Kasad 1

Dallas Kasad
Professor Fisher
ENG123, Intermediate Composition
18 October 2015
The Computer Fraud and Abuse Act: Imprisoning the Masses
The threat of the Information age is not identity theft, hackers bringing down the
government or losing your bank account to some greedy hacker. In 1986, Congress was
concerned that major information could leak and they would have no way of prosecuting those
at fault after they were caught. The downfall is that these laws can be used to imprison any
individual who uses the internet, even if it is just to update your Facebook status. Todays laws
that are used to charge cybercrimes are too broad and in most cases the punishment does not fit
the crime. The Computer Fraud and Abuse Act was originally born to make cybercrimes
punishable, but has become a power-hungry piece of legislation responsible for punishing
average Americans with charges the top-notch cybercriminal would receive. With the threat of
everyday people serving massive amounts of jail time, paying huge fines and losing any chance
at a normal life again, there is a need for reform. Through the Code-Based Theory of
Interpretation as proposed by Dr. Orin Kerr, with reinforcement of the reform Aarons Law
proposed after the death of Aaron Swartz, will stop the tyrannical snowball that is gaining speed
in the digital age.
The history of the Computer Fraud and Abuse Act goes back to 1984 when Congress
made the realization that the Information Age they were in at that time allowed for the data on
their computers to be easily copied, tampered with or even erased (Skibell). This left the

Kasad 2

government with an uneasy feeling that they had no means to prosecute the individuals
committing these crimes. This is the reason for the heavy government focus in the early stages of
the act. By 1986 the CFAA was enacted. Every few years as technology improved, the act
became broader (Mayer). By 1994, civil action was added to allow for incarceration of the
individuals responsible for committing various cybercrimes (Mayer). Two years later in 1996, it
was no longer just government computers, but now any computers that worked as a third party
in government affairs and foreign trade and the words intent to use were removed from the
taking classified information offense (Mayer). Removing this clause meant that there was no
need to prove in court that whoever stole the information meant to use it in any certain way;
hackers collecting trophies now received identical punishment to those guilty of espionage.
It slowly built up over the years to encompass large penalties for the crimes committed,
classifying anyone who tampered or took classified information as a terrorist, finally in 2008,
broadening the scope to any private protected computer system in the United States (Mayer).
Basically protected computer means any computer connected to the internet on U.S. soil. From
personal computers to PDAs and from tablet computers to cellphones, no longer is anyone
exempt from the laws.
Lets say you are simply making a false account on one of the popular social networking
websites such as Twitter or Facebook to keep an eye on your daughter or son. Upon viewing
their digital-life that you are kept away from, you find out that your under-aged child has been
talking to someone much older than them on a daily basis and the eerie comment comes up
which suggests a meeting in person. Realizing that you know this individual, any parent would
be quick to confronting them in a very stern manner which might result in a swift right-hook (as
a father of two beautiful daughters, I understand the feeling). On the first offense, a punch will

Kasad 3

rarely send an individual to prison, but there is another issue here that could lock the parent up.
Simply because the parent violated the terms of service they scrolled past, as we all do, to
create a fake account they are now in violation of the CFAA. According to most websites, the
terms of service are the conditions for receiving access to the social networks protected
computers. Through a massive technicality, this means that violating the no fake username
clause in the terms of service could be translated as a violation of the CFAA. The first offense
under the CFAA, is up to 5-years in prison and a hefty fine. For taking five minutes to make an
account?
In the similar case of the United States v. Drew, Lori Drew violated that exact clause in
Myspaces terms of service. In the case, Lori Drew posed as a boy named Josh Evans, who the
parents of 13 year old Megan Meier allowed her to talk to after viewing his profile (Murray).
After some time, while they were acquainted through the messaging system, Megan was subject
to cyber-bullying by Mrs. Drew. The emotions the bullying caused led Megan to the shocking
outcome of committing suicide. The parents as well as the community were heartbroken and
enraged, seeking prosecution once they found out who Josh Evans actually was (Murray). The
case was very hard to try, but the only thing they could convict Mrs. Drew of was violating the
CFAA because she violated the contract she agreed upon in the Myspace terms of service
(Murray). The court case itself was flimsy and the judge dismissed the four felony counts that
Mrs. Drew was being charged with and instead she was found guilty on three misdemeanor
counts under the CFAA.
While Mrs. Drew was not found guilty and sent off to prison, she did in fact receive light
criminal charges for simply violating a meaningless contract on some website. In this case the
waters were tested by the desperation of the attorney to prosecute. Mrs. Drew was indeed wrong

Kasad 4

and should have answered for her actions, but this sentencing has nothing to do with the death of
Megan Meier. The problem lies with taking the route of the Computer Fraud and Abuse Act to
insure that the appropriate punishment can happen. If one court case successfully charges
someone under the law, there would be 1,000s more cases the next day claiming the same thing,
thus leading to more people getting sent off to prison on outrageous charges.
Looking at the various theories of interpretation as explained by Mr. Kevin Jakopchek,
who at the time was a student at the Northwestern University School of Law, we see how broad
the CFAA can be evaluated by the courts. The primary focus of his arguments are in the work
environment and cases of employer vs. employee such as International Airport Centers, L.L.C. v.
Citrin. The case spoke of an employee who had access to a computer that was property of the
company and for whatever reason, erased the data on the computer (Jakopchek). This was a
breach of the employees loyalty to the company and because a computer was involved, the
CFAA came into play and the employee was charged based on the breach of loyalty, not the
action (Jakopchek). This is called the Agency Theory of Interpretation, as the focus is on the
loyalty to the agency. The problem with this theory is that the company or agency now has the
power to say what is legal or illegal.
A similar case is EF Cultural Travel v. Explorica Inc. where there was a contract that kept
both companies in check so they would not divulge sensitive information (Jakopchek).
However, an employee decided to sell information that they received electronically from the
other company which was a breach of the contract, making for a simple case but without a
distinction of what information is learned by the employee to do their job and what is sensitive to
the company (Jakopchek). This is called the Contract Theory of Interpretation as a contract is
set in place before the interaction occurs. The major issue with this is that it is impossible to plan

Kasad 5

for everything that could happen as well as the line dividing guilty (purposely breaching the
contract) from not-guilty (sharing information learned to complete the job) is very fine.
The answer to that theory is the Narrow Theory of Interpretation that Jakopchek offers
with LVRC Holdings LLC v. Brekka. The employer went after the ex-employee for taking the
information the employee learned to complete their job and used it to start their own company in
competition with the employer while they still had access to their old work email (Jakopchek).
This opened a figurative can-of-worms allowing employers to press charges on ex-employees
based on the information they learned while on the job. The threat of this theory is that if we
cannot take the information we learn from one job and apply it to another, how can we progress
as a society?
Jakopchek demonstrates that there is a vast problem with the CFAA in that it is still open
for various forms of interpretation. This allows for nearly anyone who is currently or has held a
job involving a computer to now be in dangerous territory for violating the laws set in place and
they can receive major punishment for their seemingly harmless actions. Based on the narrow
interpretation the court is getting dangerously close to sentencing people to jail time based on the
knowledge that they have gained through life. If they are allowed to sentence us to jail for the
digital knowledge we gain, who is safe?
The case that changed some of the ways the CFAA works, is the major case of the United
States v. Swartz. The outline of the case is that Aaron Swartz, who was admired by the creator of
the internet himself Sir Tim Berners-Lee, was wildly convicted of a simple security breach while
on the campus of Massachusetts Institute of Technology or MIT. Mr. Swartz was a modernday prodigy. At the age of 14, he wrote a line of computer code that changed the face of the
internet forever, called RSS and at 19 he helped create the international social news site Reddit

Kasad 6

(Schwartz). Alongside of these great accomplishments, Aaron Swartz was an early example of an
Internet Activist or Hacktivist. He believed that information on the internet should be free to
anyone who can access it so that humanity can combine their efforts to advance as a group as he
authored in his Guerilla Open Access Manifesto (Swartz).
Mr. Swartz at the time of his arrest, was a Research Fellow at Harvard University
(Seidman). With his position he was granted access to various databases, one of which was the
JSTOR database, responsible for storing millions of academic journals, articles, e-books
(electronic books) and just about any information you could find at your local library multiplied
exponentially. Aaron Swartz figured out through a digital loophole how to download over 4
million submissions to the JSTOR database with a line of code and a connection into one of the
server closets on MIT open campus (Kirschbaum). MIT has been known for having a core
belief of communicating and bringing knowledge to the people to advance the people; however
this was not the case for Aaron Swartz.
On January 6, 2011 Aaron Swartz was arrested by Cambridge police on breaking and
entering charges regarding the digital act he committed (Kirschbaum). He turned over his harddrives containing the downloaded works and JSTOR said that they disapproved of the action, but
were not going to pursue charges against Swartz. MIT saw the stunt as a security breach and felt
that he was in direct violation and pursued accordingly. The sentence Aaron Swartz faced
because of his action was up to 35 years in prison with 3 years of supervised release, restitution
(returning what he had taken), forfeiture (loss of all equipment he used), and a fine of up to $1
million (Alleged Hacker Charged with Stealing Over Four Million Documents from MIT
Network."). Speaking to some that have served any amount of time, life is hard enough once you
are released from prison, but to pay $1 million? This might as well had been a life sentence.

Kasad 7

Swartz was a victim of depression throughout his life, from time to time suffering from
suicidal thoughts (Swartz). The charges he faced gave him a reason in his mind to pursue one of
those thoughts, leading to his death on January 11, 2013 at the age of 26. His death sparked a
need for change for the outrageous charges he faced, thus the drafting of Aarons Law. Aarons
Law took care of some of the issues, focusing on sentences not consisting of prison time for
violating websites terms of service contracts, allowing new and different ways to access the same
information and making sure that the punishment fits the crime ("Computer Fraud And Abuse
Act Reform."). Simply by allowing the information Mr. Swartz had access to, to be accessed in a
different way (different computer, different place, different time), we could have saved one of the
most influential and brilliant minds of today. Aarons law, while it does fix a lot of problems the
CFAA was causing, is still being disputed by many, as it is easier and less time consuming to
sentence someone under the CFAA and send them off to jail rather than having them stand trial.
The solution is easy in theory in dealing with issues brought on by the Computer Fraud
and Abuse Act, but the execution of these plans is what is key. While Aarons Law makes sense
in many ways, it seems that it is not really set in stone as the issue is constantly brought up and
revisited. I believe the first step to tackling this issue is to do exactly that, set it in stone so that it
cannot be tampered with further. Companies should not have the ability to say this individual
did wrong by us, so they deserve to serve time in jail, that is for the courts to decide. Data that is
accessed one way should be open to be accessed through different ways as well, as long as it is
not causing harm to the original source.
For example, all smartphones have apps these days. The apps are typically an easier way
to access the information from your bank, social network or other websites from your handheld
device. If you were not allowed to access such information in different ways, developers would

Kasad 8

be unable to make the applications and they would now become illegal and cease to exist. This
however is only an example as this does not happen. As another example, if you enforce the
CFAA and remove the ability to access information in new and different ways, how does a
security firm (white-hat hackers or good hackers) test the defenses major companies and
government agencies to make sure that they will fend off anyone who is trying to steal the
information they have?
The theory as explained by Dr. Orin Kerr as the Code-Based Theory of Interpretation in
regards to cyber laws makes the most sense. While if the purpose of whatever the cybercrime
was meant to accomplish, be it financial, terrorism or violent activism, it is not for the CFAA to
decide how these things are carried out, those are other matters. The Code-Based theory deals
with the act of exploiting the loophole in the system that allowed the individual to breach a
system and take what they wanted (Chung). Simply put, the code-based theory attacks the act of
accessing the information over what information was taken. This keeps the CFAA in the realm it
is meant for; the digital world. The other issues are handled separately with charges similar to
robbing a bank or defacing a building.
Most importantly the code-based theory brings the original reason for the CFAA back
into focus. Congress quickly drafted and passed the Computer Fraud and Abuse Act of 1984
because of the fear that digital information was extremely easy to copy and make it disappear.
Using the code-based theory to blame the act rather than the treasure that was taken focuses
strictly on what is done on the digital side, thus satisfying the governments want to be able to
enforce the appropriate laws.
The Computer Fraud and Abuse Act was brought in with the best intentions: to protect
the government, which in turn protects the people of the United States. Sadly, over the years and

Kasad 9

the advancements in technology, the lines have been blurred and the act has become a tyrannical
sponge of power. Due to the tragic death of Aaron Swartz, and the Code-based theory of
interpretation, there is a light at the end of the dark tunnel we seem to be in. Using Aarons
Law, the sentences for those who commit non-violent cybercrimes will be less to fit the
crimes making for the prisons to be less crowded. It will also remove the ability for the private
sector (companies, websites etc.) to send people to prison because their internet contract was
breached. The Code-Based Theory would apply to the way the court handles it. If there is an
obvious issue with internet information and a work-around found and exploited, the CodeBased theory will punish those who need punishment.
Due to the subject matter being in regards to technology today, no one in Biblical times
could foresee where we are today (except the Lord Himself) and thus it is not clearly stated and
will have to come from more than one verse.
Dear brothers and sisters, when troubles of any kind come your way, consider it
an opportunity for great joy. For you know that when your faith is tested, your
endurance has a chance to grow. So let it grow, for when your endurance is fully
developed, you will be perfect and complete, needing nothing. (James 1:2-4,
NLT)
Those that are accused of cybercrimes that receive heavy sentences for small crimes are not
entirely innocent. However the magnitude of their sentences out-weighs the justification of their
crime. While this has happened, it should be our duty to encourage them to grow from it. If their
faith can survive the penalties they have endured, they will be stronger and have a closer
relationship to God for it.

Kasad 10

Romans 12:19 says, Dear friends, never take revenge. Leave that to the righteous anger
of God. For the Scriptures say, I will take revenge; I will pay them back, says the LORD (NLT).
We should not seek revenge on those who wrongly accuse us or in the case of the CFAA overaccuse us. In conjunction with the verse from James 1, the message is clear that we are to leave
everything in the hands of the Lord. If we or someone we know serves jail time and has a
seemingly endless life of problems to follow, it is God testing us through others. We should
encourage those going through this pain to strengthen them.
How can we help? Most of all we should try to strengthen and encourage those who fall
victim to this injustice. Come, you who are blessed by my Father, inherit the Kingdom prepared
for you from the creation of the world. . .[For] I was in prison, and you visited me (Matthew
25:34,36). God is always watching and we are to do His will.
We should keep an eye out for legislation changes. Our current President, Barack Obama
is currently proposing a new measure and reforms to the CFAA to try to increase security of the
internet in America, yet decrease the amount of privacy and security we as individuals have. He
seems to be active in looking for cybercriminals, trying to get more information from companies
of security breaches and what information of theirs is free on the internet. This poses a huge
concern for both our privacy and the fact that the CFAA is broken, allowing for anyone to be
guilty of a cybercrime. Voting and signing petitions are the single most effective civil ways of
combating these measures because it makes the government take a second look at everything. If
the Code-Based theory of Interpretation was embraced and Aarons Law acknowledged, the
internet would not only be safer, but information would be liberated and we as a people can

Kasad 11

grow. If we turn a blind eye to the issues at hand, the internet will be a fraction of what it is
today.

Kasad 12

Works Cited
"Alleged Hacker Charged with Stealing Over Four Million Documents from MIT Network."
USDOJ: US Attorney's Office. N.p., 19 July 2011. Web. 04 Oct. 2015.
Chung, Cyrus Y. "The Computer Fraud And Abuse Act: How Computer Science Can Help With
The Problem Of Overbreadth." Harvard Journal Of Law & Technology 24.1 (2010): 233256. Academic Search Premier. Web. 13 Sept. 2015.
Cohn, Cindy. "Aarons Law Reintroduced: CFAA Didnt Fix Itself." Electronic Frontier
Foundation. N.p., 29 Apr. 2015. Web. 25 Sept. 2015.
"Computer Fraud And Abuse Act Reform." Electronic Frontier Foundation. N.p., n.d. Web. 13
September 2015.
Galicki, Alexander, Drew Havens, and Alden Pelker. "Computer Crimes." American Criminal
Law Review 51.4 (2014): 875-922. Academic Search Premier. Web. 13 Sept. 2015.
Hanna, Paul, and Matthew Leal. "The Computer Fraud And Abuse Act: An Attractive But Risky
Alternative To Texas Trade Secret Law." St. Mary's Law Journal 45.3 (2014): 491-534.
Academic Search Premier. Web. 12 September 2015.
"Indictment of Aaron Swartz." Indictment of Aaron Swartz. N.p., 14 July 2011. Web. 26 Sept.
2015.
The Internet's Own Boy: The Story of Aaron Swartz. Dir. Brian Knappenberger. Perf. Tim
Berners-Lee, Cory Doctorow, Peter Eckersley. Participant Media, 2014. Film.
Jakopchek, Kevin. "Obtaining" The Right Result: A Novel Interpretation Of The Computer Fraud
And Abuse Act That Provides Liability For Insider Theft Without Overbreadth." Journal

Kasad 13

Of Criminal Law & Criminology 104.3 (2014): 605-633. Academic Search Premier. Web.
12 September 2015.
Kirschbaum, Connor. "Swartz Indicted for JSTOR Theft - The Tech." Swartz Indicted for JSTOR
Theft - The Tech. N.p., 03 Aug. 2011. Web. 04 Oct. 2015.
Larkin, Paul. "Reasonably Construing the Computer Fraud and Abuse Act to Avoid
Overcriminalization." The Heritage Foundation. N.p., 19 June 2013. Web. 26 Sept. 2015.
Mayer, Jonathan. "Summarized Revisions to the Computer Fraud and Abuse Act." Computer
Security and Privacy (Spring 2014). Stanford Law School, 3 Apr. 2014. Web. 04 Oct.
2015.
Murray, Ryan Patrick. Myspace-ing is Not a Crime: Why Breaching Terms of Service
Agreements Should Not Implicate the Computer Fraud and Abuse Act. Loyola of Los
Angeles Entertainment Law Review (2009). Web. 13 September 2015.
Sauter, Molly. "Online Activism and Why the Computer Fraud and Abuse Act Must Die." Boing
Boing. N.p., 26 Sept. 2014. Web. 13 Sept. 2015.
"Sir Tim Berners-Lee Pays Tribute to Aaron Swartz." The Telegraph. N.p., 14 Jan. 2013. Web. 25
Sept. 2015.
Schwartz, John. "Internet Activist, a Creator of RSS, Is Dead at 26, Apparently a Suicide." The
New York Times. The New York Times, 12 Jan. 2013. Web. 26 Sept. 2015.
Seidman, Bianca. "Internet Activist Charged with Hacking into MIT Network." PBS.org. Public
Broadcasting, 22 July 2011. Web. 4 Oct. 2015.
Skibell, Reid. "Cybercrimes & Misdemeanors: A Reevaluation of the Computer Fraud and Abuse
Act." Berkeley Technology Law Journal 18.3 (2003): 909-44. JSTOR. Web. 13 September
2015.

Kasad 14

Swartz, Aaron H. "Full Text of "Guerilla Open Access Manifesto"" Full Text of "Guerilla Open
Access Manifesto" N.p., July 2008. Web. 04 Oct. 2015.
Swartz, Aaron H. "Raw Thought." Sick (Aaron Swartz's ). N.p., 27 Nov. 2007. Web. 04 Oct.
2015.
Wellborn, Paul F. "Undercover Teachers" Beware: How That Fake Profile On Facebook Could
Land You In The Pokey." Mercer Law Review 63.2 (2012): 697-713. Academic Search
Premier. Web. 13 Sept. 2015.
Xiang, Li. "Hacktivism And The First Amendment: Drawing The Line Between Cyber Protests
And Crime." Harvard Journal Of Law & Technology 27.1 (2013): 301-330. Academic
Search Premier. Web. 13 Sept. 2015.
Zetter, Kim. "Judge Acquits Lori Drew in Cyberbullying Case, Overrules Jury." Wired.com.
Conde Nast Digital, 02 July 2009. Web. 12 Oct. 2015.