Law Commons^™

Platforms, Encryption, And The Cfaa: The Case Of Whatsapp V Nso Group, Jonathon Penney, Bruce Schneier

Articles, Book Chapters, & Popular Press

End-to-end encryption technology has gone mainstream. But this wider use has led hackers, cybercriminals, foreign governments, and other threat actors to employ creative and novel attacks to compromise or workaround these protections, raising important questions as to how the Computer Fraud and Abuse Act (CFAA), the primary federal anti-hacking statute, is best applied to these new encryption implementations. Now, after the Supreme Court recently narrowed the CFAA’s scope in Van Buren and suggested it favors a code-based approach to liability under the statute, understanding how best to theorize sophisticated code-based access barriers like end-to-end encryption, and their circumvention, is now …

International Application Of Cfaa: Scraping Data Or Scraping Law?, King Fung Tsang

Saint Louis University Law Journal

Web scraping has resulted in a growing number of civil litigations internationally, including claims under the Computer Fraud and Abuse Act (“CFAA”) in the United States. With the Supreme Court’s first ever decision on the CFAA, in Van Buren v. United States, and its granting of LinkedIn’s petition for certiorari in June 2021, the CFAA is expected to attract even more interest among scholars and practitioners. However, little attention has been given to its cross-border ramifications. Cases show that U.S. courts are more than willing to apply the CFAA extraterritorially, even though their analyses are often flawed. In addition, …

Hacking Antitrust: Competition Policy And The Computer Fraud And Abuse Act, Charles Duan

Articles in Law Reviews & Other Academic Journals

The Computer Fraud and Abuse Act, a federal computer trespass statute that prohibits accessing a computer "without authorization or exceeding authorized access," has often been criticized for clashing with online norms, over-criminalizing common behavior, and infringing freedom-of-expression interests. These controversies over the CFAA have raised difficult questions about how the statute is to be interpreted, with courts of appeals split on the proper construction and the Supreme Courtset to consider the law in its current October Term 2020.

This article considers the CFAA in a new light, namely its effects on competition. Rather than merely preventing injurious trespass upon computers, …

Access Denied? Unauthorized Access After Hiq Labs V. Linkedin, Dalton Sjong

Marquette Intellectual Property & Innovation Law Review

None

Fixing What’S Broken: The Outdated Guidelines Of The Sca And Its Application To Modern Information Platforms, Lutfi Barakat

Touro Law Review

In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to afford privacy protections to electronic communications and it has not changed since its inception. The ECPA has proven problematic as technology has advanced, but Congress has not modified the law to reflect this change. Courts have struggled to apply the law to both old technologies that have been updated and new technologies that have emerged. The ECPA needs to be revised to reflect the new advances in technology or be repealed and replaced with a new approach. This will ensure that consumer data will be safeguarded while in the …

If The Law Can Allow Takebacks, Shouldn't It Also Allow Hackbacks?, Adam Rodrigues

Marquette Intellectual Property Law Review

None.

Criminal Trespass And Computer Crime, Laurent Sacharoff

Sturm College of Law: Faculty Scholarship

The Computer Fraud and Abuse Act (CFAA) criminalizes the simple act of trespass upon a computer—intentional access without authorization. The law sweeps too broadly, but the courts and scholars seeking to fix it look in the wrong place. They uniformly focus on the term “without authorization” when instead they should focus on the statute’s mens rea. On a conceptual level, courts and scholars understand that the CFAA is a criminal law, of course, but fail to interpret it comprehensively as one.

This Article begins the first sustained treatment of the CFAA as a criminal law, with a full elaboration of …

Legal Risks Of Adversarial Machine Learning Research, Ram Shankar Siva Kumar, Jonathon Penney, Bruce Schneier, Kendra Albert

Articles, Book Chapters, & Popular Press

Adversarial machine learning is the systematic study of how motivated adversaries can compromise the confidentiality, integrity, and availability of machine learning (ML) systems through targeted or blanket attacks. The problem of attacking ML systems is so prevalent that CERT, the federally funded research and development center tasked with studying attacks, issued a broad vulnerability note on how most ML classifiers are vulnerable to adversarial manipulation. Google, IBM, Facebook, and Microsoft have committed to investing in securing machine learning systems. The US and EU are likewise putting security and safety of AI systems as a top priority.

Now, research on adversarial …

Making Room For Big Data: Web Scraping And An Affirmative Right To Access Publicly Available Information Online, Amber Zamora

The Journal of Business, Entrepreneurship & the Law

This paper will explore the legality of web scraping through the lens of recent litigation between web scraper hiQ Labs and the online professional networking platform, LinkedIn. First, the paper will study the background of web scraping litigation, some challenges courts face in issuing consistent verdicts, and the most common claims companies make against web scrapers. Then the paper will address three of the most common claims and identify court motivations and limitations within the doctrines. The first claims are those arising from the federal Computer Fraud and Abuse Act (CFAA). Next, the paper will investigate copyright claims and defenses …

Web Of Lives: How Regulating The Dark Web Can Combat Online Human Trafficking, Christopher Campbell

Journal of the National Association of Administrative Law Judiciary

This article argues that one of the ways to appropriately fight online human trafficking is through governmental regulation of the Dark Web. Specifically, this article argues that a new Attaching Criminal Dark Web Statute is the best method to combat human trafficking because it can incentivize prosecutors to use current human trafficking statutes to prosecute traffickers. This proposal can deter traffickers from enslaving people. Additionally, this article shows the evolution of online human trafficking laws, investigation, and prosecution (Section II); demonstrates why current and proposed laws do not effectively address the online human trafficking issue (Sections III and IV); introduces …

Privacy Remedies, Lauren H. Scholz

Indiana Law Journal

When consumers sue companies for privacy-intrusive practices, they are often unsuccessful. Many cases fail in federal court at the motion to dismiss phase because the plaintiff has not shown the privacy infringement has caused her concrete harm. This is a symptom of a broader issue: the failure of courts and commentators to describe the relationship between privacy rights and privacy remedies.

This Article contends that restitution is the normal measure of privacy remedies. Restitution measures relief by economic gain to the defendant. If a plaintiff can show the likely ability to recover in restitution, that should be sufficient to pass …

Data Scraping As A Cause Of Action: Limiting Use Of The Cfaa And Trespass In Online Copying Cases, Kathleen C. Riley

Fordham Intellectual Property, Media and Entertainment Law Journal

In recent years, online platforms have used claims such as the Computer Fraud and Abuse Act (“CFAA”) and trespass to curb data scraping, or copying of web content accomplished using robots or web crawlers. However, as the term “data scraping” implies, the content typically copied is data or information that is not protected by intellectual property law, and the means by which the copying occurs is not considered to be hacking. Trespass and the CFAA are both concerned with authorization, but in data scraping cases, these torts are used in such a way that implies that real property norms exist …

Terms Of Service And The Computer Fraud And Abuse Act: A Trap For The Unwary?, David A. Puckett

Oklahoma Journal of Law and Technology

No abstract provided.

Consenting To Computer Use, James Grimmelmann

Cornell Law Faculty Publications

The federal Computer Fraud and Abuse Act (CFAA) makes it a crime to “access a computer without authorization or exceed authorized access.” Courts and commentators have struggled to explain what types of conduct by a computer user are “without authorization.” But this approach is backwards; authorization is not so much a question of what a computer user does, as it is a question of what a computer owner allows.

In other words, authorization under the CFAA is an issue of consent, not conduct; to understand authorization, we need to understand consent. Building on Peter Westen’s taxonomy of consent, I argue …

A Threat To Or Protection Of Agency Relationships? The Impact Of The Computer Fraud And Abuse Act On Businesses, Jessica Milanowski

American University Business Law Review

No abstract provided.

The Revised Uniform Fiduciary Access To Digital Assets Act: Has The Law Caught Up With Technology?, Elizabeth Sy

Touro Law Review

No abstract provided.

Data Privacy Regulation In The Age Of Smartphones, Matthew Hettrich

Touro Law Review

No abstract provided.

Kill The Dinosaurs, And Other Tips For Achieving Technical Competence In Your Law Practice, Antigone Peyton

Richmond Journal of Law & Technology

It is a challenge to practice law in the digital age. This is particularly true when a practice involves significant e-Discovery, Intellectual Property, and technology law—areas in which technical issues merge with legal ones. One of the major challenges of bringing a law practice up to twenty-first-century standards relates to dinosaur thoughts, a.k.a. an “old ways are best” mentality.

A Cloudy Forecast: Divergence In The Cloud Computing Laws Of The United States, European Union, And China, Tina Cheng

Georgia Journal of International & Comparative Law

No abstract provided.

Finding The Solution In Wec Carolina Energy Solutions: The Computer Fraud And Abuse Act In The Workplace, Emily V. Malone

Catholic University Law Review

No abstract provided.

Cyber Security Active Defense: Playing With Fire Or Sound Risk Management, Sean L. Harrington

Richmond Journal of Law & Technology

“Banks Remain the Top Target for Hackers, Report Says,” is the title of an April 2013 American Banker article. Yet, no new comprehensive U.S. cyber legislation has been enacted since 2002, and neither legislative history nor the statutory language of the Computer Fraud and Abuse Act (CFAA) or Electronic Communications Privacy Act (ECPA) make reference to the Internet. Courts have nevertheless filled in the gaps—sometimes with surprising results.

Code Is Law, But Law Is Increasingly Determining The Ethics Of Code: A Comment, Jonathon Penney

Articles, Book Chapters, & Popular Press

“Code is Law”, the aphorism Larry Lessig popularized, spoke to the importance of computer code as a central regulating force in the Internet age. That remains true, but today, overreaching laws are also increasingly subjugating important social and ethics questions raised by code to the domain of law. Those laws — like the CFAA and DMCA — need to be curtailed or their zealous enforcement reigned; they deter not only legitimate research but also important related social and ethics questions. But researchers must act too: to re-assert control over the social, legal, and ethical direction of their fields. Otherwise, law …

Code Is Law, But Law Is Increasingly Determining The Ethics Of Code: A Comment, Jonathon Penney

Articles, Book Chapters, & Popular Press

“Code is Law”, the aphorism Larry Lessig popularized, spoke to the importance of computer code as a central regulating force in the Internet age. That remains true, but today, overreaching laws are also increasingly subjugating important social and ethics questions raised by code to the domain of law. Those laws — like the CFAA and DMCA — need to be curtailed or their zealous enforcement reigned; they deter not only legitimate research but also important related social and ethics questions. But researchers must act too: to re-assert control over the social, legal, and ethical direction of their fields. Otherwise, law …

Cyber Security Active Defense: Playing With Fire Or Sound Risk Management?, Sean L. Harrington

Sean L Harrington

Explores contemporary "active defense" techniques in use by private organizations and the legal, regulatory, practical, and business risks associated with each.

Identity Theft On Social Networking Sites: Developing Issues Of Internet Impersonation, Maksim Reznik

Touro Law Review

This Comment focuses on the dangers of social media sites when a person gains access to another's online account through two different methods: (1) stealing the third party's password, or (2) creating a completely fake profile and subsequently impersonating that person.

Access Denied: How Social Media Accounts Fall Outside The Scope Of Intellectual Property Law And Into The Realm Of The Computer Fraud And Abuse Act, Tiffany Miao

Fordham Intellectual Property, Media and Entertainment Law Journal

This note addresses the challenge of applying intellectual property laws to determining ownership rights over social media accounts, specifically in the employer and employee context. This note suggests that IP regimes, namely Trademark, Copyright,and Trade Secrets, fail to provide an adequate framework for determining such ownership rights. Instead, this note proposes that the Computer Fraud and Abuse Act serves as a more appropriate legal framework.

Criminalizing Hacking, Not Dating: Reconstructing The Cfaa Intent Requirement, David Thaw

Articles

Cybercrime is a growing problem in the United States and worldwide. Many questions remain unanswered as to the proper role and scope of criminal law in addressing socially-undesirable actions affecting and conducted through the use of computers and modern information technologies. This Article tackles perhaps the most exigent question in U.S. cybercrime law, the scope of activities that should be subject to criminal sanction under the Computer Fraud and Abuse Act (CFAA), the federal "anti-hacking" statute.

At the core of current CFAA debate is the question of whether private contracts, such as website "Terms of Use" or organizational "Acceptable Use …

Access And The Public Domain, Randal C. Picker

San Diego Law Review

[T]his Article sketches out the emerging public domain. Part III considers three conceptual questions for structuring use of the public domain, focusing on the extent to which the public domain should be viral; on whether we should insist that the public domain be accessed only through the original artifacts embodying it; and on whether private appropriability incentives for distribution of public domain scans match overall social interests. Part IV turns to the tools for restricting use of the public domain, to copyright, contract, the DMCA, and the CFAA. Each of these matters for access to the public domain and for …

An Expected Harm Approached To Compensating Consumers For Unauthorized Information Disclosures, Rachel Yoo

Richmond Journal of Law & Technology

On May 22, 2007, the Executive Office of the President of the United States issued a memorandum concerned with safeguarding personal information, which first defined the term “personally identifiable information” as follows:

[I]nformation which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

Hey! You! Get Off Of My Cloud: Defining And Protecting The Metes And Bounds Of Privacy, Security, And Property In Cloud Computing, Timothy D. Martin

Timothy D Martin

Cloud computing is a growing force in today’s interconnected technological world. It allows people and organizations to purchase computing power and resources on an as-needed, pay-as-you-go basis. Users can employ it to satisfy modest needs, such as simple word-processing tasks, or to create large-scale enterprise applications delivered on the web. But cloud computing raises questions of functionality, security, confidentiality, ethics, enforcement, and data ownership. The lack of a clear body of law defining and regulating law enforcement’s access to electronic data and ability to prosecute related crimes creates other risks and erodes confidence in cloud computing. This paper begins with …