Computer Fraud and Abuse Act of 1986


Many years ago, no laws existed to regulate the speed of the revolutionary invention called the "automobile." Likewise, in the early days of computing, no laws existed to regulate the usage of computers. Laws are created to respond to social problems, but, at the early stages of those great inventions, there were no social problems regarding computers that required the creation of laws. In the 1970s and early 1980s, users of business computers were generally operating networked computers in a highly supervised and controlled employment setting. Computer hobbyists and home users were generally limited to computers that were neither as technologically advanced as business computers, nor as interactive or inter-connected with other computers.

By the mid-1980s, however, technological advances brought personal computers into widespread use in homes, high schools, colleges, and businesses. Interconnectivity of computers via telephone lines and modems grew rapidly. Valuable, often confidential, information could now be stored on systems that were increasingly vulnerable to outside interference. The personal computer revolution had reached a stage similar to that achieved by automobiles earlier in the twentieth century: There were now scores of them, they were capable of going fast, and people were starting to speed. Society demanded the creation of rules for the electronic road.

Legislating Computer Activity

The United States Computer Fraud and Abuse Act of 1986 (referred to in this article as the "Act") was an amendment to the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (the "1984 Act"). It was the first comprehensive legislation in the United States to identify and provide for the prosecution of crimes committed through and against computer systems.

The 1984 Act was limited in scope and provided for only three categories of computer-related crime: (1) unauthorized access to and use of certain federal data; (2) unauthorized access to or use of consumer credit-related information; and (3) unauthorized access to a computer used for, or on behalf of, the U.S. government. Thus, the 1984 Act only addressed crimes related to government computers, as well as government data and consumer credit data. Because of its limited scope, the 1984 Act was amended and superseded in 1986. The new Act was the first comprehensive federal legislation regarding computer crimes that affected non-government computers, as well.

Offenses and Penalties

The centerpiece of the Act was the creation of the concept of the "federal interest computer." Under the Commerce Clause of Article 8 of the U.S. Constitution, the government has the right to regulate commerce between or among the several states. The government exercised this power to make it a crime if an unauthorized act occurred with a "federal interest computer," the definition of which includes one of two or more computers not in the same state, even if the computers and data accessed were not owned by, or related to, the government. This means that, for the first time, unauthorized access to virtually any Internet-connected computer could be a federal crime.

It became illegal if someone knowingly or intentionally, and without authorization, attempted to:

  1. Obtain protected information relating to national defense or foreign relations;
  2. Obtain financial information;
  3. Access a government-related computer;
  4. With the intent to defraud, access a federal interest computer and obtain anything of value;
  5. Access a federal interest computer and alter, damage, or destroy information or prevent the authorized use of the computer or information, if the resulting loss is $1,000 or more or if the information relates to medical records;
  6. Traffic in passwords with the intent to defraud.

Penalties for violation of the Act included fines as well as prison terms as long as ten years. Prison terms could more than double for subsequent convictions, which is the result of amendments to the Act as contained in the National Information Infrastructure Protection Act of 1996.

Necessity of the Act

To understand why the Act became necessary, one must study the then-current state of the computer industry. In 1965 Digital Equipment Corporation (DEC) introduced the PDP-8, the first commercially successful "mini-computer," which despite its name was large enough to require its own room and air conditioner. It was marketed to large enterprises, sparking a new era in business computing. In 1977 three mass-market personal computers opened up the consumer market: The Apple II, the Radio Shack TRS-80, and the Commodore PET. These computers were generally affordable but were purchased primarily by hobbyists for games and simple programming activities.

In 1981 IBM Corporation introduced its personal computer, the IBM-PC. Because of IBM's significant size and presence in the marketplace, it was uniquely able to mass-market and mass-produce personal computer hardware and software at a reasonable price. IBM had earned a reputation in the business community for traditional business machines, and other businesses became comfortable following IBM's lead in the new industry. From a technical perspective, and quite importantly, IBM allowed other companies to create products such as software, modems, and printers, that would work with IBM personal computers. This was sometimes called an "open architecture" and thus provided consistent and predictable standards required by the business community. Apple Computer, Inc., by comparison, did not have an open architecture for its computer hardware. By 1986, barely five years after the IBM-PC had been introduced, personal computers were being used for mainstream business purposes, and the computing power that had once been available to large businesses was now accessible to classrooms and homes, as well.

The Act Becomes Law

In the 1980s, because personal computers were so new, knowledge of computer programming techniques was primarily in the hands of people of high school and college age, who were the first to adopt and be formally trained in the new technology. As a result, for the first time, sophisticated computer systems containing sensitive economic, military, and other types of confidential information became uniquely vulnerable to the technological pranks, curiosities, and experiments of relatively young high school and college students. Existing laws were no longer adequate to address the trespassing and theft that could occur with the new technologies: Using a computer, a person could now perform a million crimes in a split-second, take something that is valuable even if it is not tangible, perform the act without actually being there physically or leaving any tangible evidence, and perform the act on any other computer anywhere in the world.

It was time for the U.S. Congress to begin debating the metes and bounds of what would become known as "intellectual property" in the vast new virtual territory called "cyberspace." The result was the U.S. Computer Fraud and Abuse Act of 1986, which continues to provide the foundation for prosecuting those whose actions breach the accepted standards of privacy and security in the world of electronic communication.

The Morris Worm

The first person convicted of violating the Federal Computer Fraud and Abuse Act of 1986 was Robert T. Morris, a Harvard graduate and grad student in Cornell University's computer science Ph.D. program. He was found guilty of distributing an Internet worm. Morris was working on a computer program to demonstrate security flaws on computer networks. On November 2, 1988, he anonymously released a self-replicating computer program, also known as a "worm," onto the Internet from a computer he was authorized to use at the Massachusetts Institute of Technology. The worm was not intended to interfere with normal computer operations. It consisted of two parts: a "probe" and a "corpus." The probe attempted to penetrate computers through flaws in network security systems, and if successful, compiled itself on the host computer and then sent for its corpus.

Despite the precautions Morris tried to build into the worm, which was not intended to cause malicious harm, as many as 6,000 computers (six percent of all computers on the Internet at the time) were infected within hours of the worm's release, causing widespread computer failure. When Morris discovered what was happening, he sent an anonymous message over the Internet instructing programmers how to kill the worm. But the Internet routes were so clogged by his worm's replication that the message did not get through in enough time to be meaningful.

Despite much debate to determine whether Morris intended to cause harm, it was ultimately decided that he intended unauthorized access, and that was enough for a conviction under the Act. Morris was sentenced to three years of probation, fined $10,000 plus the costs of probation, and ordered to perform 400 hours of community service. U.S. Attorney Frederick J. Scullin, Jr. commented: "Among other things, the Morris case should put the would-be hacker on notice that the Department of Justice will seek severe penalties against future computer criminals, whether or not they are motivated by a venal or malicious intent."

see also Association of Computing Machinery; Security.

Gregg R. Zegarelli




The Computer Fraud and Abuse Act of 1986 is the primary federal legislation aimed at curtailing computer crime. It especially applies to interstate crimes that fall under federal jurisdiction. The act was designed to strengthen, expand, and clarify the intentionally narrow Computer Fraud and Abuse Act of 1984. It safeguards sensitive data harbored by government agencies and related organizations, covering nuclear systems, financial institutions, and medical records.

The act forbids interference with any federal-interest computer system or any system that spans across state lines. Obviously, the act assumed greater importance as the Internet, World Wide Web, and e-commerce grew in prominence. The law prohibits the unauthorized access of any computer system and the obtainment of classified government information. More specifically, it specifies three categories of unclassified information: information belonging to a financial institution, credit card issuer, or consumer reporting agency; information from a department or agency of the United States; and information from any computer deemed "protected," or used exclusively by a financial institution, the U.S. government, or used in interstate or foreign commerce or communication. In addition, the act aims to safeguard computer system integrity with specific prohibitions against computer vandalism. This includes the transmission of a virus or similar code intended to cause damage to a computer or system; unauthorized access that causes damage recklessly; or unauthorized access of a computer from which damage results, but where malicious intent may not be present.

For purposes of prosecution, the law focuses its attention on the actual damage done to computer systems and the specific economic losses stemming from an act of computer fraud or abuse. For instance, while possession of a code for a computer virus cannot be prosecuted under the law, the loading of such a virus onto a network would be criminal under the Computer Fraud and Abuse Act. Violators are prosecuted for knowingly or recklessly damaging such systems, and can be punished with prison sentences as long as 20 years and fines reaching as high as $250,000. Prosecutors under the law, however, often face the difficult challenge of proving that the defendant knowingly inflicted the damage, thereby establishing intent.



SEE ALSO: Computer Crime; Fraud, Internet


Computer Fraud and Abuse Act of 1986


The United States Computer Fraud and Abuse Act of 1986 served to define criminal fraud and abuse for computer crimes on the federal level. The act specified a misdemeanor crime for the trafficking and misuse of passwords, and two felony offenses for unauthorized access to federal information systems and private computers deemed to have a "federal interest." The act removed several legal ambiguities that surrounded computer information theft, such as the lack of specific legislation mentioning computers and the scarcity of legal precedent in such cases.

Computer data systems of varying sorts had been used by the United States government since the 1960s. In the early 1980s, the first computers for business and home use were available in the marketplace. This expansion of the computer-owning and software-literate population forced the government to begin finding ways to protect data, either through encryption or protective barrier mechanisms around certain files. With the advent of intranets and computer-to-computer communication through telephone lines, hacking, or the breaking into other computer systems, became more commonplace. In 1981, a computer-savvy 24-year-old named Ian Murphy hacked into several government systems, including the White House switchboard. Murphy used the switchboard to order various products before turning his attention to cracking the codes protecting sensitive military files. Murphy was arrested, but prosecutors did not have the legal recourse to try him for computer crimes, as no such laws existed. Murphy was eventually convicted of theft and knowingly receiving stolen goods.

By 1982, Congress began collecting data on computer crime, and gathering testimony from computer fraud victims. Most of the victims were major corporations that did not want their security breaches and vulnerability to become public knowledge. Not only was it easy for random hackers to crack a system, but corporations could also hack into the data systems of rival companies, engaging in corporate espionage. After five years, Congress introduced the Computer Fraud and Abuse Act of 1986. The bill passed decisively. That same session, the Electronic Communication Privacy Act of 1986 was passed, criminalizing the seizure and interception of digital messages and communication signals.

In January of 1989, Herbert Zinn was the first person to be convicted under the Computer Fraud and Abuse Act. As a teenager, Zinn broke into computer systems at the Department of Defense, wreaking havoc with several hundred files. Zinn was sentenced to nine months in prison and fined; he would possibly have received a harsher judgment if he had been over eighteen years old at the time of the crime.

Since its inception, the Computer Fraud and Abuse Act has weathered changing technology and the development of the Internet. However, computer crime is once again on the rise, and only a fraction of victims report these crimes. Subsequent court proceedings and legislation such as the Computer Abuse Amendments Act of 1994 have provided specific wording criminalizing the promulgation of computer viruses and other damaging code.

