Definition[edit | edit source]
A protected computer is
Legislative history[edit | edit source]
The term "protected computer" did not appear in the Computer Fraud and Abuse Act (CFAA) until 1996, when Congress attempted to correct deficiencies identified in earlier versions of the statute. In 1994, Congress amended the CFAA so that it protected any "computer used in interstate commerce or communication" rather than a "Federal interest computer." This change expanded the scope of the Act to include certain non-government computers that Congress deemed deserving of federal protection. In doing so, however, Congress "inadvertently eliminated Federal protection for those Government and financial institution computers not used in interstate commerce." 
Congress corrected this error in the 1996 amendments to the Computer Fraud and Abuse Act )CFAA), which defined "protected computer" as a computer used by the federal government or a financial institution, or one "which is used in interstate or foreign commerce." The definition did not explicitly address situations where an attacker within the United States attacks a computer system located abroad. In addition, this definition was not readily applicable to situations in which individuals in foreign countries routed communications through the United States as they hacked from one foreign country to another.
In 2001, the USA PATRIOT Act of 2001 amended the definition of "protected computer" to make clear that this term includes computers outside of the United States so long as they affect "interstate or foreign commerce or communication of the United States."
Analysis[edit | edit source]
Note that the computer must be "used in or affecting" not "used by the defendant in" — that is, it is enough that the computer is connected to the Internet; the statute does not require proof that the defendant also used the Internet to access the computer or used the computer to access the Internet.
Several courts have held that using the Internet from a computer is sufficient to meet this element.
Prior to 2008, this definition did not explicitly cover computers that were not connected to the Internet and that were not used by the federal government or financial institutions. For example, some state-run utility companies operate computers that are not connected to the Internet for security reasons. Congress remedied this gap in the Identity Theft Enforcement and Restitution Act of 2008 by broadening the definition of “protected computer” to include computers that “affect” interstate or foreign commerce or communications.
In the USA PATRIOT Act of 2001, Congress amended the definition of “protected computer” to make clear that this term includes computers outside of the United States so long as they affect “interstate or foreign commerce or communication of the United States.” This change addresses situations where an attacker within the United States attacks a computer system located abroad and situations in which individuals in foreign countries route communications through the United States as they hack from one foreign country to another. Both situations can therefore be violations of section 1030.
References[edit | edit source]
- 18 U.S.C. §1030(e)(2)), as amended.
- See S. Rep. No. 104-357, at 10 (1996), available at 1996 WL 492169 (discussing the 1994 amendment).
- United States v. Middleton, 231 F.3d 1207, 1212 n.2 (9th Cir. 2000) (citing S. Rep. No. 104-357).
- 18 U.S.C. §1030(e)(2) (1996).
- Id. §1030(e)(2)(B) (2001).
- See, e.g., United States v. Drew, 259 F.R.D. 449, 457 (C.D. Cal. 2009) ("[T]he latter two elements of the section 1030(a)(2)(C) crime [obtaining information from a protected computer] will always be met when an individual using a computer contacts or communicates with an Internet website"); United States v. Trotter, 478 F.3d 918, 921 (8th Cir. 2007) ("No additional interstate nexus is required when instrumentalities or channels of interstate commerce are regulated") (internal citations omitted); Paradigm Alliance, Inc. v. Celeritas Technologies, LLC, 248 F.R.D. 598, 602 (D. Kan. 2008) ("As a practical matter, a computer providing a 'web-based' application accessible through the internet would satisfy the 'interstate communication' requirement").
- 18 U.S.C. §1030(e)(2)(B).
- Id. §1030(e)(2)(B) (2001).
Source[edit | edit source]
- Prosecuting Computer Crimes, at 4-5. ("Analysis" section)