Open Access. Powered by Scholars. Published by Universities.®

Law Commons

Articles 1 - 9 of 9

Full-Text Articles in Law

Platforms, Encryption, And The CFAA: The Case Of WhatsApp v. NSO Group, Jonathon Penney, Bruce Schneier Jan 2022

Articles, Book Chapters, & Popular Press

End-to-end encryption technology has gone mainstream. But this wider use has led hackers, cybercriminals, foreign governments, and other threat actors to employ creative and novel attacks to compromise or work around these protections, raising important questions as to how the Computer Fraud and Abuse Act (CFAA), the primary federal anti-hacking statute, is best applied to these new encryption implementations. Now, after the Supreme Court recently narrowed the CFAA’s scope in Van Buren and suggested it favors a code-based approach to liability under the statute, understanding how best to theorize sophisticated code-based access barriers like end-to-end encryption, and their circumvention, is now …


Hacking Antitrust: Competition Policy And The Computer Fraud And Abuse Act, Charles Duan Jan 2021

Articles in Law Reviews & Other Academic Journals

The Computer Fraud and Abuse Act, a federal computer trespass statute that prohibits accessing a computer "without authorization or exceeding authorized access," has often been criticized for clashing with online norms, over-criminalizing common behavior, and infringing freedom-of-expression interests. These controversies over the CFAA have raised difficult questions about how the statute is to be interpreted, with courts of appeals split on the proper construction and the Supreme Court set to consider the law in its current October Term 2020.

This article considers the CFAA in a new light, namely its effects on competition. Rather than merely preventing injurious trespass upon computers, …


Criminal Trespass And Computer Crime, Laurent Sacharoff Jan 2020

Sturm College of Law: Faculty Scholarship

The Computer Fraud and Abuse Act (CFAA) criminalizes the simple act of trespass upon a computer—intentional access without authorization. The law sweeps too broadly, but the courts and scholars seeking to fix it look in the wrong place. They uniformly focus on the term “without authorization” when instead they should focus on the statute’s mens rea. On a conceptual level, courts and scholars understand that the CFAA is a criminal law, of course, but fail to interpret it comprehensively as one.

This Article begins the first sustained treatment of the CFAA as a criminal law, with a full elaboration of …


Legal Risks Of Adversarial Machine Learning Research, Ram Shankar Siva Kumar, Jonathon Penney, Bruce Schneier, Kendra Albert Jan 2020

Articles, Book Chapters, & Popular Press

Adversarial machine learning is the systematic study of how motivated adversaries can compromise the confidentiality, integrity, and availability of machine learning (ML) systems through targeted or blanket attacks. The problem of attacking ML systems is so prevalent that CERT, the federally funded research and development center tasked with studying attacks, issued a broad vulnerability note on how most ML classifiers are vulnerable to adversarial manipulation. Google, IBM, Facebook, and Microsoft have committed to investing in securing machine learning systems. The US and EU are likewise putting security and safety of AI systems as a top priority.

Now, research on adversarial …


Consenting To Computer Use, James Grimmelmann Dec 2016

Cornell Law Faculty Publications

The federal Computer Fraud and Abuse Act (CFAA) makes it a crime to “access a computer without authorization or exceed authorized access.” Courts and commentators have struggled to explain what types of conduct by a computer user are “without authorization.” But this approach is backwards; authorization is not so much a question of what a computer user does, as it is a question of what a computer owner allows.

In other words, authorization under the CFAA is an issue of consent, not conduct; to understand authorization, we need to understand consent. Building on Peter Westen’s taxonomy of consent, I argue …


Code Is Law, But Law Is Increasingly Determining The Ethics Of Code: A Comment, Jonathon Penney Jan 2014

Articles, Book Chapters, & Popular Press

“Code is Law”, the aphorism Larry Lessig popularized, spoke to the importance of computer code as a central regulating force in the Internet age. That remains true, but today, overreaching laws are also increasingly subjugating important social and ethics questions raised by code to the domain of law. Those laws — like the CFAA and DMCA — need to be curtailed or their zealous enforcement reined; they deter not only legitimate research but also important related social and ethics questions. But researchers must act too: to re-assert control over the social, legal, and ethical direction of their fields. Otherwise, law …


Criminalizing Hacking, Not Dating: Reconstructing The CFAA Intent Requirement, David Thaw Jan 2013

Articles

Cybercrime is a growing problem in the United States and worldwide. Many questions remain unanswered as to the proper role and scope of criminal law in addressing socially-undesirable actions affecting and conducted through the use of computers and modern information technologies. This Article tackles perhaps the most exigent question in U.S. cybercrime law, the scope of activities that should be subject to criminal sanction under the Computer Fraud and Abuse Act (CFAA), the federal "anti-hacking" statute.

At the core of current CFAA debate is the question of whether private contracts, such as website "Terms of Use" or organizational "Acceptable Use …


Rights Of Access And The Shape Of The Internet, Michael J. Madison Jan 2003

Articles

This Article reviews recent developments in the law of access to information, that is, cases involving click-through agreements, the doctrine of trespass to chattels, the anti-circumvention provisions of the Digital Millennium Copyright Act, and civil claims under the Computer Fraud and Abuse Act. Though the objects of these different doctrines substantially overlap, the different doctrines yield different presumptions regarding the respective rights of information owners and information consumers. The Article reviews those presumptions in light of different metaphorical premises on which courts rely: Internet-as-place, in the trespass, DMCA, and CFAA contexts, and contract-as-assent, in the click-through context. It argues that …