1.
Codifying the Harm of Cybercrime
Injecting zemiology in the US’ Computer Fraud and Abuse Act (CFAA)
and UK’s Computer Misuse Act (CMA).
Gillian Cafiero1
March, 2015
Abstract
This work is a brief reflection on the ‘ambiguous nature of harms in Cyberspace’2. It seeks to evaluate how
harm is coded in cyber-regulations paying particular attention to the political momentum around the UK’s
Computer Misuse Act (CMA) and the US’s Computer Fraud and Abuse Act (CFAA). Its intention is to inject an
element of zemiology into political discourse and advance a codification of cybercrime that can maximize
cyber-prosecutorial effectiveness and enhance the rule of law through transparency and coherence.
© by Tech and Law Center – www.techandlaw.net 1
1 Gillian is an MSc Criminal Justice Policy student at the London School of Economics and Political Science. She is the Editor of the Technology section of
The Beaver, LSESU's official newspaper, and has experience working for several private and public institutions including the United Nations. Her research is
primarily concerned with issues of data protection and cybersecurity.
2 Lessig, L (2013) Aaron's Laws - Law and Justice in a Digital Age https://www.youtube.com/watch?v=9HAw1i4gOU4

2.
The New Year has been marked by a political de-
sire to reform the rules that govern cyberspace.
Last week, the UK’s government passed the Seri-
ous Crime Act 2015, which amends the existing
Computer Misuse Act 1990 (CMA)3. In January,O-
bama’s Administration, introduced a proposal to
amend the Computer Fraud and Abuse Act
(CFAA)4 . The pace of legislative change is wel-
come because the laws that govern cyberspace
are in dire need of reform. However, are the new
legislations taking us in the right direction?
Following Aaron Swartz’s death in 2013, Laurence
Lessing gave a lecture at Harvard Law School
where he emphasized the need to address the
‘ambiguous nature of harms in Cyberspace’5. By
this, he meant the need to distinguish between the
illegal uses of technology that result in serious
harm and those that do not; in other words, he
was calling for the identification of a taxonomy of
harm in cyberspace.
Classifying different degrees of cybercrime accord-
ing to the harm they cause could be a useful exer-
cise for several reasons, for example: it would spur
law enforcement agencies to target their limited
resources more accurately, and it would
strengthen the rule of law by enhancing the trans-
parency and coherence of legislative measures.
The current legal frameworks, particularly the
CFAA and the CMA do not incentivise a classifica-
tion of harm. The controversial reactions to the
conviction of Barrett Brown- the activist/journalist
who was prosecuted for (amongst other things)
sharing links to hacked information- were a recent
demonstration that there is still a strong disso-
nance between the penalties pursued for ‘cyber-
crimes’ and the level of harm that the public per-
ceives them to have caused6.
The changes in the US and the UK show some
promise of including a taxonomy of harm within
cyber-regulation but they fall short of defining key
parameters of it. Obama’s proposal addresses an
evaluation of the harm caused by cybercrimes in
two ways. The first is by setting standards for the
prosecution of contract-based violations of
computer-system access. The current law on the
subject is contradictive; some circuits7 hold that
violations of terms and conditions fall outside the
scope the of CFAA while others consider all viola-
tions of contractual access rights as a violation of
the statute. The reform criminalises violations of
terms of use but limits liability to instances where:
(a) the individual violates a restriction on a gov-
ernment computer; (b) where an individual obtains
information worth more than $5000 from violation
of access rights; and (c) where the individual vio-
lates the access rights in furtherance of a state or
federal felony8. At face value, these measures are
a valid attempt at restricting the impact of the
CFAA to cases where the breach of contractual
access rights has seriously harmful conse-
quences. However, the wording of the legislation
remains fairly open-ended and exposed to broad,
ell-encompassing, prosecutorial interpretation9.
The second way in which Obama’s proposal ad-
dresses the notion of harm in cyberspace relates
to violations of technological access barriers (in
other words, code-based-hacks).The current
CFAA classifies certain types of technological ac-
cess violations as misdemeanours but others as 5-
year-maximum felonies. The proposed reform
would make all violations of technological access
barriers 3-year-felonies, which could be raised up
to a 10-year-felony if enhancements apply. The
underlying assumption is that all unauthorized vio-
lations of technological barriers cause a significant
enough degree of harm to be considered criminal.
However, it is recognized that some deserve sig-
© by Tech and Law Center – www.techandlaw.net! 2
3 Serious Crimes Act 2015 http://www.legislation.gov.uk/ukpga/2015/9/pdfs/ukpga_20150009_en.pdf
4 Kerr, O. (2015)Obama’s Proposed Changes to the Computer Hacking Statute A Deep Dive
http://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/01/14/obamas-proposed-changes-to-the-computer-hacking-statute-a-deep-dive/
5 Lessig, L. (2013)Aaron's Laws - Law and Justice in a Digital Agehttps://www.youtube.com/watch?v=9HAw1i4gOU4
6 Norton, Q. (2015) We Should All Step Back from Security Journalism: I’ll Go First
https://medium.com/message/we-should-all-step-back-from-security-journalism-e474cd67e2fa
7 United States of America v NosalCr 08-0237 (N.D. Cal, Mar 12, 2013)
8 For a more in depth analysis refer to Orin Kerr’s article
http://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/01/14/obamas-proposed-changes-to-the-computer-hacking-statute-a-deep-dive/
9 ibid

3.
nificantly higher penalties than others.
The contrast between (a) the new limitations im-
posed on the prosecution of contract-based hacks,
and (b) the proposal for the universal criminalisa-
tion of code-based hacks, warrants some consid-
eration. In my view, the distinction between code
based violations and contract based violations is
somewhat abstract. Ultimately both are violations
of words10, be they in a terms and conditions
document or in a code script. Both types of viola-
tions can result in equally grave consequences
and both can have little to no impact. Therefore,
drafting the rules that govern these two types of
access violations in such different waysappears to
be a drive away from a harm-based legislation of
cyberspace.
In the UK, a similar trend is taking place. The Seri-
ous Crimes Act 2015, which was introduced last
week, adds a new clause to the Computer Misuse
Act 1990 (CMA) designed to deal with cybercrimes
that cause ‘serious’ harms. The new section (s.
3ZA) covers “unauthorised acts causing, or creat-
ing risk of, serious damage”. The aggravated of-
fences carry a 14-year maximum prison term,
while in the current CMA offences carry a max-10-
year imprisonment term11. Fundamentally, the at-
tempt to differentiate instances where cyber-
attacks have grave consequences is laudable.
However,the wording of the new section is rather
broad, and risks opening the floodgates for prose-
cutions of all violations of computer systems as
serious offences12.
According to the new legislation a computer crime
is serious, if it causes damage of a material kind.
Damage of “a material kind” is that which affects
“human welfare”, “the environment”, “the
economy”and/or “national security”. Interestingly,
the definition of human welfare in the Act includes
the “disruption of a system of communication”13;
presumably this refers to an assumption that,
where any system of communication is disrupted,
material damage is rendered to human welfare.In
my view, all unauthorized access to computer sys-
tems, regardless of the harm that it causes, could
be considered a “disruption of a system of com-
munication”. This is because any unauthorized
access is a violation, on some level, of what Prof.
Andrew Murray of the LSE calls identity “proxi-
es”14. These proxies, things like user rights, pass-
words or IP addresses, are the foundation of trust
in cyberspace and violating them, by implication, is
a disruption of our prized cyber-communication.
While all system access violations cause “disrup-
tion to a system of communication”, I am not per-
suaded that they all impact “human welfare” in the
way the term is commonly understood. It is my
understanding that, the association of human wel-
fare with any “disruption to a system of communi-
cation” in the Serious Crimes Act, creates a broad-
brush penalty that departs from a nuanced taxon-
omy of the harms that cybercrimes can cause.
Thelegislative reforms undertaken in the US and
the UK fall short of resolving the ambiguity of the
role of harm in cyber-regulation. Perhaps more
importantly though, they start a motion of change
that can be built on to develop a cyber-regulatory
sphere that is attuned to the harms caused by cy-
bercrimes. To do this, the question that we as a
cyber-society need to address is:how can we inject
our cyber-regulatory reforms witha taxonomy of
harm that will deliver a better prosecutorial model?
Several scholars have put forth the notion of a
public interest defence for offences like those out-
lined in the CFAA and the CMA. The lawyers and
academics that promote this concept, like Greg
Callus, create a parallel between violating cyber-
legislation and violating data protection legisla-
tion15. Their arguments are based on the notion
that the violation of both these types of legislation
can lead to the discovery of information that is ul-
timately beneficial to the general public. Where
this is the case, they argue, the violations of cyber-
regulations should be defensible through public
interest in the same way that data protection viola-
tions can be protected.
I think the ground for a public interest defence to
cybercrimes should be handled cautiously. Firstly,
cybercrime usually happens on an international
scale and I am not persuaded that any human-
indeed judges, lawyers and prosecutors- can
overcome the challenges of assessing a universal
“public interest”. Secondly, I am conscious that
prosecutors already face enormous challenges
when trying to investigate cybercrimes that, of-
ten,have serious consequencesfor individuals,
companies or nations. My concern is that including
a public interest defence in the CFAA and the CMA
might discourage investigations into cybercrime
even when serious harm is being incurred. Finally,
I am conscious that the inconsistency with which
the “public interest defence” has been applied in
© by Tech and Law Center – www.techandlaw.net! 3
10 Lessig, L. (2013)Aaron's Laws - Law and Justice in a Digital Age https://www.youtube.com/watch?v=9HAw1i4gOU4
11 Serious Crime Act 2015 http://www.legislation.gov.uk/ukpga/2015/9/pdfs/ukpga_20150009_en.pdf
12 The IT Law Community (2014) Computer Misuse Amendments http://www.scl.org/site.aspx?i=ne37488
13 2(3)(d) Serious Crimes Act 2015 (Part. II) http://www.legislation.gov.uk/ukpga/2015/9/pdfs/ukpga_20150009_en.pdf
14 Murray, D (2013) Information Technology Law. OUP: Oxford. p.390
15 Callus, G. (2012) A Typo in the Constitution http://gregcallus.tumblr.com/post/20539847136/theres-no-public-interest-defence-to-computer

4.
other areas of the law, like data protection, would
be detrimental to rendering cyber-regulation more
transparent and coherent.
While I have yet to understand how a functional
taxonomy of cybercrime harms can be structured, I
am entirely convinced that there is an urgent need
for it to be created. Only once we attempt to map
the degrees of harm in cyberspace will we witness
cyber-prosecutorial resources engaged efficiently,
a strong rule of (cyber)law and a fair distribution of
penalties across cybercrimes. To this end, I urge
you all to consider cyber-harm and share your vi-
sion of it.
© by Tech and Law Center – www.techandlaw.net! 4