
Cornell University’s Legal Information Institute provides the following current criminal
offenses in the CFAA of 1984 as:
(a) Whoever—
(1) having knowingly accessed a computer without authorization or exceeding authorized
access, and by means of such conduct having obtained information that has been determined by
the United States Government pursuant to an Executive order or statute to require protection
against unauthorized disclosure for reasons of national defense or foreign relations, or any
restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with
reason to believe that such information so obtained could be used to the injury of the United
States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or
causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver,
transmit or cause to be communicated, delivered, or transmitted the same to any person not
entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee
of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access,
and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer
as defined in section 1602 (n) of title 15, or contained in a file of a consumer reporting agency
on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;

(3) intentionally, without authorization to access any nonpublic computer of a department or
agency of the United States, accesses such a computer of that department or agency that is
exclusively for the use of the Government of the United States or, in the case of a computer not
exclusively for such use, is used by or for the Government of the United States and such conduct
affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without
authorization, or exceeds authorized access, and by means of such conduct furthers the intended
fraud and obtains anything of value, unless the object of the fraud and the thing obtained
consists only of the use of the computer and the value of such use is not more than $5,000 in any
1-year period;
(5)
(A) knowingly causes the transmission of a program, information, code, or command, and as
a result of such conduct, intentionally causes damage without authorization, to a protected
computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such
conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such
conduct, causes damage and loss.
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password
or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) with intent to extort from any person any money or other thing of value, transmits in
interstate or foreign commerce any communication containing any—
(A) threat to cause damage to a protected computer;
(B) threat to obtain information from a protected computer without authorization or in excess
of authorization or to impair the confidentiality of information obtained from a protected
computer without authorization or by exceeding authorized access; or
(C) demand or request for money or other thing of value in relation to damage to a protected
computer, where such damage was caused to facilitate the extortion;
shall be punished as provided in subsection (c) of this section.

(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of
this section shall be punished as provided in subsection (c) of this section. (Legal Information
Institute, n.d.)
E N T E R P R I S E A R C H I T E C T U R E
The Enterprise Architecture (EA3) Cube model is a framework that establishes a relationship
between strategy, business, and technology. It does so over five different areas in the architecture
- Goals and Initiatives, Products and Services, Data and Information, Systems and Applications,
Networks and Infrastructure - each layer dependent on the one that precedes it. For example, a
corporation has an overall strategy of how it fits into any given market, this defines its goals and
initiatives, which then dictates is products and services, which further develops how data and
information are used, leading to which systems and applications are conducive for enterprise use,
which then defines the requirements for the underlying network and infrastructure the enterprise
needs to operate successfully. This approach is taken across each line of business a corporation
has, depending upon its portfolio diversification. However, this model addresses what tools are
used to provide the function(s) the company needs to achieve its business plan. It does not
necessarily consider how to to secure what tools have been identified for use. This is the purpose
of the Enterprise Information Security Architecture (EISA) model which aligns well with the
EA3 model.
As applied in practice, as typically seen in enterprise or corporate IT departments, we must
strive to understand the posture of the IT systems and services which the Act is intended to
protect. We must further strive to understand how a corporate entity qualifies and quantifies its
network posture, security measures, and/or policies to protect itself under the law, but also
enables its exertion under the Act. The corresponding five EISA layers respective to the EA3
model include IS Governance, Operations and Personnel Security, Dataflow and Application
Development Security, Systems Security, and Infrastructure and Physical Security.
Aligned with the business context in the EA3 model mentioned above, the EISA model
applies an information security context to the business structure of the corporate entity. The
information system governance (business drivers) dictate the operations and personnel security
(products and services), which feeds into the dataflow and application development security
(data and information), which defines parameters for systems security (systems and
applications), which then define requirements for infrastructure and physical security (networks
and infrastructure). This provides a comprehensive and contextual model for enterprise
information security, and when compounded with the EA3 approach, is contextually relevant to
the corporation’s business purpose.
E N T E R P R I S E I N F O R M AT I O N S E C U R I T Y A R C H I T E C T U R E

Enterprise Information Security Architecture is a framework composed of 5 layers which
include Information Security Governance, Operations and Personnel Security, Dataflow and
Application Development Security, Systems Security, and Infrastructure and Physical Security.
As in Enterprise Architecture, each of these layers precedes the other which provides an
increasingly contextually defined framework, which can address any company’s security posture,
respective to any given market. To understand how this framework does so we must look briefly
at each layer as explained by Dr. Scott Bernard of Syracuse University’s School of Information
Studies.
Information Security Governance defines security strategies, policies, standards and
guidelines for the enterprise from an organizational viewpoint. This results in various outputs
such as policy statements, access policies, information practices, security lifecycle charts, etc. -
obviously not an all-inclusive list but one that provides general direction, and enables lower
layers of the framework to add further specificity. It is this layer where we see policy formation
and evaluation, assurance standards, law and legislation, among other common organizational
policies. This is arguably one of the major components of the Act commonly brought under
question. It is also one of the more frequently contested due to the vagueness Congress has either
willingly, or negligently structured into the language of the Act. This issue is discussed further in
this paper under Agency-based and Contract-based interpretations of the Act.
The next layer in the framework is Operations and Personnel Security. The purpose of the
Operations Security component is to define or dictate the behavioral and operational
requirements as they relate to access to the company’s IT data, systems, and services. Outputs of
this layer consider and include Risk Assessment, Authorization Models, Access Control User
Requirements, Business Impact Analysis, and Disaster Recovery & Business Resumption
Planning.
The Personnel Security component extends the aforementioned requirements not to just the
protection of the company’s data, systems, and services, but to or for the protection of its
leadership and employees thus further protecting the company. Expanding further, the purpose of
Personnel Security is to ensure the enterprise’s personnel are accessing and utilizing its
information and technology services safely, securely, and in accordance with their predefined
roles and responsibilities of their job functions, through proper access control plans and detection
of employee anomalous behavior. The resultant outputs of this behavior shares similarities with
Operations Security, but focuses further on components such as authentication, role-based access
control, awareness training, desktop security policies, and procedural training. Operations and
Personnel Security are major pillars of the Act revolving around whether a person, employee or
not, accessed a computer “without authorization”, or “exceeded authorized access”. As discussed
later in this paper, this layer of EISA is most strongly correlated with the Code-based
interpretation, one which some prominent legal scholars argue should be the default
interpretation, sometimes compounded with an employment law context.
The Information and Dataflow Security layer focuses not on addressing data or access
thereto, but rather information - the meaning of data. More explicitly, the purpose here is to

identify and classify information and data as it moves through the enterprise in order to justify
adequate security controls. The data needs to be valued from a quantitative and qualitative aspect
and classified into levels depending on the risks of and to data loss, repudiation, competition, and
availability. This layer is where we begin to see output or processes outlined that are dedicated to
the design of dataflow, categorical treatment or segregation of information, and the logical and
associative access controls to it. In some of the case studies below, we see this layer used in
Agency, Contract, and Code-based interpretations.
The Application Development Security layer addresses in more specific and technical detail,
how the Information and Dataflow Security layer is to be implemented and/or safeguarded. more
specifically, architect the authentication, authorization and accounting (AAA) components into
the applications used in the enterprise; and to enforce the application process flow thru ought the
enterprise; and to ingrain security in the systems development lifecycle. The outputs seen, but
not all inclusive to, are design and development, application development security (such as
sandboxing), application gateways, and application security placement. This layer aligns strongly
with Code-based interpretations of the Act.
The next layer is Systems Security. This layer is used to protect or safeguard sensitive
applications, sometimes resultant from the previous layer of Application Development Security.
More concisely the purpose of this layer is to protect sensitive applications running on the
systems and provide granularity of access controls to sensitive resources. Examples of outputs
from this layer include, but are not limited to, user account management & privileges, certificate
request management, password stores & management, remote access, authorization models, file
system hardening procedures, patching, and security repositories. This layer aligns strongly with
Code-based interpretations of the Act, central to the intended meaning of “authorization” to
access a computer.
These layers rest upon the final EISA layer of Infrastructure Security. The infrastructure is
the physical medium consisting of (network) appliances which all the preceding layers traverse.
This layer must meet and facilitate the holistic totality of security requirements from all
preceding layers, and provide safeguarding against current or future attacks. Outputs typically
seen from this layer include but are not limited to network segregation or partitioning, VLAN’s,
Firewalls, Intrusion Prevention and Detection, Load Balancers, PKI architectures, network,
cellular, and telecommunication circuits, VPN’s, and a variety of SSL methods or
implementations. This layer is intriguing because it is in fact a result of the culmination of
requirements from all the above layers. It also has a unique place in the Aaron Swartz case, and
the spirit of MIT’s open network. This does align most strongly with a Code-Based
interpretation, and as seen below, ultimately code is law.
A P P LY I N G T H E C FA : C A S E S T U D I E S

The application of the CFAA in the courts today has revolved around three distinct
approaches. These approaches result from vague language in the Act of what “authorization”
means. More specifically what it means to access a computer “without authorization”, or
“exceeds authorized access”. This is especially problematic when, employers bring rogue
employees into court, arguing under the rather (vague) general language in the CFAA, that the
employee was without authorization or exceeded his authorization to access the company
computer system when he did so to obtain proprietary company information for devious non-
business purposes. (Field, 2009)
This has led to courts adopting one or more of the following interpretations: Agency-Based
Interpretation, Contract-Based interpretation, and a Code-based interpretation.
Agency-Based Interpretation
In an agency-based interpretation, authorization is based on common-law principles. The
employee-employer relationship imposes “special duties on the part of both the employer and the
employee which are not present in the performance of other types of contracts”. In short the
employee owes a duty to his employer, which requires him to act solely for the benefit of the
employer or company. Moreover, the employee’s authority to act on behalf of the employer
terminates when he obtains an interest adverse to the employer - for example if he begins to
work for a competitor. Thus applying the aforementioned under the CFAA, an employee’s
authorization is implicitly revoked when he accesses a computer for the purposes that do not
further his employer’s interests. (Field, 2009)
One notable example of this approach is found in International Airport Centers v. Citrin:
In 2006, the Seventh Circuit was the first appellate court to wade into the
“without authorization” debate that had been ongoing among the district courts
for more than five years. In International Airport Centers, L.L.C. v. Citrin, the
defendant, was employed by the plaintiff to look for and help acquire real estate.
Citrin decided to quit working for International Airport Centers (IAC) and start
his own business. Prior to leaving IAC, Citrin erased all the data on a laptop
computer provided by IAC, some of which would have shown he had engaged in
improper conduct and none of which IAC had any additional copies. Citrin
installed and used a secure-erase program to do this, which meant that the data
were truly unrecoverable. IAC sued under the CFAA's civil provision, § 1030(g),
claiming Citrin had violated § 1030(a)(5)(A)(i), which provides that such
violation occurs when one “knowingly causes the transmission of a program,
information, code, or command, and as a result of such conduct, intentionally
causes damage without authorization, to a protected computer.”

The court, citing congressional intent that the CFAA should reach internal as well
as external actors, readily settled on a broad definition of what constitutes a
transmission. While not quite holding that pressing the delete key constitutes a
transmission, the court nevertheless determined that installing the secure-erase
program—whether installed remotely or by an actor with direct physical access—
constituted a transmission in accordance with the CFAA.37
The court next turned to the authorization element of § 1030(a)(5). Here, the court
applied principles of agency law and determined that Citrin's authorization to
access the laptop computer ended at the moment he violated his employment
contract by deciding to act contrary to IAC's interests, i.e., before he erased the
data on the computer's hard drive. That authorization, the court said, was granted
through the agency relationship Citrin had with his employer and implicitly ended
when he violated his duty of loyalty to that employer.
However, a recent opinion from the Ninth Circuit in LVRC Holdings, L.L.C. v.
Brekka rejected the Seventh Circuit’s approach and held that authorization is
granted by the employer and, therefore, that authorization ends when the
employer rescinds it. This split in authority raises questions about how broadly or
narrowly the CFAA should be applied—or whether it should be applied at all—in
the context of an employee’s disloyal computer use. (Pollaro, 2010)
Contract-Based Interpretation
This interpretation is much more straight forward than an agency-based approach, but not as
concrete as a code-based approach.
This interpretation requires the computer user to violate a contract before that user’s access
can be found to be unauthorized. This then requires the existence of an explicit or implicit
contract that defines the authorization of a particular user. As such this interpretation is often
used in cases involving internet or website providers where there is a contract or terms of service
(TOS) agreement between the two parties, or in an employment dispute where a case arises
between former employers and employees where there is an employment contract (non-
disclosures for example) or handbook. (Field, 2009)
The Lori Drew case is one of the most notable cases involving the CFAA using a contract-
based interpretation. Aaron Swartz is another but also includes code-based interpretation upon
which charges were filed. Aaron committed suicide before his court date which obviously
prevented these issues from being addressed once more by the courts.
Lori Drew, the Missouri woman accused of creating a fake MySpace profile in order to
“cyberbully” her daughter’s former friend, who, subsequently committed suicide was charged

with felony crimes under the CFAA. The facts of the case are listed by Drew co-counsel
Nicholas Johnson. They are as follows:
In 2005, Megan Meier, then a 13-year-old seventh-grader from Dardenne Prairie,
Missouri, established an on-again, off-again friendship with Lori Drew’s daughter.
Tina Meier, Megan’s mother, described Megan’s transition into seventh grade as
“a mess,” and noted that her daughter was sensitive about her weight and “[tried]
desperately to fit in.” Megan and Lori Drew’s daughter would go on “jags of
companionship,” but eventually ended their friendship. In September 2006,
Megan’s parents allowed her to sign up for a MySpace account, despite the fact
that, at age 13, she was technically too young to have one. And shortly thereafter,
Megan received a friendship request from “Josh Evans,” a muscular, attractive 16
year old boy with blue eyes and wavy brown hair.
What Megan did not know when she readily accepted Josh’s friend request was
that he was a fictional character. Nonetheless, the pair was soon communicating
back and forth. Drew’s pre-trial motions go out of their way to note that the
profile of Josh Evans was open for only 29 days, and for 28 of those 29 days
“nothing negative was communicated.” The government’s indictment reveals
some PG language of the sort one might expect flirtatious eighth-graders to talk
about: Josh allegedly sent a message telling Megan that she was “sexi” [sic], as
well as a separate invitation to touch his “snake.”
However, the relationship between Megan and Josh deteriorated rapidly on
October 16, 2005, when an “insult war” broke out between the two. The
conversation ended “in substance, that the world would be a better place without
[Megan] in it.” Shortly after that argument, Megan committed suicide. The
government alleged in its indictment that Lori Drew learned of Megan Meier’s
suicide that same day, immediately deleted the Josh Evans account, and told one
of her alleged co-conspirators to “keep her mouth shut” about it. (Johnson, 2009)
Drew was charged with three felony counts of “accessing protected computers without
authorization to obtain information” under 18 U.S.C. § 1030(a)(2)(C) and § 1030(c)(B)(ii) of the
Computer Fraud and Abuse Act. (Johnson, 2009)
Counts two through four – accessing a protected computer without authorization under the
CFAA – constitutes the root of the prosecution’s theory of Drew’s liability. Section 1030(a)(2)(C)
prohibits obtaining information from a “protected computer” by means of intentional,
unauthorized access. Use of the MySpace website is governed by its Terms of Use, which
constitute a contract between MySpace and its users. Those Terms of Use requires that users,
inter alia, “provide truthful and accurate registration information” and “refrain from using any
information obtained from MySpace services to harass, abuse, or harm other people.” (Johnson,
2009)

Because Lori Drew’s conduct was in express violation of MySpace’s user contract, Drew
therefore acted either without authorization or in excess of authorized access when she
communicated with Megan Meier through MySpace’s protected servers. (Johnson, 2009)
Professor Kerr adds that the defense argued two main points: TOS does not govern authorization,
and that committing unauthorized access by violating TOS would render the statute void for
vagueness, thus the Act had to be interpreted more narrowly to exclude TOS violations. (Kerr,
2009)
The defense also pointed out that even the cofounder of MySpace, Tom Anderson, violated
the TOS in creating his profile. In late 2007, it was revealed that Anderson’s profile
misrepresented his age in an apparent effort to seem younger. Professor Kerr opines that the
larger point is that no one really treats TOS as if they govern access rights. He states that because
they are written so broadly, most Internet users violate them regularly. Violating the TOS is the
norm, complying with them the exception. Few people bother to read them, much less follow
them. Internet users routinely click through such agreements on the assumption that they are
legal mumbo jumbo that don’t impact what users are allowed to do. As a result, criminalizing
TOS violations would for the most part give the government the ability to arrest anyone who
regularly uses the Internet. Agents could set up a webpage, dontvisithere.gov, announce that no
one could visit the webpage, and then swoop in and arrest anyone who did. (Kerr, 2009)
Judge Wu, presiding over the Drew case, partly agreed with the defense stating that:
It is unclear that every intentional breach of a website’s terms of service would be
or should be held to be equivalent to an intent to access the site without
authorization or in excess of authorization. This is especially the case with
MySpace and similar Internet venues which are publicly available for access and
use. However, if every such breach does qualify, then there is absolutely no
limitation or criteria as to which of the breaches should merit criminal
prosecution. All manner of situations will be covered from the more serious (e.g.
posting child pornography) to the more trivial (e.g. posting a picture of friends
without their permission). All can be prosecuted. Given the “standardless sweep”
that results, federal law enforcement entities would be improperly free “to pursue
their personal predilections.” (Kerr, 2009)
Johnson goes on to further elaborate on the disparity between MySpace being regulated by
code or by contract. To surmise, the MySpace website is a public website regulated by contract,
not a private website regulated by code - you must affirmatively agree to TOS prior to being
allowed access to use the site. It goes on to explain that the username and password
authentication requirement may appear as code-based protection, but it indeed is not. It is
explained as merely a method of access because the username or password system place no
physical controls on access to the site. In the registration process Drew inputs a name and valid
email address and then she, not MySpace, chooses her own username and password to the site
before clicking the “I agree” button for access. Johnson provides the analogy that this is like a

bank allowing customers to mint their own key to the safe when they sign up for a checking
account.
Code-based Interpretation
Code-based interpretation of the Act is fundamentally predispositioned on the functional
operation of a computer. Access thereto would be unauthorized if the code-based protections,
designed to limit a persons use of the computer itself were bypassed. This can occur by using
password crackers, injection attacks, exploits in software or computer protocols, and a host of
other tactics, techniques, and procedures granting access to a computer system the user would
otherwise not be privy to.
The code-based interpretation can be traced back to the earliest CFAA cases involving
authorization questions. For example, United States v. Morris invoked a close analogue to the
code-based interpretation with its "intended function" test. In Morris, the Second Circuit held
that a graduate student violated the CFAA by accessing computers without authorization because
he used email and other programs in a manner not related to their intended function; his use
instead located holes in the programs, giving him a special and unauthorized access route into
other computers. Thus, the intended function test asks whether a user violated the intended
function of a network or program to gain access not intended by the programmer or network
administrator. The test is similar to a code-based interpretation of authorization because violation
of the intended function is often done through technical means, such as by finding holes in
programs, or bypassing passwords or other protection systems. (Field, 2009)
Enter the case of Internet prodigy Aaron Swartz, one of the most prominent Internet activists
of modern times. Much of the discussion of the Swartz case was resultant from Aaron’s suicide.
Arguably so, many postulate his suicide was a result of prosecutorial overreach - a result from
the very vague wording of not only the law, but the criminal triggers which allow one to be
charged under the law. Swartz was facing more than thirty-five years in jail by trial, or six
months in jail by plea bargain. This alone raised eyebrows in the legal community.
There is much to this story about who Aaron was, his intentions and involvement in the Open
Access movement, and his famous “Guerilla Open Access Manifesto”. Aaron had arguably done
more by the age of 26 than many IT Professionals, Internet activists, hackers, or otherwise will
do in their entire lifetimes. If we fast forward through Aaron’s life from being the co-creator of
RSS, one of the co-creators of Reddit, to helping start the Creative Commons, Open Library,
Watchdog.net, Progressive Change Campaign Committee, founder of Demand Progress which
successfully stopped two Internet Censorship bills, SOPA (Stop Online Privacy Act) and PIPA
(Protect IP Act), we then arrive at a point and time where Aaron was chiefly concerned with
access to information - the empirical theme in the Open Access movement. Aaron’s “Guerilla
Open Access Manifesto” sets the tone for the actions that led to his arrest and indictment under
the Act. It reads in full:

Information is power. But like all power, there are those who want to keep it for
themselves. The world’s entire scientific and cultural heritage, published over
centuries in books and journals, is increasingly being digitized and locked up by a
handful of private corporations. Want to read the papers featuring the most
famous results of the sciences? You’ll need to send enormous amounts to
publishers like Reed Elsevier.
There are those struggling to change this. The Open Access Movement has fought
valiantly to ensure that scientists do not sign their copyrights away but instead
ensure their work is published on the Internet, under terms that allow anyone to
access it. But even under the best scenarios, their work will only apply to things
published in the future. Everything up until now will have been lost.
That is too high a price to pay. Forcing academics to pay money to read the work
of their colleagues? Scanning entire libraries but only allowing the folks at
Google to read them? Providing scientific articles to those at elite universities in
the First World, but not to children in the Global South? It’s outrageous and
unacceptable.
“I agree,” many say, “but what can we do? The companies hold the copyrights,
they make enormous amounts of money by charging for access, and it’s perfectly
legal — there’s nothing we can do to stop them.” But there is something we can,
something that’s already being done: we can fight back.
Those with access to these resources — students, librarians, scientists — you have
been given a privilege. You get to feed at this banquet of knowledge while the rest
of the world is locked out. But you need not — indeed, morally, you cannot —
keep this privilege for yourselves. You have a duty to share it with the world. And
you have: trading passwords with colleagues, filling download requests for
friends.
Meanwhile, those who have been locked out are not standing idly by. You have
been sneaking through holes and climbing over fences, liberating the information
locked up by the publishers and sharing them with your friends.
But all of this action goes on in the dark, hidden underground. It’s called stealing
or piracy, as if sharing a wealth of knowledge were the moral equivalent of
plundering a ship and murdering its crew. But sharing isn’t immoral — it’s a
moral imperative. Only those blinded by greed would refuse to let a friend make a
copy.
Large corporations, of course, are blinded by greed. The laws under which they
operate require it — their shareholders would revolt at anything less. And the

politicians they have bought off back them, passing laws giving them the
exclusive power to decide who can make copies.
There is no justice in following unjust laws. It’s time to come into the light and, in
the grand tradition of civil disobedience, declare our opposition to this private
theft of public culture.
We need to take information, wherever it is stored, make our copies and share
them with the world. We need to take stuff that’s out of copyright and add it to the
archive. We need to buy secret databases and put them on the Web. We need to
download scientific journals and upload them to file sharing networks. We need to
fight for Guerrilla Open Access.
With enough of us, around the world, we’ll not just send a strong message
opposing the privatization of knowledge — we’ll make it a thing of the past. Will
you join us?
This, ultimately, led to an incident in building 16 on MIT’s campus. As described by a press
release from the U.S. Attorneys Office in the District of Massachusetts, Aaron Swartz:
was charged in an indictment with wire fraud, computer fraud, unlawfully
obtaining information from a protected computer, and recklessly damaging a
protected computer.
The indictment alleges that between September 24, 2010, and January 6, 2011,
Swartz contrived to break into a restricted computer wiring closet in a basement at
MIT and to access MIT’s network without authorization from a computer switch
within that closet. He is charged with doing this in order to download a major
portion of JSTOR’s archive of digitized academic journal articles onto his
computers and hard drives. JSTOR is a not-for-profit organization that has
invested heavily in providing an online system for archiving, accessing, and
searching digitized copies of over 1,000 academic journals. It is alleged that
Swartz avoided MIT’s and JSTOR’s security efforts in order to distribute a
significant proportion of JSTOR’s archive through one or more file-sharing sites.
The indictment alleges that Swartz’s repeated automatic downloads impaired
JSTOR’s computers, brought down some of its servers, and deprived various
computers at MIT from accessing JSTOR’s research. Even after JSTOR and MIT
worked to block Swartz’s computers, Swartz allegedly returned with new methods
for accessing JSTOR and downloading articles.
The indictment alleges that Swartz exploited MIT’s computer system to steal over
four million articles from JSTOR, even though Swartz was not affiliated with
MIT as a student, faculty member, or employee. In fact, during these events,

Swartz was allegedly a fellow at a Boston-area university, through which he could
have accessed JSTOR’s services and archive for legitimate research.
The press release goes on to note: United States Attorney Carmen M. Ortiz said (in defense
of her actions), “Stealing is stealing whether you use a computer command or a crowbar, and
whether you take documents, data or dollars. It is equally harmful to the victim whether you sell
what you have stolen or give it away.” Professor Lessig quips that this is insulting to both
computers and crowbars, neither of which this particular attorney is able to discern. With respect
to harm done by both, Lessig opines, and rightly so, that computers are sometimes harmful
whereas crowbars are always harmful. This is the essence of the digital divide.
Most pertinent to the Enterprise Information Security Architecture model, a review of the
technical facts is not just warranted, but necessary. Keep in mind, even though Aaron’s actions
were arguably and convincingly part of an effort to free information, he was not charged with
copyright crimes respective to said information, but rather under the Act which considers if one
accessed a computer or system without authorization, or exceeded authorized access of a
computer system.
Alex Stamos, the highly regarded security professional, and expert witness for the defense of
Aaron Swartz conducted a neutral investigation. He reported his findings in a blog post titled
“The Truth about Aaron Swartz’s ‘Crime.’” His findings on the technical facts from the charges
Aaron was indicted on under the Act read:
1. MIT operates an extraordinarily open network. Very few campus networks
offer you a routable public IP address via unauthenticated DHCP and then lack
even basic controls to prevent abuse. Very few captured portals on wired networks
allow registration by any visitor, nor can they be easily bypassed by just assigning
yourself an IP address. In fact, in my 12 years of professional security work I have
never seen a network this open.
2. In the spirit of the MIT ethos, the Institute runs this open, unmonitored and
unrestricted network on purpose. Their head of network security admitted as
much in an interview Aaron’s attorneys and I conducted in December. MIT is
aware of the controls they could put in place to prevent what they consider abuse,
such as downloading too many PDFs from one website or utilizing too much
bandwidth, but they choose not to.
3. MIT also chooses not to prompt users of their wireless network with terms of
use or a definition of abusive practices.
4. At the time of Aaron’s actions, the JSTOR website allowed an unlimited
number of downloads by anybody on MIT’s 18.x Class-A network. The JSTOR
application lacked even the most basic controls to prevent what they might
consider abusive behavior, such as CAPTCHAs triggered on multiple downloads,

requiring accounts for bulk downloads, or even the ability to pop a box and warn
a repeat downloader.
5. Aaron did not “hack” the JSTOR website for all reasonable definitions of
“hack”. Aaron wrote a handful of basic python scripts that first discovered the
URLs of journal articles and then used curl to request them. Aaron did not use
parameter tampering, break a CAPTCHA, or do anything more complicated than
call a basic command line tool that downloads a file in the same manner as right-
clicking and choosing “Save As” from your favorite browser.
6. Aaron did nothing to cover his tracks or hide his activity, as evidenced by his
very verbose .bash_history, his uncleared browser history and lack of any
encryption of the laptop he used to download these files. Changing one’s MAC
address (which the government inaccurately identified as equivalent to a car’s
VIN number) or putting a mailinator email address into a captured portal are not
crimes. If they were, you could arrest half of the people who have ever used
airport wifi.
7. The government provided no evidence that these downloads caused a negative
effect on JSTOR or MIT, except due to silly overreactions such as turning off all
of MIT’s JSTOR access due to downloads from a pretty easily identified user
agent.
8. I cannot speak as to the criminal implications of accessing an unlocked closet
on an open campus, one which was also used to store personal effects by a
homeless man. I would note that trespassing charges were dropped against Aaron
and were not part of the Federal case.
Stamos concludes that:
In short, Aaron Swartz was not the super hacker breathlessly described in the
Government’s indictment and forensic reports, and his actions did not pose a real
danger to JSTOR, MIT or the public. He was an intelligent young man who found
a loophole that would allow him to download a lot of documents quickly. This
loophole was created intentionally by MIT and JSTOR, and was codified
contractually in the piles of paperwork turned over during discovery. If I had
taken the stand as planned and had been asked by the prosecutor whether Aaron’s
actions were “wrong”, I would probably have replied that what Aaron did would
better be described as “inconsiderate”. In the same way it is inconsiderate to write
a check at the supermarket while a dozen people queue up behind you or to check
out every book at the library needed for a History 101 paper. It is inconsiderate to
download lots of files on shared wifi or to spider Wikipedia too quickly, but none
of these actions should lead to a young person being hounded for years and
haunted by the possibility of a 35 year sentence.

Lawrence Lessig also offers unique perspective in a talk at Harvard Law School titled
“‘Aarons Laws’ - Law and Justice in a Digital Age”. Regarding Aaron’s case, Lessig opines this
matter is a different source of restriction regarding access and/or authorization - code vs law.
With the former (code) you break code restrictions through “hacking”, with the later you break
contract restrictions through terms of service violations (law). US v. Nosal clarified that,
“exceeds authorized access” in the CFAA is limited to violations of restrictions on access to
information, and not restrictions on its use.
As Lessig articulates this disparity in his “Cyberlaw geek mode”, consider that a website
owner publishes on a webpage (in html code): <H1> By using this site, you agree not to use the
print screen command</H1>, and say you do in fact go and use the print screen command, you
will have not committed a felony. You have merely violated the terms of service, which in the
case of US v Nosal, the Judge pointed out that a website owner reserves the right to change the
terms of service at any time for any reason. This would result in everyday common Internet
usage subject to felony indictments at virtually any time.
However if the webmaster uses a script - automated code to prevent or disable such a print
screen command, an example provided by Lessig that reads:
function blockError(){
window.location.reload(true);
return true;|
</script>
</head>
<body onload=”setClipBoardData();”>
YOU TRY TO COPY AND PASTE THIS SCREEN AND ALL THE ACTICE
SCREENS
</body>
</html>
And you then hack around this code which enables you to use the print screen command, you
have then committed a felony.
The Nosal case led the prosecutors in Aaron’s case to drop the claim of “exceeded authorized
access” with a superseded indictment. This left the question of if Aaron had “unauthorized
access” to the computer system, or use of MIT’s network. In this instance as Lessig rightly points
out, there is no case of traditional hacking here - also reinforced by Alex Stamos.
The short story to this saga is that when JSTOR implemented code restrictions to deny the
MAC address of Aaron’s computer, and Aaron subsequently spoofed his MAC address - created
a fake MAC address to mask the one included on the network card of his computer - which is
actually common best practice computer security for the protection of computer systems, he was
then alleged to have broken the law in violation of the Act. Unfortunately this precedent was
never able to be settled in court due to the suicide of Aaron Swartz. Aaron’s actions in this case

were not obviously legal, but they were also not obviously illegal according to Lessig. These are
the two critical questions which needed to be addressed, and the inherent vagueness of the Act
built in by Congress is not advantageous to resolving either.
This case raises many contemporary issues regarding the laws of cyberspace, the nature of
cyberspace, and the intent of a company’s network in its role to whether the security posture in
itself is, at the very least, complicit in allowing access to its resources that its policy may intend
to restrict, but its code does not.
Do you ever have unauthorized access, physically or digitally, to a network that it is intended
by its very design to be open to the public - even to the point of wiring closet doors not being
locked? What about the ambiguous nature of “harm” in cyberspace? Is the effect of “hacking”
kinetic or non-kinetic? Does it have a measurable, physical impact or detriment? What would
that even mean? What kind of harm is done, and what of the circumstance where there is no
harm? Does liberating information cause harm, especially in absence of copyright violations?
Lessig surmises in shocking similarity with the progressive elaboration structure found in
both the EA and EISA models that, “The harm in this case is ambiguous, leading the statute to be
ambiguous, meaning the prosecutors have to tie the prosecution to the intent” (of Aaron’s alleged
illegal actions under the Act).
This is the exact structure the EA and EISA models are built around, and in fact, by design
intended to address. Recall that the EA and EISA are designed to provide a singular framework
to address requirements for each line of business in a corporation. Adopting this approach to the
Act, or any law, the EA and EISA models would address these contextual issues across each
subsection, provision, or charge. To a limited extent the basic EA structure is in place with
Congress providing the strategy, the courts establishing precedence thereby declaring the
“business objectives”, and the prosecutors and defenders creating new ways to charge or clear
people of crimes (technical solutions to company problems) according to the judicial precedent
(or within the scope of business goals). This eco system changes of course when Congress
amends the law as it has done several times with the Act, and after careful reading of the detailed
history of the Act, this has been done with striking similarity to an ITIL lifecycle, which is
considered a micro-process within the EISA model itself.
A A R O N S L AW
The larger frustration with this entire ordeal in Aaron’s prosecution was the obliviousness of
the prosecutors. The obliviousness to actions in cyberspace which sometimes cause harm as
opposed to actions in the real world which always cause harm. Prosecutors who can tell the
difference between actions in cyberspace and discern the ambiguity of what harm means in that
environment. Aaron’s law attempts to address just this issue.

Aaron’s law was proposed by Representative Zoe Lofgren that would remove terms of
service violations from the Act and from the Wire Fraud statute. Indeed TOS violations have
been a major point of contestation and confusion throughout the history of the Act. The
difference between what I say you cannot do, and that which I impose upon you, through code or
system security mechanisms, that which you cannot do. This is an issue the EA and EISA model,
if applied, could help address tremendously.
The Electronic Frontier Foundation (EFF) even argues that, while they endorse Aaron’s Law,
it does not go far enough. The EFF proposes reform in three “crucial elements” outlined below:
1. Computer users must not face criminal liability for violating private
agreements, policies, or duties.
Put simply, there should be no criminal penalties for violating the fine print
written by a website or service. Users may face civil liability for violating those
terms, or even criminal liability if they go on to do worse things like destroy data.
But it is dangerous for a private one-sided contract to be enforceable upon
punishment of severe criminal penalties at a prosecutor's whim.
2. If a computer user is allowed to access information, simply doing it in an
innovative way must not be a crime.
As the CFAA is written today, users can expose themselves to criminal liability if
they are authorized to access data, but do so while engaging in commonplace
"circumvention" techniques like changing IP addresses, MAC addresses, or
browser User Agent headers. But these "circumvention" activities can have great
benefits: they can help protect privacy, ensure anonymity, and aid in testing
security. Furthermore, technical barriers are sometimes put into place not to
protect data or computers from intrusion at all. Quite often they are an accidental
result of misconfigured servers or network equipment.
Apart from these accidents, technological barriers increasingly serve purposes far
removed from preventing computer intrusion, such as giving people in one
location a better price than people in another and blocking competitors from
seeing information otherwise available to the general public. EFF's proposal
would clarify that if access to data is already authorized, gaining that access in a
novel or automated way is not a crime.
3. Penalties need to be proportionate to computer crime offenses.
As a general principle, minor violations of the CFAA should be punishable with
minor penalties. As the law is currently written, first-time offenses can be too
easily charged as felonies instead of misdemeanors. Our proposal would fix that.

Furthermore, several sections of the CFAA are redundant with other parts of the
law, which lets prosecutors "double dip" to pursue multiple offenses based on the
same behavior. And the stiff penalties for "repeat" offenses can be used to dole out
harsher punishment for multiple convictions based on the same conduct. Our
proposal would ensure that prosecutors can't count the same actions more than
once to ratchet up the pressure for a plea bargain by threatening a defendant with
decades of jail time.
Indeed whatever balance is struck if any, between Representative Lofgren’s proposal and the
EFF community’s efforts, they must work to enforce a much narrower interpretation of the law,
restore the balance of computer crime away from corporations or overzealous prosecutors, and
address obliviousness plaguing entire legal system. It cannot be clearer or more warranted that
more context is needed under the Act or its subsequent amendments. Further research as to the
effect of the EA or EISA models on effective cyber-lawmaking appears to be a viable solution
deserving genuine consideration and considerable analysis.
Field, K. M. (2009). Agency, Code, or Contract: Determining Employees' Authorization Under
the Computer Fraud and Abuse Act. Michigan Law Review.
Galbraith, C. (2004). Access Denied: Improper Use of the Computer Fraud and Abuse Act to
Control Information on Publicly Accessible Internet Websites. Maryland Law Review.
Johnson, N. R. (2009). “ I Agree” to Criminal Liability: Lori Drew's Prosecution under § 1030
(a)(2)(C) of the Computer Fraud and Abuse Act, and Why Every Internet User Should
Care.
Kerr, O. S. (2009). Vagueness Challenges to the Computer Fraud and Abuse Act. Minnesota Law
Review.
Legal Information Institute. (n.d.). 18 USC § 1030 - Fraud and related activity in connection with
computers. law.cornell.edu. Retrieved April 30, 2013, from http://www.law.cornell.edu/
uscode/text/18/1030

Pollaro, G. (2010). Disloyal Computer Use and the Computer Fraud and Abuse Act: Narrowing
the Scope. Duke Law & Technology Review.

The CFAA and Aarons Law

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (19)

Destaque

Destaque (8)

Semelhante a The CFAA and Aarons Law

Semelhante a The CFAA and Aarons Law (20)

Último

Último (20)

The CFAA and Aarons Law