Kasad 1

Dallas Kasad
Professor Fisher
ENG123
13 September 2015
The Effects of the Computer Fraud and Abuse Act on Mass Incarceration
An Annotated Bibliography
Chung, Cyrus Y. "The Computer Fraud And Abuse Act: How Computer Science Can Help With
The Problem Of Overbreadth." Harvard Journal Of Law & Technology 24.1 (2010): 233256. Academic Search Premier. Web. 13 Sept. 2015.
Chung in the beginning brings up the case with Lori Drew and the various
theories for interpreting the Computer Fraud and Abuse Act (CFAA), all information that
was given by other articles. At his third point, The Code-Based Theory of
Interpretation, Chung gives a technical, computer-savvy answer to the question, How do
you interpret the CFAA? The Code-Based theory was proposed by Professor Orin Kerr
who saw the flaw of the Agency interpretation as encompassing anything that was not
work-related on an employers computer as a crime and contract as too much power in
the hands of the private actors to determine liability. It encourages the user to protect
their own privacy by their means instead of by contract, emphasizes that a fraudulent
work-around should be considered a criminal activity and that criminalizing the
circumvention of code-based restrictions is more justifiable and finally that the codebased theory avoids constitutional issues and vagueness of current laws.

Kasad 2

"Computer Fraud And Abuse Act Reform." Electronic Frontier Foundation. N.p., n.d. Web. 13
September 2015.
This article explains the details of the Computer Fraud and Abuse Act (CFAA),
and further changes ushered in by the death of Aaron Swartz called Aarons Law. The
federal act makes accessing another computer in a way than it is otherwise intended
illegal, gives a disputable explanation for what without authorization or exceeds
authorized access means, leaving the law open to interpretation by the courts. The
broadness of the CFAA coupled with the substantial penalties, such as up to five years in
prison for the first offense and ten for repeat offenses plus fines. Aarons Law seeks to
eliminate prison time for simply violating a Terms of Service contract, protect those
who access already accessible data in a new method or fashion, and most important of all
make sure the punishment fits the crime. The grounds in which it makes these claims is
that it hinders various Cyber-security firms, and white-hat hackers from doing their
jobs, it does not allow innovations like we are used to today (GPS, social networking,
etc.), and suggests that efforts in anonymity and personal privacy should not be
considered federal crimes.
Galicki, Alexander, Drew Havens, and Alden Pelker. "Computer Crimes." American Criminal
Law Review 51.4 (2014): 875-922. Academic Search Premier. Web. 13 Sept. 2015.
Galicki in this article initially takes the view of the Department of Justices view
of what constitutes a computer crime: any violations of criminal law that involves a
knowledge of computer science. He then goes into detail about the various weapons
anyone can use maliciously on the internet from spam responsible for 97% of all emails sent in 2009, to logic bombs which are malicious programs set to go off at a

Kasad 3

specific time or event. The next issue Galicki poses is the Constitutional problems that
arise between the First and Fourth amendments when trying to charge cybercrimes. Since
the internet is mostly speech, how does the court address the First Amendment during a
cybercrime case? The Fourth Amendment protects the people from unreasonable searches
and seizures, but does a search and seizure happen without invading the individuals
privacy located somewhere else on the computer in question?
Galicki then brings the point to the table concerning child pornography and how
are the people that take part in it now be brought to justice? To this question Galicki
brings up the details of the Communications Decency Act of 1996, the Child
Pornography Prevention Act of 1996, and the Computer Fraud and Abuse Act in working
together, but recognizes the vagueness of the CFAA in enforcing the prohibition of
cybercrimes as the issue. Towards the end of his article he goes into detail about what is
being done world-wide to solve the problems mentioned in the article, the Council of
Europes Treaty on Cybercrime. While we are dealing with a problem on American soil,
it will not hold any ground if other countries are not compliant, as the internet is bigger
than America. The Treaty enforced the need to establish laws against cybercrime, ensure
that law enforcement has all they need to prosecute and that each country under the treaty
needs to cooperate with each other.
Hanna, Paul, and Matthew Leal. "The Computer Fraud And Abuse Act: An Attractive But Risky
Alternative To Texas Trade Secret Law." St. Mary's Law Journal 45.3 (2014): 491-534.
Academic Search Premier. Web. 12 September 2015.
Mr. Hanna uses the Computer Fraud and Abuse Act (CFAA) as a supplement to
the Uniform Trade Secret Act and attempts to unbiasedly explain the pros and cons of

Kasad 4

using the CFAA as a usable alternative to the example of Texas Laws referring to the Act.
It further describes the problem the CFAA poses over the definition of unauthorized
access and how far is too far for an employee of a company. He describes a trade secret
as any information that one could not have learned on their own that gets money for those
ideas or training. This focuses on information that the company gives their employees to
do their jobs and grow the company such as clients, formulas or any specific business
models or techniques unique to the employer. It needs to be proven that something is a
trade secret, that the ex-employee breached a confidentiality contract, that he employee
used the mentioned trade secret for a benefit outside of the business, and then the
damages of this action need to be assessed before a charge can be formed. The CFAA
reliance would not require proving these things for it to be a trade secret. The growing
want by, in this article, Texas businessmen and litigators to rely on the CFAA builds the
argument.
Jakopchek, Kevin. "Obtaining" The Right Result: A Novel Interpretation Of The Computer Fraud
And Abuse Act That Provides Liability For Insider Theft Without Overbreadth." Journal
Of Criminal Law & Criminology 104.3 (2014): 605-633. Academic Search Premier. Web.
12 September 2015.
Jakopchek takes the positive approach to the Computer Fraud and Abuse Act
(CFAA), but points out its flaws that make it hard for interpretation. Through the broad
interpretation, there are two theories that deal directly with the issue: the Agency
Theory and the Contract Theory. The agency theory, through International Airport
Centers, L.L.C. v. Citrin, speaks of a loyalty an employee has to their employer. When
the employee becomes destructive or works in countering the loyalty to their employer,

Kasad 5

then, in the case for cybercrimes, they are considered to not have the proper authorization
and they can be brought up on charges concerning the CFAA. The contract theory, as is
seen in the case EF Cultural Travel v. Explorica Inc., the employee made an effort in
communicating sensitive information to the employers competitor against the contract
signed upon acceptance into the job. This is an obvious breach and demonstration that the
employee did not have authorization to give that information.
With the broad interpretation, there is a narrow interpretation. In LVRC Holdings
LLC v. Brekka the question becomes no longer the use of the information, but if the
employee has access to the information in the first place. The current employee took
information from the business to then use in competition with the business.
The original reason for the CFAA was the growing threat of the theft of digital
information and the many personas it can take. For this reason it should be extended to
cover only the acquisition of stolen information. The act came into effect in 1984 to
protect the information stored on government computers. Throughout the years it has
been changed as technology grows and the need for change arises, but it should still be
used to protect sensitive information.
Murray, Ryan Patrick. Myspace-ing is Not a Crime: Why Breaching Terms of Service
Agreements Should Not Implicate the Computer Fraud and Abuse Act. Loyola of Los
Angeles Entertainment Law Review (2009). Web. 13 September 2015.
Critical Article. The article displays the case United States v. Drew. Megan Meier
was a 13 year old, who under her parents discretion was allowed to talk to a Josh
Evans who was really the mother of her friend down the street, Lori Drew. Mrs. Drew,
under her false username, then began cyber-bullying young Megan, which then led to

Kasad 6

her suicide moments after. The public was enraged by this and looked to the government
to prosecute. The U.S. Attorney then looked to Mrs. Drews violation of Myspaces
Terms of Service section that prohibits the creation of a false identity. Based on this
very minimal clause to a seemingly useless contract, the court was then allowed to
prosecute under the CFAA. While the terrible circumstances that caused the death of
Megan Meier were more than enough reason to pursue prosecution, the way in which it
was handled now makes millions of people guilty under the CFAA. The view of the act is
extremely broad, pertaining to any protected computer which is defined as a computer
used for interstate commerce or communication; any computer connected to the internet.
The realization of what this court case means for the nation is scary, that anyone who
oversteps a simple, un-read term that was agreed upon at the initiation of an account to
any certain website, can now end in up to 5 years in prison for the first offense.
Sauter, Molly. "Online Activism and Why the Computer Fraud and Abuse Act Must Die." Boing
Boing. N.p., 26 Sept. 2014. Web. 13 Sept. 2015.
In what could be seen as a radical article, strongly against the Computer Fraud
and Abuse Act (CFAA), Sauter goes on an educated rant about the problems of the act
and singles out the United States as one of the few countries that will not acknowledge
the validity of Distributed Denial of Service (DDoS) attacks as simple a internet
equivalent of a protest. She speaks of the harsh punishments had by DDoS actions made
against something that is protested physically. Sauter goes on to give examples of typical
charges that seem far worse that receive less punishment than what the court considers
cybercrimes. For example resisting arrest can lead to a two and one-half year sentence
and up to a $500 fine, Operation Payback in a DDoS strike against PayPal, fourteen

Kasad 7

individuals received two felony counts which could have resulted in 15 years in prison
and up to $500,000 in fines. One of these individuals was a minor. She proceeds to
demonstrate the differences of what the government is allowed to do and what the people
are allowed to do as a means of justifying her argument.
Skibell, Reid. "Cybercrimes & Misdemeanors: A Reevaluation of the Computer Fraud and Abuse
Act." Berkeley Technology Law Journal 18.3 (2003): 909-44. JSTOR. Web. 13 September
2015.
This talks about the history of the Computer Fraud and Abuse Act (CFAA) and
displays its blurred lines in terms easier understood. It talks about Script-monkeys are
those that receive (download) malicious software to deface a website, gain access into a
website or cause a limited amount of problems. While the problems can range from minor
to major, the monkey has a very limited knowledge of computer code. A Hacker is
someone who is more knowledgeable of computer code, and actively interacts with it to
gain access to places the populace are not allowed to go on the internet, to which they
tend to take for themselves proof that they did it as simply a trophy. They do not seek to
cash in their newly found information. A Cracker is basically a hacker that cashes in.
They use their knowledge to further their finances and for personal wealth. It goes into
detail about how under the CFAA all of these individuals are subject to the same
treatment. The article parallels two different cases that show how the times have changed,
how any of the three types of cybercriminal are subject to the same charges and how the
business in the end has the say if an individual is breaking the law according to the
CFAA. The 1990 case The United States v. Riggs Craig Neirdorf was charged with
causing $80,000 worth of harm in releasing information sensitive to AT&T to the public

Kasad 8

via a website. Charges were dropped as more sensitive information could be received at
the time from the company by simply paying a $13 fee. The parallel is the case of Kevin
Mitnick, who broke into the company Sun Microsystems and downloaded their new
operating system software, as a trophy. He plead guilty so the CFAA was not a direct
weapon, but still served a harsh penalty as Sun Microsystems stated they paid $80 million
to build the operating system, to which they sold for $100 a copy shortly after the breach.
Wellborn, Paul F. "Undercover Teachers" Beware: How That Fake Profile On Facebook Could
Land You In The Pokey." Mercer Law Review 63.2 (2012): 697-713. Academic Search
Premier. Web. 13 Sept. 2015.
Wellborn in this article give another instance similar to the Lori Drew incident,
where teachers are finding out about the lives of their students through fake accounts on
social networking websites. The article warns teachers that they could be subject to
prison time if they are caught in the act of doing this. It describes the scenario of a mother
in Tennessee posting on her Facebook about the mess her sons leave in their rooms each
weekend, which led to the school receiving information that the students were not living
up to their district residency requirements. This article shows the distinct blurring of the
line between cybercrime and invasion of privacy. With incidents like the mother and her
sons or the Lori Drew issue, the court is developing a rational for solving these cases that
is a scary route for them to follow. There needs to be reform before the issue gets out of
hand.
Xiang, Li. "Hacktivism And The First Amendment: Drawing The Line Between Cyber Protests
And Crime." Harvard Journal Of Law & Technology 27.1 (2013): 301-330. Academic
Search Premier. Web. 13 Sept. 2015.

Kasad 9

Xiang gives a very interesting viewpoint in this article concerning the growth of
various internet activist groups, or hacktivists. While under the Computer Fraud and
Abuse Act (CFAA), anyone who tampers with anything in a way that it is not designed
can be charged with fraud and sentenced to prison and subject to massive fines. Xiang
brings up the use of internet in the average American day, and how it has become an
essential part of American life. She states that with this new way-of-life there will be the
want to protest and a right under the First Amendment to protest. The question is then
brought up, How do the various forms of protest appear online? She gives lists of
Online individuals who, at the transgressive stage, would all be charged with identical
charges under the CFAA and serve harsher penalties than their Offline counterparts
(Boycotts, Sit-ins, Barricades, etc.).
The article has a focus on the loosely-associated hacktivist group Anonymous
who have their marks in history based on their actions following the prosecutorial
overreach in the case of Aaron Swartz, and the planned picketing of the Westboro
Baptist Church. The group in this article is focused on their petition that was submitted to
the White House entitled We the People that asks for recognition that distributed
denial-of-service (DDoS) attacks are a valid form of protesting, which would be
protected under the First Amendment.