Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The CFAA and Aarons Law


Published on

To understand the significance of the Computer Fraud and Abuse Act, we must consider its history, the use, scope, and function of the Internet at the time of the Act’s inception, and the recurring nature which Congress amended the Act in order to keep up with the advancements of computer and computer-based communications.

We must also consider the evolution of precedence over the course of its history with respect to charges under the Act.

Further, we must address the root cause of the contentious nature of this Act as written, and look to other industry models which can assist in amending the Act according to contemporary use of computers, and the modern Internet.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

The CFAA and Aarons Law

  1. 1. T H E C O M P U T E R F R A U D A N D A B U S E A C T, & ‘ A A R O N ’ S L AW ’I N T R O D U C T I O NTo understand the significance of the Computer Fraud and Abuse Act, we must consider itshistory, the use, scope, and function of the Internet at the time of the Act’s inception, and therecurring nature which Congress amended the Act in order to keep up with the advancements ofcomputer and computer-based communications.We must also consider the evolution of precedence over the course of its history with respectto charges under the Act.Further, we must address the root cause of the contentious nature of this Act as written, andlook to other industry models which can assist in amending the Act according to contemporaryuse of computers, and the modern Internet.T H E C O M P U T E R F R A U D A N D A B U S E A C T O F 1 9 8 4History of the CFAAThe Computer Fraud and Abuse Act of 1984 was originally born as the Counterfeit AccessDevice and Computer Fraud and Abuse Act (Counterfeit Access Device Act) in 1984. The lawwas preempted by an increase in computer crime activity, notably hacking and fraud, which ledCongress to address the nuisance under a single federal statute. Keep in mind that the “Internet”in this time period was not yet public, and only available to certain Defense or other federalagencies, select Universities, and/or government contract corporations.The Counterfeit Access Device Act was extraordinarily narrow in its scope of applicabilitybecause it only addressed “federal interest computers” - generally those owned or operated bythe federal government or financial institutions. However, because the Counterfeit Access DeviceAct only applied to select types of confidential information, it immediately fell subject to harshcriticism from legislators, industry leaders, and law enforcement officials. Additionally, the lawwas deemed too vague and difficult to use. In fact, only one person was ever indicted under the1984 Counterfeit Access Device Act. (Galbraith, 2004)The following sections review, discuss, and even outline how this law has morphed since itsinception, and where appropriate, displays or opines the resultant detriment to the concern ofmany. The last sections outline the current criminal offenses in this continuously expansive law,and also address the constitutional problems that occur when a law expands to such a breadth asa result of its vagueness.Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  2. 2. Computer Fraud and Abuse Act of 1986In response to these unfortunate facts, Congress amended the law in 1986 to become theComputer Fraud and Abuse Act of 1984 (CFAA, otherwise known as the Act). This amendmentclarified the vagueness and added definitions that even today, still cloud the applicability andenforcement of the Act. This amendment to the Act broadened the scope of applicability, andadded three additional types of computer crimes: 1. a computer fraud offense patterned after thefederal mail and wire fraud statutes; 2. an offense for the alteration, damage, or destruction ofinformation contained in a federal interest computer; and 3. an offense for the trafficking ofunauthorized computer passwords in certain circumstances. (Galbraith, 2004) Specifically, the1986 amendment defined “Federal interest computers” as:(A) exclusively for the use of a financial institution or the United StatesGovernment, or, in the case of a computer not exclusively for such use, used by orfor a financial institution or the United States Government and the conductconstituting the offense affects the use of the financial institution’s operation orthe Government’s operation of such computer; or(B) which is one of two or more computers used in committing the offense, not allof which are located in the same State. (Kerr, 2009)The Violent Crime Control and Law Enforcement Act of 1994To close further loopholes by unexpected ‘hacker” activity, as the Internet or its equivalent inthat time grew in popularity, Congress again amended the Act with a more comprehensiveomnibus crime bill entitled The Violent Crime Control and Law Enforcement Act of 1994. Thisamendment extended the Act to include transmission of worms and viruses. (Galbraith,2004)Further, the amendment, specifically known as the Computer Abuse Amendments Act of1994, expanded the computer damage statute applying to computer damage incurredaccidentally, even without negligence. The statute also added a civil provision to allow victims of§ 1030(a)(5) crimes to recover damages against wrongdoers. (Kerr, 2009)Economic Espionage Act of 1996Two years later in 1996 the Act was amended once more, specifically by Title II of the abovetitle, named the National Information Infrastructure Protection Act of 1996. This expanded theAct’s reach to all computers used in interstate commerce - effectively every computer thattouches the Internet in its entirety. Consider this point carefully, and take light of the fact that thistime period is generally considered the birth of the (commercial) Internet.Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  3. 3. This came as a result of extenuating concerns of financial loss due to computer securitybreaches. This amendment is notable in that it acknowledged that computer crime hadsubstantive and adverse economic impacts. The intent of this amendment, consistent with thelegislative history of the Act at this point in history, was to further protect the confidentiality ofcomputer data, as well as the systems upon which the data resided. It also was designed tosafeguard the privacy of information, which the amendment’s sponsors hoped would also helpensure the public’s faith in the security of computer networks. (Galbraith, 2004)To grasp how dramatic this amendment’s expansion was to the Act, Orin S. Kerr, Professor ofLaw at George Washington University School of Law, and pro-bono counsel to Lori Drew,outlines its expansion in three different ways:The first change vastly expanded the scope of § 1030(a)(2), which was originallylimited to unauthorized access that obtained financial records from financialinstitutions, card issuers, or consumer reporting agencies. The 1996 amendmentsexpanded the prohibition dramatically to prohibit unauthorized access thatobtained any information of any kind so long as the conduct involved an interstateor foreign communication.Second, the 1996 amendments added new provisions to the computer damageprohibition, added a new felony enhancement to § 1030(a)(2), and added acomputer extortion statute at § 1030(a)(7). The new computer damage sectionexpanded the list of harm that counted as damage: beyond monetary damage(raised to $5,000 from $1,000) and impairing a medical diagnosis or treatment,the law added causing “physical injury to any person” or “threaten[ing] publichealth or safety” to the list. The felony enhancements to § 1030(a)(2) turned amisdemeanor violation into a felony if the offense was conducted in furtheranceof any crime or tortious act, if it was conducted for purposes of financial gain, orif the value of the information obtained exceeded $5,000.Finally, the 1996 amendments expanded the statute dramatically by replacing thedecade-old category of “Federal interest” computers with the new category of“protected computer.” As enacted in 1996, a protected computer was defined as acomputer:(A) exclusively for the use of a financial institution of the United StatesGovernment, or, in the case of a computer not exclusively for such use, used by orfor a financial institution or the United States Government and the conductconstituting the offense affects that use by or for the financial institution or theGovernment; or(B) which is used in interstate or foreign commerce or communication.Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  4. 4. ... The critical difference between a “Federal interest” computer and a “protectedcomputer” was that the former required computers in two or more states, whilethe latter merely required a machine “used” in interstate commerce.However, the change in the definition changed the scope of the statutedramatically. Because every computer connected to the Internet is used ininterstate commerce or communication, it seems that every computer connected tothe Internet is a “protected computer” covered by 18 U.S.C. § 1030. (Kerr, 2009)The USA Patriot Act of 2001The amendment appears in section 814 of the Act, labeled “Deterrence and Prevention ofCyberterrorism.” The Patriot Act amended the Act in two major ways according to Kerr:The most significant amendment to the scope of § 1030 in the Patriot Act was theexpanded definition of “protected computer” to include computers located outsidethe United States. Specifically, the amendment added those computers “locatedoutside the United States that [are] used in a manner that affects interstate orforeign commerce or communication of the United States.” The amendmenteffectively extended the CFAA to as many foreign computers as the CommerceClause allows.... The Act added damage to any computer “used by or for a government entity infurtherance of the administration of justice, national defense, or national security”to the list of harms that, if caused, trigger the felony computer damage provisionsof § 1030(a)(5). (Kerr, 2009)Identity Theft Enforcement and Restitution Act of 2008Subtitled under the Former Vice President Protection Act, this amendment included moresubtle changes, but changes that have been described to have had a “surprisingly largeimpact.” (Kerr, 2009)Professor Kerr outlines three of the most notable of these subtly described changes.First, the statute once again expanded the scope of § 1030(a)(2) by removing therequirement of an interstate communication. Under the new § 1030(a)(2)(C), anyunauthorized access to any protected computer that retrieves any information ofany kind, interstate or intrastate, is punishable by the statute.Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  5. 5. The statute also once again expanded the reach of § 1030(a)(5), creatingmisdemeanor liability for harms under $5,000 and adding once again to the list offelony triggers—this time, harming ten or more computers, designed to covercases of botnets.The third significant expansion is the most subtle but the most far-reaching. The2008 amendments once again expanded the definition of “protected computer.”Therefore, the present definition includes any computer that is:(A) exclusively for the use of a financial institution or the United StatesGovernment, or, in the case of a computer not exclusively for such use, used by orfor a financial institution or the United States Government and the conductconstituting the offense affects that use by or for the financial institution or theGovernment; or(B) which is used in or affecting interstate or foreign commerce orcommunication, including a computer located outside the United States that isused in a manner that affects interstate or foreign commerce or communication ofthe United States.It is easy to miss the change. Congress added “or affecting” in the first phrase of §1030(e)(2)(B), replacing the definition that included computers “used in interstateor foreign commerce or communication” with computers “used in or affectinginterstate or foreign commerce or communication.”To surmise, this in effect merges the Act with the jurisdiction of the Commerce Clause. Itfurther eludes to how broad the “protected computer” term has become, and applies, to anycomputer that the federal government has power to regulate. This alarms many computer andInternet users, and rightly so - wouldnt any use of the modern Internet be inherently “InterstateCommerce”? Professor Kerr asserts that it is possible that with the aforementioned expansion inthe Act, it is feasible hat a “protected computer” would now simply be considered any, or “acomputer.”Void for Vagueness DoctrineUnder constitutional law, a statute is “void for vagueness” and therefore unenforceable if saidstatute is so vague as to not be understood by the average citizen. It is a mechanism thatencourages clearly defined provisions so that a person can know what is regulated, what isprohibited, and what punishment is resultant from violating the statute. Currently there is widejudicial discretion with respect to what access, authorization, or the excess of either means.Professor Kerr argues that this forces the courts to adopt a narrower interpretation of theaforementioned. He goes on to state:Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  6. 6. The basic argument has two stages. First, courts must adopt a clear theory of whatmakes access unauthorized to provide sufficient notice as to what is prohibited.The interpretation must make clear to potential wrongdoers what is prohibited sothey can do more than merely guess at the meaning of the statute. Second, courtsmust adopt a narrow theory to avoid encouraging discriminatory enforcement.The remarkable breadth of this statute requires courts to adopt a clear and narrowinterpretation of unauthorized access to provide fair warning to individuals and tolimit government discretion.Otherwise the public has no certainty what conduct constitutes “unauthorized access”, forexample. And if there literally is no (judicial) consensus on what is or is not illegal, the law issubsequently unconstitutional, and unenforceable.Current Criminal offenses under the ActCornell University’s Legal Information Institute provides the following current criminaloffenses in the CFAA of 1984 as:(a) Whoever—(1) having knowingly accessed a computer without authorization or exceeding authorizedaccess, and by means of such conduct having obtained information that has been determined bythe United States Government pursuant to an Executive order or statute to require protectionagainst unauthorized disclosure for reasons of national defense or foreign relations, or anyrestricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, withreason to believe that such information so obtained could be used to the injury of the UnitedStates, or to the advantage of any foreign nation willfully communicates, delivers, transmits, orcauses to be communicated, delivered, or transmitted, or attempts to communicate, deliver,transmit or cause to be communicated, delivered, or transmitted the same to any person notentitled to receive it, or willfully retains the same and fails to deliver it to the officer or employeeof the United States entitled to receive it;(2) intentionally accesses a computer without authorization or exceeds authorized access,and thereby obtains—(A) information contained in a financial record of a financial institution, or of a card issueras defined in section 1602 (n) of title 15, or contained in a file of a consumer reporting agencyon a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 etseq.);(B) information from any department or agency of the United States; or(C) information from any protected computer;Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  7. 7. (3) intentionally, without authorization to access any nonpublic computer of a department oragency of the United States, accesses such a computer of that department or agency that isexclusively for the use of the Government of the United States or, in the case of a computer notexclusively for such use, is used by or for the Government of the United States and such conductaffects that use by or for the Government of the United States;(4) knowingly and with intent to defraud, accesses a protected computer withoutauthorization, or exceeds authorized access, and by means of such conduct furthers the intendedfraud and obtains anything of value, unless the object of the fraud and the thing obtainedconsists only of the use of the computer and the value of such use is not more than $5,000 in any1-year period;(5)(A) knowingly causes the transmission of a program, information, code, or command, and asa result of such conduct, intentionally causes damage without authorization, to a protectedcomputer;(B) intentionally accesses a protected computer without authorization, and as a result of suchconduct, recklessly causes damage; or(C) intentionally accesses a protected computer without authorization, and as a result of suchconduct, causes damage and loss.(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any passwordor similar information through which a computer may be accessed without authorization, if—(A) such trafficking affects interstate or foreign commerce; or(B) such computer is used by or for the Government of the United States;(7) with intent to extort from any person any money or other thing of value, transmits ininterstate or foreign commerce any communication containing any—(A) threat to cause damage to a protected computer;(B) threat to obtain information from a protected computer without authorization or in excessof authorization or to impair the confidentiality of information obtained from a protectedcomputer without authorization or by exceeding authorized access; or(C) demand or request for money or other thing of value in relation to damage to a protectedcomputer, where such damage was caused to facilitate the extortion;shall be punished as provided in subsection (c) of this section.Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  8. 8. (b) Whoever conspires to commit or attempts to commit an offense under subsection (a) ofthis section shall be punished as provided in subsection (c) of this section. (Legal InformationInstitute, n.d.)E N T E R P R I S E A R C H I T E C T U R EThe Enterprise Architecture (EA3) Cube model is a framework that establishes a relationshipbetween strategy, business, and technology. It does so over five different areas in the architecture- Goals and Initiatives, Products and Services, Data and Information, Systems and Applications,Networks and Infrastructure - each layer dependent on the one that precedes it. For example, acorporation has an overall strategy of how it fits into any given market, this defines its goals andinitiatives, which then dictates is products and services, which further develops how data andinformation are used, leading to which systems and applications are conducive for enterprise use,which then defines the requirements for the underlying network and infrastructure the enterpriseneeds to operate successfully. This approach is taken across each line of business a corporationhas, depending upon its portfolio diversification. However, this model addresses what tools areused to provide the function(s) the company needs to achieve its business plan. It does notnecessarily consider how to to secure what tools have been identified for use. This is the purposeof the Enterprise Information Security Architecture (EISA) model which aligns well with theEA3 model.As applied in practice, as typically seen in enterprise or corporate IT departments, we muststrive to understand the posture of the IT systems and services which the Act is intended toprotect. We must further strive to understand how a corporate entity qualifies and quantifies itsnetwork posture, security measures, and/or policies to protect itself under the law, but alsoenables its exertion under the Act. The corresponding five EISA layers respective to the EA3model include IS Governance, Operations and Personnel Security, Dataflow and ApplicationDevelopment Security, Systems Security, and Infrastructure and Physical Security.Aligned with the business context in the EA3 model mentioned above, the EISA modelapplies an information security context to the business structure of the corporate entity. Theinformation system governance (business drivers) dictate the operations and personnel security(products and services), which feeds into the dataflow and application development security(data and information), which defines parameters for systems security (systems andapplications), which then define requirements for infrastructure and physical security (networksand infrastructure). This provides a comprehensive and contextual model for enterpriseinformation security, and when compounded with the EA3 approach, is contextually relevant tothe corporation’s business purpose.E N T E R P R I S E I N F O R M AT I O N S E C U R I T Y A R C H I T E C T U R EThomas Jones: Syracuse University School of Information Studies, Spring 2013
  9. 9. Enterprise Information Security Architecture is a framework composed of 5 layers whichinclude Information Security Governance, Operations and Personnel Security, Dataflow andApplication Development Security, Systems Security, and Infrastructure and Physical Security.As in Enterprise Architecture, each of these layers precedes the other which provides anincreasingly contextually defined framework, which can address any company’s security posture,respective to any given market. To understand how this framework does so we must look brieflyat each layer as explained by Dr. Scott Bernard of Syracuse University’s School of InformationStudies.Information Security Governance defines security strategies, policies, standards andguidelines for the enterprise from an organizational viewpoint. This results in various outputssuch as policy statements, access policies, information practices, security lifecycle charts, etc. -obviously not an all-inclusive list but one that provides general direction, and enables lowerlayers of the framework to add further specificity. It is this layer where we see policy formationand evaluation, assurance standards, law and legislation, among other common organizationalpolicies. This is arguably one of the major components of the Act commonly brought underquestion. It is also one of the more frequently contested due to the vagueness Congress has eitherwillingly, or negligently structured into the language of the Act. This issue is discussed further inthis paper under Agency-based and Contract-based interpretations of the Act.The next layer in the framework is Operations and Personnel Security. The purpose of theOperations Security component is to define or dictate the behavioral and operationalrequirements as they relate to access to the company’s IT data, systems, and services. Outputs ofthis layer consider and include Risk Assessment, Authorization Models, Access Control UserRequirements, Business Impact Analysis, and Disaster Recovery & Business ResumptionPlanning.The Personnel Security component extends the aforementioned requirements not to just theprotection of the company’s data, systems, and services, but to or for the protection of itsleadership and employees thus further protecting the company. Expanding further, the purpose ofPersonnel Security is to ensure the enterprise’s personnel are accessing and utilizing itsinformation and technology services safely, securely, and in accordance with their predefinedroles and responsibilities of their job functions, through proper access control plans and detectionof employee anomalous behavior. The resultant outputs of this behavior shares similarities withOperations Security, but focuses further on components such as authentication, role-based accesscontrol, awareness training, desktop security policies, and procedural training. Operations andPersonnel Security are major pillars of the Act revolving around whether a person, employee ornot, accessed a computer “without authorization”, or “exceeded authorized access”. As discussedlater in this paper, this layer of EISA is most strongly correlated with the Code-basedinterpretation, one which some prominent legal scholars argue should be the defaultinterpretation, sometimes compounded with an employment law context.The Information and Dataflow Security layer focuses not on addressing data or accessthereto, but rather information - the meaning of data. More explicitly, the purpose here is toThomas Jones: Syracuse University School of Information Studies, Spring 2013
  10. 10. identify and classify information and data as it moves through the enterprise in order to justifyadequate security controls. The data needs to be valued from a quantitative and qualitative aspectand classified into levels depending on the risks of and to data loss, repudiation, competition, andavailability. This layer is where we begin to see output or processes outlined that are dedicated tothe design of dataflow, categorical treatment or segregation of information, and the logical andassociative access controls to it. In some of the case studies below, we see this layer used inAgency, Contract, and Code-based interpretations.The Application Development Security layer addresses in more specific and technical detail,how the Information and Dataflow Security layer is to be implemented and/or safeguarded. morespecifically, architect the authentication, authorization and accounting (AAA) components intothe applications used in the enterprise; and to enforce the application process flow thru ought theenterprise; and to ingrain security in the systems development lifecycle. The outputs seen, butnot all inclusive to, are design and development, application development security (such assandboxing), application gateways, and application security placement. This layer aligns stronglywith Code-based interpretations of the Act.The next layer is Systems Security. This layer is used to protect or safeguard sensitiveapplications, sometimes resultant from the previous layer of Application Development Security.More concisely the purpose of this layer is to protect sensitive applications running on thesystems and provide granularity of access controls to sensitive resources. Examples of outputsfrom this layer include, but are not limited to, user account management & privileges, certificaterequest management, password stores & management, remote access, authorization models, filesystem hardening procedures, patching, and security repositories. This layer aligns strongly withCode-based interpretations of the Act, central to the intended meaning of “authorization” toaccess a computer.These layers rest upon the final EISA layer of Infrastructure Security. The infrastructure isthe physical medium consisting of (network) appliances which all the preceding layers traverse.This layer must meet and facilitate the holistic totality of security requirements from allpreceding layers, and provide safeguarding against current or future attacks. Outputs typicallyseen from this layer include but are not limited to network segregation or partitioning, VLAN’s,Firewalls, Intrusion Prevention and Detection, Load Balancers, PKI architectures, network,cellular, and telecommunication circuits, VPN’s, and a variety of SSL methods orimplementations. This layer is intriguing because it is in fact a result of the culmination ofrequirements from all the above layers. It also has a unique place in the Aaron Swartz case, andthe spirit of MIT’s open network. This does align most strongly with a Code-Basedinterpretation, and as seen below, ultimately code is law.A P P LY I N G T H E C FA : C A S E S T U D I E SThomas Jones: Syracuse University School of Information Studies, Spring 2013
  11. 11. The application of the CFAA in the courts today has revolved around three distinctapproaches. These approaches result from vague language in the Act of what “authorization”means. More specifically what it means to access a computer “without authorization”, or“exceeds authorized access”. This is especially problematic when, employers bring rogueemployees into court, arguing under the rather (vague) general language in the CFAA, that theemployee was without authorization or exceeded his authorization to access the companycomputer system when he did so to obtain proprietary company information for devious non-business purposes. (Field, 2009)This has led to courts adopting one or more of the following interpretations: Agency-BasedInterpretation, Contract-Based interpretation, and a Code-based interpretation.Agency-Based InterpretationIn an agency-based interpretation, authorization is based on common-law principles. Theemployee-employer relationship imposes “special duties on the part of both the employer and theemployee which are not present in the performance of other types of contracts”. In short theemployee owes a duty to his employer, which requires him to act solely for the benefit of theemployer or company. Moreover, the employee’s authority to act on behalf of the employerterminates when he obtains an interest adverse to the employer - for example if he begins towork for a competitor. Thus applying the aforementioned under the CFAA, an employee’sauthorization is implicitly revoked when he accesses a computer for the purposes that do notfurther his employer’s interests. (Field, 2009)One notable example of this approach is found in International Airport Centers v. Citrin:In 2006, the Seventh Circuit was the first appellate court to wade into the“without authorization” debate that had been ongoing among the district courtsfor more than five years. In International Airport Centers, L.L.C. v. Citrin, thedefendant, was employed by the plaintiff to look for and help acquire real estate.Citrin decided to quit working for International Airport Centers (IAC) and starthis own business. Prior to leaving IAC, Citrin erased all the data on a laptopcomputer provided by IAC, some of which would have shown he had engaged inimproper conduct and none of which IAC had any additional copies. Citrininstalled and used a secure-erase program to do this, which meant that the datawere truly unrecoverable. IAC sued under the CFAAs civil provision, § 1030(g),claiming Citrin had violated § 1030(a)(5)(A)(i), which provides that suchviolation occurs when one “knowingly causes the transmission of a program,information, code, or command, and as a result of such conduct, intentionallycauses damage without authorization, to a protected computer.”Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  12. 12. The court, citing congressional intent that the CFAA should reach internal as wellas external actors, readily settled on a broad definition of what constitutes atransmission. While not quite holding that pressing the delete key constitutes atransmission, the court nevertheless determined that installing the secure-eraseprogram—whether installed remotely or by an actor with direct physical access—constituted a transmission in accordance with the CFAA.37The court next turned to the authorization element of § 1030(a)(5). Here, the courtapplied principles of agency law and determined that Citrins authorization toaccess the laptop computer ended at the moment he violated his employmentcontract by deciding to act contrary to IACs interests, i.e., before he erased thedata on the computers hard drive. That authorization, the court said, was grantedthrough the agency relationship Citrin had with his employer and implicitly endedwhen he violated his duty of loyalty to that employer.However, a recent opinion from the Ninth Circuit in LVRC Holdings, L.L.C. v.Brekka rejected the Seventh Circuit’s approach and held that authorization isgranted by the employer and, therefore, that authorization ends when theemployer rescinds it. This split in authority raises questions about how broadly ornarrowly the CFAA should be applied—or whether it should be applied at all—inthe context of an employee’s disloyal computer use. (Pollaro, 2010)Contract-Based InterpretationThis interpretation is much more straight forward than an agency-based approach, but not asconcrete as a code-based approach.This interpretation requires the computer user to violate a contract before that user’s accesscan be found to be unauthorized. This then requires the existence of an explicit or implicitcontract that defines the authorization of a particular user. As such this interpretation is oftenused in cases involving internet or website providers where there is a contract or terms of service(TOS) agreement between the two parties, or in an employment dispute where a case arisesbetween former employers and employees where there is an employment contract (non-disclosures for example) or handbook. (Field, 2009)The Lori Drew case is one of the most notable cases involving the CFAA using a contract-based interpretation. Aaron Swartz is another but also includes code-based interpretation uponwhich charges were filed. Aaron committed suicide before his court date which obviouslyprevented these issues from being addressed once more by the courts.Lori Drew, the Missouri woman accused of creating a fake MySpace profile in order to“cyberbully” her daughter’s former friend, who, subsequently committed suicide was chargedThomas Jones: Syracuse University School of Information Studies, Spring 2013
  13. 13. with felony crimes under the CFAA. The facts of the case are listed by Drew co-counselNicholas Johnson. They are as follows:In 2005, Megan Meier, then a 13-year-old seventh-grader from Dardenne Prairie,Missouri, established an on-again, off-again friendship with Lori Drew’s daughter.Tina Meier, Megan’s mother, described Megan’s transition into seventh grade as“a mess,” and noted that her daughter was sensitive about her weight and “[tried]desperately to fit in.” Megan and Lori Drew’s daughter would go on “jags ofcompanionship,” but eventually ended their friendship. In September 2006,Megan’s parents allowed her to sign up for a MySpace account, despite the factthat, at age 13, she was technically too young to have one. And shortly thereafter,Megan received a friendship request from “Josh Evans,” a muscular, attractive 16year old boy with blue eyes and wavy brown hair.What Megan did not know when she readily accepted Josh’s friend request wasthat he was a fictional character. Nonetheless, the pair was soon communicatingback and forth. Drew’s pre-trial motions go out of their way to note that theprofile of Josh Evans was open for only 29 days, and for 28 of those 29 days“nothing negative was communicated.” The government’s indictment revealssome PG language of the sort one might expect flirtatious eighth-graders to talkabout: Josh allegedly sent a message telling Megan that she was “sexi” [sic], aswell as a separate invitation to touch his “snake.”However, the relationship between Megan and Josh deteriorated rapidly onOctober 16, 2005, when an “insult war” broke out between the two. Theconversation ended “in substance, that the world would be a better place without[Megan] in it.” Shortly after that argument, Megan committed suicide. Thegovernment alleged in its indictment that Lori Drew learned of Megan Meier’ssuicide that same day, immediately deleted the Josh Evans account, and told oneof her alleged co-conspirators to “keep her mouth shut” about it. (Johnson, 2009)Drew was charged with three felony counts of “accessing protected computers withoutauthorization to obtain information” under 18 U.S.C. § 1030(a)(2)(C) and § 1030(c)(B)(ii) of theComputer Fraud and Abuse Act. (Johnson, 2009)Counts two through four – accessing a protected computer without authorization under theCFAA – constitutes the root of the prosecution’s theory of Drew’s liability. Section 1030(a)(2)(C)prohibits obtaining information from a “protected computer” by means of intentional,unauthorized access. Use of the MySpace website is governed by its Terms of Use, whichconstitute a contract between MySpace and its users. Those Terms of Use requires that users,inter alia, “provide truthful and accurate registration information” and “refrain from using anyinformation obtained from MySpace services to harass, abuse, or harm other people.” (Johnson,2009)Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  14. 14. Because Lori Drew’s conduct was in express violation of MySpace’s user contract, Drewtherefore acted either without authorization or in excess of authorized access when shecommunicated with Megan Meier through MySpace’s protected servers. (Johnson, 2009)Professor Kerr adds that the defense argued two main points: TOS does not govern authorization,and that committing unauthorized access by violating TOS would render the statute void forvagueness, thus the Act had to be interpreted more narrowly to exclude TOS violations. (Kerr,2009)The defense also pointed out that even the cofounder of MySpace, Tom Anderson, violatedthe TOS in creating his profile. In late 2007, it was revealed that Anderson’s profilemisrepresented his age in an apparent effort to seem younger. Professor Kerr opines that thelarger point is that no one really treats TOS as if they govern access rights. He states that becausethey are written so broadly, most Internet users violate them regularly. Violating the TOS is thenorm, complying with them the exception. Few people bother to read them, much less followthem. Internet users routinely click through such agreements on the assumption that they arelegal mumbo jumbo that don’t impact what users are allowed to do. As a result, criminalizingTOS violations would for the most part give the government the ability to arrest anyone whoregularly uses the Internet. Agents could set up a webpage,, announce that noone could visit the webpage, and then swoop in and arrest anyone who did. (Kerr, 2009)Judge Wu, presiding over the Drew case, partly agreed with the defense stating that:It is unclear that every intentional breach of a website’s terms of service would beor should be held to be equivalent to an intent to access the site withoutauthorization or in excess of authorization. This is especially the case withMySpace and similar Internet venues which are publicly available for access anduse. However, if every such breach does qualify, then there is absolutely nolimitation or criteria as to which of the breaches should merit criminalprosecution. All manner of situations will be covered from the more serious (e.g.posting child pornography) to the more trivial (e.g. posting a picture of friendswithout their permission). All can be prosecuted. Given the “standardless sweep”that results, federal law enforcement entities would be improperly free “to pursuetheir personal predilections.” (Kerr, 2009)Johnson goes on to further elaborate on the disparity between MySpace being regulated bycode or by contract. To surmise, the MySpace website is a public website regulated by contract,not a private website regulated by code - you must affirmatively agree to TOS prior to beingallowed access to use the site. It goes on to explain that the username and passwordauthentication requirement may appear as code-based protection, but it indeed is not. It isexplained as merely a method of access because the username or password system place nophysical controls on access to the site. In the registration process Drew inputs a name and validemail address and then she, not MySpace, chooses her own username and password to the sitebefore clicking the “I agree” button for access. Johnson provides the analogy that this is like aThomas Jones: Syracuse University School of Information Studies, Spring 2013
  15. 15. bank allowing customers to mint their own key to the safe when they sign up for a checkingaccount.Code-based InterpretationCode-based interpretation of the Act is fundamentally predispositioned on the functionaloperation of a computer. Access thereto would be unauthorized if the code-based protections,designed to limit a persons use of the computer itself were bypassed. This can occur by usingpassword crackers, injection attacks, exploits in software or computer protocols, and a host ofother tactics, techniques, and procedures granting access to a computer system the user wouldotherwise not be privy to.The code-based interpretation can be traced back to the earliest CFAA cases involvingauthorization questions. For example, United States v. Morris invoked a close analogue to thecode-based interpretation with its "intended function" test. In Morris, the Second Circuit heldthat a graduate student violated the CFAA by accessing computers without authorization becausehe used email and other programs in a manner not related to their intended function; his useinstead located holes in the programs, giving him a special and unauthorized access route intoother computers. Thus, the intended function test asks whether a user violated the intendedfunction of a network or program to gain access not intended by the programmer or networkadministrator. The test is similar to a code-based interpretation of authorization because violationof the intended function is often done through technical means, such as by finding holes inprograms, or bypassing passwords or other protection systems. (Field, 2009)Enter the case of Internet prodigy Aaron Swartz, one of the most prominent Internet activistsof modern times. Much of the discussion of the Swartz case was resultant from Aaron’s suicide.Arguably so, many postulate his suicide was a result of prosecutorial overreach - a result fromthe very vague wording of not only the law, but the criminal triggers which allow one to becharged under the law. Swartz was facing more than thirty-five years in jail by trial, or sixmonths in jail by plea bargain. This alone raised eyebrows in the legal community.There is much to this story about who Aaron was, his intentions and involvement in the OpenAccess movement, and his famous “Guerilla Open Access Manifesto”. Aaron had arguably donemore by the age of 26 than many IT Professionals, Internet activists, hackers, or otherwise willdo in their entire lifetimes. If we fast forward through Aaron’s life from being the co-creator ofRSS, one of the co-creators of Reddit, to helping start the Creative Commons, Open Library,, Progressive Change Campaign Committee, founder of Demand Progress whichsuccessfully stopped two Internet Censorship bills, SOPA (Stop Online Privacy Act) and PIPA(Protect IP Act), we then arrive at a point and time where Aaron was chiefly concerned withaccess to information - the empirical theme in the Open Access movement. Aaron’s “GuerillaOpen Access Manifesto” sets the tone for the actions that led to his arrest and indictment underthe Act. It reads in full:Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  16. 16. Information is power. But like all power, there are those who want to keep it forthemselves. The world’s entire scientific and cultural heritage, published overcenturies in books and journals, is increasingly being digitized and locked up by ahandful of private corporations. Want to read the papers featuring the mostfamous results of the sciences? You’ll need to send enormous amounts topublishers like Reed Elsevier.There are those struggling to change this. The Open Access Movement has foughtvaliantly to ensure that scientists do not sign their copyrights away but insteadensure their work is published on the Internet, under terms that allow anyone toaccess it. But even under the best scenarios, their work will only apply to thingspublished in the future. Everything up until now will have been lost.That is too high a price to pay. Forcing academics to pay money to read the workof their colleagues? Scanning entire libraries but only allowing the folks atGoogle to read them? Providing scientific articles to those at elite universities inthe First World, but not to children in the Global South? It’s outrageous andunacceptable.“I agree,” many say, “but what can we do? The companies hold the copyrights,they make enormous amounts of money by charging for access, and it’s perfectlylegal — there’s nothing we can do to stop them.” But there is something we can,something that’s already being done: we can fight back.Those with access to these resources — students, librarians, scientists — you havebeen given a privilege. You get to feed at this banquet of knowledge while the restof the world is locked out. But you need not — indeed, morally, you cannot —keep this privilege for yourselves. You have a duty to share it with the world. Andyou have: trading passwords with colleagues, filling download requests forfriends.Meanwhile, those who have been locked out are not standing idly by. You havebeen sneaking through holes and climbing over fences, liberating the informationlocked up by the publishers and sharing them with your friends.But all of this action goes on in the dark, hidden underground. It’s called stealingor piracy, as if sharing a wealth of knowledge were the moral equivalent ofplundering a ship and murdering its crew. But sharing isn’t immoral — it’s amoral imperative. Only those blinded by greed would refuse to let a friend make acopy.Large corporations, of course, are blinded by greed. The laws under which theyoperate require it — their shareholders would revolt at anything less. And theThomas Jones: Syracuse University School of Information Studies, Spring 2013
  17. 17. politicians they have bought off back them, passing laws giving them theexclusive power to decide who can make copies.There is no justice in following unjust laws. It’s time to come into the light and, inthe grand tradition of civil disobedience, declare our opposition to this privatetheft of public culture.We need to take information, wherever it is stored, make our copies and sharethem with the world. We need to take stuff that’s out of copyright and add it to thearchive. We need to buy secret databases and put them on the Web. We need todownload scientific journals and upload them to file sharing networks. We need tofight for Guerrilla Open Access.With enough of us, around the world, we’ll not just send a strong messageopposing the privatization of knowledge — we’ll make it a thing of the past. Willyou join us?This, ultimately, led to an incident in building 16 on MIT’s campus. As described by a pressrelease from the U.S. Attorneys Office in the District of Massachusetts, Aaron Swartz:was charged in an indictment with wire fraud, computer fraud, unlawfullyobtaining information from a protected computer, and recklessly damaging aprotected computer.The indictment alleges that between September 24, 2010, and January 6, 2011,Swartz contrived to break into a restricted computer wiring closet in a basement atMIT and to access MIT’s network without authorization from a computer switchwithin that closet. He is charged with doing this in order to download a majorportion of JSTOR’s archive of digitized academic journal articles onto hiscomputers and hard drives. JSTOR is a not-for-profit organization that hasinvested heavily in providing an online system for archiving, accessing, andsearching digitized copies of over 1,000 academic journals. It is alleged thatSwartz avoided MIT’s and JSTOR’s security efforts in order to distribute asignificant proportion of JSTOR’s archive through one or more file-sharing sites.The indictment alleges that Swartz’s repeated automatic downloads impairedJSTOR’s computers, brought down some of its servers, and deprived variouscomputers at MIT from accessing JSTOR’s research. Even after JSTOR and MITworked to block Swartz’s computers, Swartz allegedly returned with new methodsfor accessing JSTOR and downloading articles.The indictment alleges that Swartz exploited MIT’s computer system to steal overfour million articles from JSTOR, even though Swartz was not affiliated withMIT as a student, faculty member, or employee. In fact, during these events,Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  18. 18. Swartz was allegedly a fellow at a Boston-area university, through which he couldhave accessed JSTOR’s services and archive for legitimate research.The press release goes on to note: United States Attorney Carmen M. Ortiz said (in defenseof her actions), “Stealing is stealing whether you use a computer command or a crowbar, andwhether you take documents, data or dollars. It is equally harmful to the victim whether you sellwhat you have stolen or give it away.” Professor Lessig quips that this is insulting to bothcomputers and crowbars, neither of which this particular attorney is able to discern. With respectto harm done by both, Lessig opines, and rightly so, that computers are sometimes harmfulwhereas crowbars are always harmful. This is the essence of the digital divide.Most pertinent to the Enterprise Information Security Architecture model, a review of thetechnical facts is not just warranted, but necessary. Keep in mind, even though Aaron’s actionswere arguably and convincingly part of an effort to free information, he was not charged withcopyright crimes respective to said information, but rather under the Act which considers if oneaccessed a computer or system without authorization, or exceeded authorized access of acomputer system.Alex Stamos, the highly regarded security professional, and expert witness for the defense ofAaron Swartz conducted a neutral investigation. He reported his findings in a blog post titled“The Truth about Aaron Swartz’s ‘Crime.’” His findings on the technical facts from the chargesAaron was indicted on under the Act read:1. MIT operates an extraordinarily open network. Very few campus networksoffer you a routable public IP address via unauthenticated DHCP and then lackeven basic controls to prevent abuse. Very few captured portals on wired networksallow registration by any visitor, nor can they be easily bypassed by just assigningyourself an IP address. In fact, in my 12 years of professional security work I havenever seen a network this open.2. In the spirit of the MIT ethos, the Institute runs this open, unmonitored andunrestricted network on purpose. Their head of network security admitted asmuch in an interview Aaron’s attorneys and I conducted in December. MIT isaware of the controls they could put in place to prevent what they consider abuse,such as downloading too many PDFs from one website or utilizing too muchbandwidth, but they choose not to.3. MIT also chooses not to prompt users of their wireless network with terms ofuse or a definition of abusive practices.4. At the time of Aaron’s actions, the JSTOR website allowed an unlimitednumber of downloads by anybody on MIT’s 18.x Class-A network. The JSTORapplication lacked even the most basic controls to prevent what they mightconsider abusive behavior, such as CAPTCHAs triggered on multiple downloads,Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  19. 19. requiring accounts for bulk downloads, or even the ability to pop a box and warna repeat downloader.5. Aaron did not “hack” the JSTOR website for all reasonable definitions of“hack”. Aaron wrote a handful of basic python scripts that first discovered theURLs of journal articles and then used curl to request them. Aaron did not useparameter tampering, break a CAPTCHA, or do anything more complicated thancall a basic command line tool that downloads a file in the same manner as right-clicking and choosing “Save As” from your favorite browser.6. Aaron did nothing to cover his tracks or hide his activity, as evidenced by hisvery verbose .bash_history, his uncleared browser history and lack of anyencryption of the laptop he used to download these files. Changing one’s MACaddress (which the government inaccurately identified as equivalent to a car’sVIN number) or putting a mailinator email address into a captured portal are notcrimes. If they were, you could arrest half of the people who have ever usedairport wifi.7. The government provided no evidence that these downloads caused a negativeeffect on JSTOR or MIT, except due to silly overreactions such as turning off allof MIT’s JSTOR access due to downloads from a pretty easily identified useragent.8. I cannot speak as to the criminal implications of accessing an unlocked closeton an open campus, one which was also used to store personal effects by ahomeless man. I would note that trespassing charges were dropped against Aaronand were not part of the Federal case.Stamos concludes that:In short, Aaron Swartz was not the super hacker breathlessly described in theGovernment’s indictment and forensic reports, and his actions did not pose a realdanger to JSTOR, MIT or the public. He was an intelligent young man who founda loophole that would allow him to download a lot of documents quickly. Thisloophole was created intentionally by MIT and JSTOR, and was codifiedcontractually in the piles of paperwork turned over during discovery. If I hadtaken the stand as planned and had been asked by the prosecutor whether Aaron’sactions were “wrong”, I would probably have replied that what Aaron did wouldbetter be described as “inconsiderate”. In the same way it is inconsiderate to writea check at the supermarket while a dozen people queue up behind you or to checkout every book at the library needed for a History 101 paper. It is inconsiderate todownload lots of files on shared wifi or to spider Wikipedia too quickly, but noneof these actions should lead to a young person being hounded for years andhaunted by the possibility of a 35 year sentence.Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  20. 20. Lawrence Lessig also offers unique perspective in a talk at Harvard Law School titled“‘Aarons Laws’ - Law and Justice in a Digital Age”. Regarding Aaron’s case, Lessig opines thismatter is a different source of restriction regarding access and/or authorization - code vs law.With the former (code) you break code restrictions through “hacking”, with the later you breakcontract restrictions through terms of service violations (law). US v. Nosal clarified that,“exceeds authorized access” in the CFAA is limited to violations of restrictions on access toinformation, and not restrictions on its use.As Lessig articulates this disparity in his “Cyberlaw geek mode”, consider that a websiteowner publishes on a webpage (in html code): <H1> By using this site, you agree not to use theprint screen command</H1>, and say you do in fact go and use the print screen command, youwill have not committed a felony. You have merely violated the terms of service, which in thecase of US v Nosal, the Judge pointed out that a website owner reserves the right to change theterms of service at any time for any reason. This would result in everyday common Internetusage subject to felony indictments at virtually any time.However if the webmaster uses a script - automated code to prevent or disable such a printscreen command, an example provided by Lessig that reads:function blockError(){window.location.reload(true);return true;|</script></head><body onload=”setClipBoardData();”>YOU TRY TO COPY AND PASTE THIS SCREEN AND ALL THE ACTICESCREENS</body></html>And you then hack around this code which enables you to use the print screen command, youhave then committed a felony.The Nosal case led the prosecutors in Aaron’s case to drop the claim of “exceeded authorizedaccess” with a superseded indictment. This left the question of if Aaron had “unauthorizedaccess” to the computer system, or use of MIT’s network. In this instance as Lessig rightly pointsout, there is no case of traditional hacking here - also reinforced by Alex Stamos.The short story to this saga is that when JSTOR implemented code restrictions to deny theMAC address of Aaron’s computer, and Aaron subsequently spoofed his MAC address - createda fake MAC address to mask the one included on the network card of his computer - which isactually common best practice computer security for the protection of computer systems, he wasthen alleged to have broken the law in violation of the Act. Unfortunately this precedent wasnever able to be settled in court due to the suicide of Aaron Swartz. Aaron’s actions in this caseThomas Jones: Syracuse University School of Information Studies, Spring 2013
  21. 21. were not obviously legal, but they were also not obviously illegal according to Lessig. These arethe two critical questions which needed to be addressed, and the inherent vagueness of the Actbuilt in by Congress is not advantageous to resolving either.This case raises many contemporary issues regarding the laws of cyberspace, the nature ofcyberspace, and the intent of a company’s network in its role to whether the security posture initself is, at the very least, complicit in allowing access to its resources that its policy may intendto restrict, but its code does not.Do you ever have unauthorized access, physically or digitally, to a network that it is intendedby its very design to be open to the public - even to the point of wiring closet doors not beinglocked? What about the ambiguous nature of “harm” in cyberspace? Is the effect of “hacking”kinetic or non-kinetic? Does it have a measurable, physical impact or detriment? What wouldthat even mean? What kind of harm is done, and what of the circumstance where there is noharm? Does liberating information cause harm, especially in absence of copyright violations?Lessig surmises in shocking similarity with the progressive elaboration structure found inboth the EA and EISA models that, “The harm in this case is ambiguous, leading the statute to beambiguous, meaning the prosecutors have to tie the prosecution to the intent” (of Aaron’s allegedillegal actions under the Act).This is the exact structure the EA and EISA models are built around, and in fact, by designintended to address. Recall that the EA and EISA are designed to provide a singular frameworkto address requirements for each line of business in a corporation. Adopting this approach to theAct, or any law, the EA and EISA models would address these contextual issues across eachsubsection, provision, or charge. To a limited extent the basic EA structure is in place withCongress providing the strategy, the courts establishing precedence thereby declaring the“business objectives”, and the prosecutors and defenders creating new ways to charge or clearpeople of crimes (technical solutions to company problems) according to the judicial precedent(or within the scope of business goals). This eco system changes of course when Congressamends the law as it has done several times with the Act, and after careful reading of the detailedhistory of the Act, this has been done with striking similarity to an ITIL lifecycle, which isconsidered a micro-process within the EISA model itself.A A R O N S L AWThe larger frustration with this entire ordeal in Aaron’s prosecution was the obliviousness ofthe prosecutors. The obliviousness to actions in cyberspace which sometimes cause harm asopposed to actions in the real world which always cause harm. Prosecutors who can tell thedifference between actions in cyberspace and discern the ambiguity of what harm means in thatenvironment. Aaron’s law attempts to address just this issue.Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  22. 22. Aaron’s law was proposed by Representative Zoe Lofgren that would remove terms ofservice violations from the Act and from the Wire Fraud statute. Indeed TOS violations havebeen a major point of contestation and confusion throughout the history of the Act. Thedifference between what I say you cannot do, and that which I impose upon you, through code orsystem security mechanisms, that which you cannot do. This is an issue the EA and EISA model,if applied, could help address tremendously.The Electronic Frontier Foundation (EFF) even argues that, while they endorse Aaron’s Law,it does not go far enough. The EFF proposes reform in three “crucial elements” outlined below:1. Computer users must not face criminal liability for violating privateagreements, policies, or duties.Put simply, there should be no criminal penalties for violating the fine printwritten by a website or service. Users may face civil liability for violating thoseterms, or even criminal liability if they go on to do worse things like destroy data.But it is dangerous for a private one-sided contract to be enforceable uponpunishment of severe criminal penalties at a prosecutors whim.2. If a computer user is allowed to access information, simply doing it in aninnovative way must not be a crime.As the CFAA is written today, users can expose themselves to criminal liability ifthey are authorized to access data, but do so while engaging in commonplace"circumvention" techniques like changing IP addresses, MAC addresses, orbrowser User Agent headers. But these "circumvention" activities can have greatbenefits: they can help protect privacy, ensure anonymity, and aid in testingsecurity. Furthermore, technical barriers are sometimes put into place not toprotect data or computers from intrusion at all. Quite often they are an accidentalresult of misconfigured servers or network equipment.Apart from these accidents, technological barriers increasingly serve purposes farremoved from preventing computer intrusion, such as giving people in onelocation a better price than people in another and blocking competitors fromseeing information otherwise available to the general public. EFFs proposalwould clarify that if access to data is already authorized, gaining that access in anovel or automated way is not a crime.3. Penalties need to be proportionate to computer crime offenses.As a general principle, minor violations of the CFAA should be punishable withminor penalties. As the law is currently written, first-time offenses can be tooeasily charged as felonies instead of misdemeanors. Our proposal would fix that.Thomas Jones: Syracuse University School of Information Studies, Spring 2013
  23. 23. Furthermore, several sections of the CFAA are redundant with other parts of thelaw, which lets prosecutors "double dip" to pursue multiple offenses based on thesame behavior. And the stiff penalties for "repeat" offenses can be used to dole outharsher punishment for multiple convictions based on the same conduct. Ourproposal would ensure that prosecutors cant count the same actions more thanonce to ratchet up the pressure for a plea bargain by threatening a defendant withdecades of jail time.Indeed whatever balance is struck if any, between Representative Lofgren’s proposal and theEFF community’s efforts, they must work to enforce a much narrower interpretation of the law,restore the balance of computer crime away from corporations or overzealous prosecutors, andaddress obliviousness plaguing entire legal system. It cannot be clearer or more warranted thatmore context is needed under the Act or its subsequent amendments. Further research as to theeffect of the EA or EISA models on effective cyber-lawmaking appears to be a viable solutiondeserving genuine consideration and considerable analysis.Field, K. M. (2009). Agency, Code, or Contract: Determining Employees Authorization Underthe Computer Fraud and Abuse Act. Michigan Law Review.Galbraith, C. (2004). Access Denied: Improper Use of the Computer Fraud and Abuse Act toControl Information on Publicly Accessible Internet Websites. Maryland Law Review.Johnson, N. R. (2009). “ I Agree” to Criminal Liability: Lori Drews Prosecution under § 1030(a)(2)(C) of the Computer Fraud and Abuse Act, and Why Every Internet User ShouldCare.Kerr, O. S. (2009). Vagueness Challenges to the Computer Fraud and Abuse Act. Minnesota LawReview.Legal Information Institute. (n.d.). 18 USC § 1030 - Fraud and related activity in connection withcomputers. Retrieved April 30, 2013, from Jones: Syracuse University School of Information Studies, Spring 2013
  24. 24. Pollaro, G. (2010). Disloyal Computer Use and the Computer Fraud and Abuse Act: Narrowingthe Scope. Duke Law & Technology Review.Thomas Jones: Syracuse University School of Information Studies, Spring 2013