Extraterritorial Application of the Computer Fraud and Abuse Act
Friday, July 3, 2020

A brazen and sophisticated computer intrusion into the records of over 145 million Americans, launched by computer hackers based in China, led to recent criminal prosecutions under the Computer Fraud and Abuse Act.[1] Courts are often willing to extend American law beyond U.S. boundaries when criminal misconduct that injures Americans takes place overseas. The Constitution grants Congress broad powers to enact laws with extraterritorial scope.[2] The Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), is one such statute; it provides criminal and civil remedies for unauthorized access to computers used in interstate commerce or communications.[3] It further provides for extraterritorial jurisdiction over criminal or civil violations of the CFAA. Increasingly, U.S.-based companies have become victims of significant computer misconduct launched from overseas.[4] And, with the increased widespread use of social media platforms during the Covid-19 pandemic, computer mischief in an effort to gain confidential business information is on the rise.[5]

The CFAA was enacted in 1986, in an effort to combat computer crime that mail and wire fraud statutes could not reach.[6]  The statute, as first enacted, criminalized unauthorized access to “federal interest” computers.[7]  Since “federal interest” under the Act included all instances of interstate computer crime—and virtually all computer use is interstate in nature—it effectively criminalized any unauthorized computer access.[8]  Amendments in 1994 quietly added civil remedies and expanded the coverage of the statute to include unauthorized transmissions.[9]  Amendments in 1996 changed the phrase “federal interest computer” to “protected computer,” thereby significantly broadening the Act’s reach.[10]

The CFAA’s expansion into civil litigation led to varied interpretations of the CFAA. And, “courts continue [to] grapple with the specifics of construing and applying particular provisions of the Act.”[11][12] This struggle to understand the Act’s scope is exacerbated by “new abuses that spring from the misuse of new technology,”[13] which make it difficult to address computer abuse problems through a traditional framework. In one of the first cases to use the CFAA in conjunction with a state statutory trade secrets theft claim, International Airport Centers v. Citrin, the Seventh Circuit sustained a CFAA claim where a real estate development company employee used his employer’s computers to pilfer confidential development plans for a large-scale industrial real estate project on the East Coast.[14][15] The court found that at the point the employee began to prepare to leave his employer, his access to its computers and information was no longer “authorized.” His subsequent taking of electronic information and efforts to cover his tracks through computer wiping software were sufficient to show the necessary injury to support a claim under the CFAA.[16]

The fact that computer abuse is largely intangible and can be launched from anywhere in the world presents the jurisdictional question whether the CFAA can be applied extraterritorially to prosecute those who perpetrate computer abuse in the U.S. from a foreign land.  In deciding whether a U.S. statute may be applied extraterritorially, courts look to two potential foundations for jurisdiction: first, the jurisdictional basis, “territoriality, nationality, passive personality, universality, or the protective principle”;[17] and second, legislative intent.[18]  The CFAA can arguably be applied extraterritorially on either foundation.  Although case law here is sparse, a Connecticut district court concluded that it had jurisdiction to hear a claim against a Russian national under the Act.  The court found “. . . first, because the intended and actual detrimental effects of [the defendant’s] actions in Russia occurred within the United States, and second, because each of the statutes under which [he] was charged with a substantive offense were intended by Congress to apply extraterritorially.”[19]

This first reason encompasses the passive personality and protective bases for international jurisdiction. The second relies upon the legislative intent behind the 1996 amendments to the Act. Notably, the amendments changed “the definition of ‘protected computer’ so that it included any computer ‘which is used in interstate or foreign commerce or communication.’”[20] The Connecticut court concluded that “Congress has clearly manifested its intent to apply § 1030 to computers used in interstate or in foreign commerce,”[21] reasoning that “[i]n order for the word ‘foreign’ to have meaning, and not be superfluous, it must mean something other than ‘interstate[,]’ . . . [so] ‘foreign’ in this context must mean international.”[22]

The Patriot Act may also provide extraterritorial jurisdiction for the CFAA. The Patriot Act amended the CFAA with a change in the definition of “protected computer.”[23] It modified the definition of a “protected computer” to include “a computer which is used in interstate or foreign commerce or communication” and the words “including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.”[24] The Patriot Act thus expanded the definition of “protected computer” under the CFAA to “expressly include computers located outside the United States.”[25]

The CFAA’s potential reach goes beyond U.S. borders and packs a jurisdictional punch that will likely be able to bring a foreign party into an American court. Thus, a computer hacker outside the U.S. who causes injury[26] here is likely not immune from a civil or criminal action. Most recently, videoconferencing applications, which have become de facto communication platforms for the Coronavirus era, have become weaponized by foreign nationals and employed for shocking imagery, racial epithets and profanity to derail video conferences taking place in the U.S. and abroad. The frequency and reach of videoconferencing hacking have prompted the FBI to issue a warning stating that it had “received multiple reports of conferences being disrupted by pornographic or hate images and threatening language” nationwide.[27] An analysis by The New York Times found at least 153 Instagram accounts, dozens of Twitter accounts and private chats, and several active message boards on Reddit and 4Chan where thousands of people had gathered to organize harassment campaigns, sharing meeting passwords and plans for sowing chaos in public and private meetings.[28] This recent activity comes on top of a few years of concerted computer espionage campaigns against American business by foreign actors.[29]

Foreign-based hackers often freelance for companies competing against U.S. corporations. With the recent massive shift to online communication platforms for day-to-day business operations, and almost all American business now operating in a digital world, U.S. business is exposed more than ever to offshore competitive computer threats. The CFAA’s international jurisdictional reach is rarely considered in a civil context and may provide one avenue of relief against foreign competitors taking unfair aim at American businesses.

FOOTNOTES

[1] The United States Department of Justice, Chinese Military Personnel Charged with Computer Fraud, Economic Espionage and Wire Fraud for Hacking into Credit Reporting Agency Equifax, https://www.justice.gov/opa/pr/chinese-military-personnel-charged-computer-fraud-economic-espionage-and-wire-fraud-hacking (last visited April 30, 2020).

[2] U.S. Const. art. I, § 8, cls. 10, 3; art. VI, cl. 2. Cf. United States v. Baston, 818 F.3d 651, 666-67 (11th Cir. 2016) (“Congress’s power to enact extraterritorial laws is not limited to the Offenses Clause”).

[3] The Supreme Court has granted certiorari in its first CFAA case, Van Buren v. United States, 2020 WL 1906566, at *1 (U.S. Apr. 20, 2020). The narrow question in the appeal is whether CFAA’s restriction on exceeding authorized access to a computer bars an otherwise valid user from using the system for an improper purpose. The Supreme Court’s decision, expected in 2021, may resolve the Circuit split on the issue.

[4] USA Today, How Chinese military hackers allegedly pulled off the Equifax data breach, stealing data from 145 million Americans, https://www.usatoday.com/story/tech/2020/02/10/2017-equifax-data-breach-chinese-military-hack/4712788002 (last visited April 22, 2020); Asher Moses, Turkish Hackers Bring Down Insurer’s Site, Sydney Morning Herald, July 20, 2007, http://www.smh.com.au/articles/2007/07/20/1184559999284.html?from=top5 (last visited April 22, 2020) (Australian insurance company AAMI was forced to shut down its website after Turkish hackers gained unauthorized access and redirected visitors to an anti-Israel propaganda website. AAMI may have brought a suit in the U.S. against the hackers if their actions caused harm in the U.S., although AAMI is an Australian company, the crime occurred in Australia, and the perpetrators were Turkish.)

[5] Wall Street Journal, Zoom Hires Security Heavyweights to Fix Flaws, https://www.wsj.com/articles/zoom-hires-security-heavyweights-to-fix-flaws-11587061868 (last visited April 22, 2020).

[6] Computer Fraud and Abuse Act of 1986, Pub. L. No. 99–474, 100 Stat. 1213 (1986).

[7] Id.

[8]  Id.

[9] The Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (1994).

[10] Deborah F. Buckman, Validity Construction and Application of Computer Fraud and Abuse Act (18 U.S.C. § 1030), 174 A.L.R. Fed. 101, 2a (2007).

[11] Id.

[12] LVRC Holdings L.L.C. v. Brekka, 581 F.3d 1127 (9th Cir. 2009).

[13] United States Department of Justice, Computer Crime & Intellectual Property Section, The National Information Infrastructure Protection Act of 1996: Legislative Analysis, http://www.cybercrime.gov/1030analysis.html.

[14] Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006). (William Kane represented International Airport Centers.)

[15] The Defend Trade Secrets Act had not yet been enacted, which relegated most trade secret theft cases to the state courts absent a parallel federal claim. See 18 U.S.C. § 1836 et seq.

[16] Id.  “Citrin’s breach of his duty of loyalty terminated his agency relationship (more precisely, terminated any rights he might have claimed as IAC’s agent—he could not by unilaterally terminating any duties he owed his principal gain an advantage!) and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”

[17] Ellen S. Podgor, International Computer Fraud: A Paradigm for Limiting National Jurisdiction, 35 U.C. Davis L. Rev. 267, 282 (2002).

[18] Id.

[19] United States v. Ivanov, 175 F. Supp. 2d 367, 370 (D. Conn. 2001).

[20] Id. at 374.

[21] Id.

[22] Id.

[23] The USA PATRIOT Act: Preserving Life and Liberty, https://www.justice.gov/archive/ll/highlights.htm, (last visited April 22, 2020).

[24] USA Patriot Act, Pub. L. No. 107-56, § 814, 115 Stat. 272, 384 (2001).

[25] Xiaomin Huang, Peter Radkowski III, and Peter Roman, Computer Crimes, 44 Am. Crim. L. Rev. 285, 292 n.40 (2007) (noting that “[a]lthough the 1996 Act also extended jurisdiction over computers used in ‘foreign commerce’ in order to reach international computer crimes, in the wake of the September 11, 2001, [sic] attacks this was not considered adequate protection”).

[26] Under the CFAA, courts have found damage when the defendant’s conduct diminishes a plaintiff’s ability to use computer data or systems. For example, plaintiffs have asserted damage when: (1) a barrage of calls and emails impeded access to voicemail and email, prevented customers from reaching plaintiff’s sales offices and representatives, and forced an employee to turn off her cell phone, Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Am., 648 F.3d 295, 301 (6th Cir. 2011); (2) a defendant impaired the availability of an emergency communication system by transmitting data that interfered with the way the computer allocated communications to other channels, United States v. Mitra, 405 F.3d 492, 494 (7th Cir. 2005); (3) the permanent deletion of employee emails caused an impairment to the integrity or availability of data, Meridian Fin. Advisors, Ltd. v. Pence, 763 F. Supp. 2d 1046, 1062 (S.D. Ind. 2011); and (4) a program that deleted files impaired the integrity or availability of data, programs, or information on the computer, Int’l Airport Ctrs., L.L.C., 440 F.3d at 419-20.

[27] Federal Bureau of Investigation, FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic, https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic (last visited April 22, 2020).

[28] The New York Times, Zoombombing Becomes a Dangerous Organized Effort, https://www.nytimes.com/2020/04/03/technology/zoom-harassment-abuse-racism-fbi-warning.html (last visited April 22, 2020).

[29] CNBC, Hackers hit telecommunications firms in possible Chinese espionage campaign, researchers say, https://www.cnbc.com/2019/06/25/hackers-hit-telecommunications-firms-cybereason.html (last visited April 22, 2020).

 
