Counterfeit Access Device and Computer Fraud and Abuse Act of 1984
Counterfeit Access Device and Computer Fraud and Abuse Act of 1984
Ellen S. Podgor
The Counterfeit Access Device and Computer Fraud and Abuse Act (1984, P.L. 98-473, 98 Stat. 2190) was the first piece of federal legislation to focus directly on computer abuses. Enacted on October 12, 1984, it provides federal prosecutors with a specific crime titled, "Fraud and related activity in connection with computers" to prosecute criminal computer activity. The act, which can be found in title 18, section 1030 of the United States Code, initially focused on improper computer access. Because it was extremely limited in the conduct it made criminal, amendments to the statute were forthcoming, including a significant amendment in 1986 that broadened its scope to include other forms of computer abuses, and a 1990 amendment that allowed civil actions to be brought under the statute. Section 1030 now criminalizes seven different types of computer activity. Although Congress has enacted other criminal statutes related to computers since 1984, section 1030 remains the key basis for prosecuting federal computer crimes.
Prior to the act's passage in 1984, federal prosecutors had no specific legislation to prosecute computer crimes. They typically used federal statutes such as the wire fraud statute to reach criminal activity. Congress passed the Counterfeit Access Device and Computer Fraud and Abuse Act to provide a "clearer statement of proscribed activity." In advocating for the passage of this act, the U.S. Department of Justice provided two computer abuse cases that demonstrated the need for legislation in this area. Had these cases not involved telephone calls that crossed state lines, the government maintained that the wire fraud statute could not have been applied, and prosecution of criminal conduct could not have occured. To rectify this problem, the new legislation allowed for prosecution absent an interstate telephone call.
Advocates for the passage of this legislation stressed the significant increase in computer activity. Although the extent of computer crime could not be quantified, a 1984 house report noted that "there is every indication that presently it is a substantial problem and the potential in the future is immense." Specific reference was made to increased activity by "hackers," individuals who could "trespass into both private and public computer systems, sometimes with potentially serious results."
When initially passed in 1984, the Counterfeit Access Device and Computer Fraud and Abuse Act permitted prosecution of three forms of computer activity. It focused primarily on computer use related to:
- Improper accessing of government information protected for national defense or foreign relations,
- improper accessing of certain financial information from financial institutions, and
- improper accessing of information on a government computer.
The legislation required that the criminal conduct affect interstate commerce, and as such, the constitutional basis for this act was found in the U.S. Constitution, Article I, section 8, the Commerce Clause.
Amendments Many commentators criticized the 1984 act for its vague language and limited coverage, and Congress adopted the Computer Fraud and Abuse Act of 1986 to correct these problems. Congress made changes to the statutory language, such as substituting "exceeds authorized access" for "having accessed a computer without authorization ... for purposes to which such authorization does not extend," replacing the term "knowingly" with "intentionally," and removing a specific conspiracy provision from the original 1984 act. The 1986 act also added new forms of criminality, including a criminal provision to punish "thefts of property via computer trespass that occur as part of an intent to defraud." As stated by Representative William J. Hughes, the need for this legislation was based upon expanded technology which allowed improper conduct by "the technologically sophisticated criminal who breaks into computerized data files."
Congress adopted additional amendments in 1988, 1989, and 1990, but all were mostly technical in nature, such as grammatical corrections and additions. The 1994 amendments, however, were more significant, adding a civil provision allowing private individuals to sue for damages and injunctive relief.
There were also amendments made to section 1030 in 1996, 2001, and 2002. For example, in 1996 Congress substituted the words "protected computer" for "Federal interest computer." The definition of these terms was extended in the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act) Act of 2001" to include protected computers located outside the United States. Also in 1996, as part of the National Information Infrastructure Protection Act of 1996 (which, in turn, is Title II of the Economic Espionage Act of 1996), a subsection was added to section 1030 to cover extortion conduct threatening damage to a protected computer.
Section 1030 Congress has significantly expanded section 1030 since the initial passage of the Counterfeit Access Device and Computer Fraud and Abuse Act in 1984. It now includes seven different types of computer related conduct. Where the initial act focused on computer accessing, the modern statute includes other forms of computer crime.
Among the section's seven provisions are electronic espionage and intentional accessing without authorization or exceeding authorization of certain financial information. Section 1030 also prohibits conduct related to browsing in a government computer, theft from protected computers, and causing damage by an improper transmission, trafficking in passwords, and extortion conduct related to a protected computer.
Each of the seven variants of conduct include specific legal terminology setting forth the requirements for a prosecution premised on that section of the statute. Subsection (a)(5) is further divided to include three different levels of intent that can accompany the specified conduct. The penalty provisions vary depending upon the specific act committed and the level of intent.
Court Interpretation Although only a few federal cases interpret the Counterfeit Access Device and Computer Fraud and Abuse Act, three of the decisions are significant and have been important in helping to define the contours of the legislation.
The first federal appellate decision to interpret section 1030, United States v. Morris (1991), resulted from the conduct of a graduate student who placed a "worm" into the Internet not realizing the extent of the damage it might cause. The court was faced with deciding whether the word "intentionally" in the statute referred only to "intentionally accessing" or also required that the defendant "intentionally caused" the damage. Looking to the changes made in the Computer Fraud and Abuse Act from its inception in 1984 to its modifications in 1986, the court concluded it was not necessary for the government to prove the defendant intended to cause the damage.
The court found that the word "intentionally" in the statute only applied to accessing, not damages. Therefore the defendant's conviction for violating the computer statute was upheld. The court also found the defendant had violated the accessing portion of the statute, rejecting the defendant's argument that, at most, he had merely exceeded authorized access. Referring back to the legislative history of the statute, the court stated, "Congress contemplated that individuals with access to some federal interest computers would be subject to liability under the computer fraud provisions for gaining unauthorized access to other federal interest computers."
Another court decision involved an Internal Revenue Service employee who the government charged with wire and computer fraud for allegedly browsing in a government computer. He was accused of using a government computer to obtain personal information on individuals, such as the "tax returns of two individuals involved in the David Duke presidential campaign." In United States v. Czubinski (1997) the court found that the employee had not obtained "anything of value," and there was no violation of the Computer Fraud and Abuse Act. The court stated that "[t]he government failed" to prove the accused "intended anything more than to satisfy idle curiosity."
A third case that provided significant interpretation involves the civil provisions of section 1030. In Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., an employee allegedly used the company computer to transmit secret trade information to a future employer. In a motion seeking the dismissal of this civil action, the defendants argued that the case was not within the computer fraud statute. In rejecting these arguments, the court held that the statute was not limited to "outsiders" and could apply to "insiders" or employees of a company who might be improperly accessing information on a computer. The court also held that the civil provision was not limited to situations where the accessing involved the "national economy." The court stated that the statute "prohibits the obtaining of information from any protected computer if the conduct involved an interstate or foreign communication."
With technological advances and increased computer use, this area is clearly still developing. Future modifications and court interpretations will likely play a crucial role in the advancement of the provisions in the Computer Fraud and Abuse Act.
Baker, Glen D. "Trespassers Will Be Prosecuted: Computer Crime in the 1990s." Computer Law Journal 12, no. 61 (1993).
Best, Reba A. and D. Cheryn Picquet. Computer Law and Software Protection: A Bibliography of Crime, Liability, Abuse and Security, 1984–1992. London: McFarland, 1993.
Buckman, Deborah F. "Validity, Construction, and Application of Computer Fraud and Abuse Act." American Law Reports 174, no. 101 (2001).
Podgor, Ellen S. and Jerold H. Israel. White Collar Crime in a Nutshell, 2nd ed. St. Paul, MN: West, 1997.
Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division of the Department of Justice. <http://www.usdoj.gov/criminal/cybercrime/index.html>.