No edit summary |
No edit summary |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
{{Quote|a [[computer]] |
{{Quote|a [[computer]] |
||
:(A) exclusively for the use of a [[financial institution]] or the United States Government, or, in the case of a [[computer]] not exclusively for such use, used by or for a [[financial institution]] or the United States Government and the conduct constituting the offense affects that use by or for the [[financial institution]] or the Government; or |
:(A) exclusively for the use of a [[financial institution]] or the United States Government, or, in the case of a [[computer]] not exclusively for such use, used by or for a [[financial institution]] or the United States Government and the conduct constituting the offense affects that use by or for the [[financial institution]] or the Government; or |
||
| − | :(B) which is used in [[interstate commerce|interstate]] or [[foreign commerce]] or [[communication]], including a [[computer]] located outside the United States that is used in a manner that affects [[interstate commerce|interstate]] or [[foreign commerce]] or [[communication]] of the United States.<ref>18 U.S.C. § |
+ | :(B) which is used in [[interstate commerce|interstate]] or [[foreign commerce]] or [[communication]], including a [[computer]] located outside the United States that is used in a manner that affects [[interstate commerce|interstate]] or [[foreign commerce]] or [[communication]] of the United States.<ref>18 U.S.C. §1030(e)(2)), ''as amended.''</ref>}} |
== Legislative history == |
== Legislative history == |
||
| Line 13: | Line 13: | ||
[[Congress]] corrected this error in the 1996 amendments to the [[Computer Fraud and Abuse Act]] )[[CFAA]]), which defined "protected computer" as a [[computer]] used by the federal government or a [[financial institution]], or one "which is used in [[interstate commerce|interstate]] or [[foreign commerce]]."<ref>18 U.S.C. §1030(e)(2) (1996).</ref> The definition did not explicitly address situations where an attacker within the United States attacks a [[computer system]] located abroad. In addition, this definition was not readily applicable to situations in which individuals in foreign countries routed communications through the United States as they hacked from one foreign country to another. |
[[Congress]] corrected this error in the 1996 amendments to the [[Computer Fraud and Abuse Act]] )[[CFAA]]), which defined "protected computer" as a [[computer]] used by the federal government or a [[financial institution]], or one "which is used in [[interstate commerce|interstate]] or [[foreign commerce]]."<ref>18 U.S.C. §1030(e)(2) (1996).</ref> The definition did not explicitly address situations where an attacker within the United States attacks a [[computer system]] located abroad. In addition, this definition was not readily applicable to situations in which individuals in foreign countries routed communications through the United States as they hacked from one foreign country to another. |
||
| − | In 2001, the [[USA PATRIOT Act]] amended the definition of "protected computer" to make clear that this term includes [[computer]]s outside of the United States so long as they affect "[[interstate commerce|interstate]] or [[foreign commerce]] or [[communication]] of the United States."<ref>''Id.'' §1030(e)(2)(B) (2001).</ref> |
+ | In 2001, the [[USA PATRIOT Act of 2001]] amended the definition of "protected computer" to make clear that this term includes [[computer]]s outside of the United States so long as they affect "[[interstate commerce|interstate]] or [[foreign commerce]] or [[communication]] of the United States."<ref>''Id.'' §1030(e)(2)(B) (2001).</ref> |
| + | |||
| + | == Analysis == |
||
| + | |||
| + | Note that the [[computer]] must be "used in or affecting" not "used by the defendant in" — that is, it is enough that the [[computer]] is connected to the [[Internet]]; the [[statute]] does not require proof that the defendant also used the [[Internet]] to [[access]] the [[computer]] or used the [[computer]] to [[access]] the [[Internet]]. |
||
| + | |||
| + | Several courts have held that using the Internet from a computer is sufficient to meet this element.<ref>''See, e.g.,'' [[U.S. v. Drew|United States v. Drew]], 259 F.R.D. 449, 457 (C.D. Cal. 2009) ("[T]he latter two elements of the section 1030(a)(2)(C) crime [obtaining information from a protected computer] will always be met when an individual using a computer contacts or communicates with an Internet website"); [[U.S. v. Trotter|United States v. Trotter]], 478 F.3d 918, 921 (8th Cir. 2007) ("No additional interstate nexus is required when instrumentalities or channels of interstate commerce are regulated") (internal citations omitted); [[Paradigm Alliance v. Celeritas Technologies|Paradigm Alliance, Inc. v. Celeritas Technologies, LLC]], 248 F.R.D. 598, 602 (D. Kan. 2008) ("As a practical matter, a computer providing a 'web-based' application accessible through the internet would satisfy the 'interstate communication' requirement").</ref> |
||
| + | |||
| + | Prior to 2008, this definition did not explicitly cover [[computer]]s that were not connected to the [[Internet]] and that were not used by the federal government or [[financial institution]]s. For example, some state-run utility companies operate [[computer]]s that are not connected to the [[Internet]] for security reasons. [[Congress]] remedied this gap in the [[Identity Theft Enforcement and Restitution Act of 2008]] by broadening the definition of “protected computer” to include [[computer]]s that “affect” [[interstate or foreign commerce]] or [[communications]].<ref>18 U.S.C. §1030(e)(2)(B).</ref> |
||
| + | |||
| + | In the [[USA PATRIOT Act of 2001]], [[Congress]] amended the definition of “protected computer” to make clear that this term includes [[computer]]s outside of the United States so long as they affect “[[interstate or foreign commerce]] or [[communication]] of the United States.”<ref>''Id.'' §1030(e)(2)(B) (2001).</ref> This change addresses situations where an [[attacker]] within the United States [[attack]]s a [[computer system]] located abroad and situations in which individuals in foreign countries [[route]] [[communications]] through the United States as they [[hack]] from one foreign country to another. Both situations can therefore be violations of section 1030. |
||
==References== |
==References== |
||
<references /> |
<references /> |
||
| + | |||
| + | == Source == |
||
| + | |||
| + | * [[Prosecuting Computer Crimes]], at 4-5. ("Analysis" section) |
||
[[Category:Legislation-U.S.-Criminal]] |
[[Category:Legislation-U.S.-Criminal]] |
||
[[Category:Legislation]] |
[[Category:Legislation]] |
||
Latest revision as of 04:29, 4 December 2011
Definition[]
A protected computer is
| “ | a computer
|
” |
Legislative history[]
The term "protected computer" did not appear in the Computer Fraud and Abuse Act (CFAA) until 1996, when Congress attempted to correct deficiencies identified in earlier versions of the statute. In 1994, Congress amended the CFAA so that it protected any "computer used in interstate commerce or communication" rather than a "Federal interest computer." This change expanded the scope of the Act to include certain non-government computers that Congress deemed deserving of federal protection.[2] In doing so, however, Congress "inadvertently eliminated Federal protection for those Government and financial institution computers not used in interstate commerce." [3]
Congress corrected this error in the 1996 amendments to the Computer Fraud and Abuse Act )CFAA), which defined "protected computer" as a computer used by the federal government or a financial institution, or one "which is used in interstate or foreign commerce."[4] The definition did not explicitly address situations where an attacker within the United States attacks a computer system located abroad. In addition, this definition was not readily applicable to situations in which individuals in foreign countries routed communications through the United States as they hacked from one foreign country to another.
In 2001, the USA PATRIOT Act of 2001 amended the definition of "protected computer" to make clear that this term includes computers outside of the United States so long as they affect "interstate or foreign commerce or communication of the United States."[5]
Analysis[]
Note that the computer must be "used in or affecting" not "used by the defendant in" — that is, it is enough that the computer is connected to the Internet; the statute does not require proof that the defendant also used the Internet to access the computer or used the computer to access the Internet.
Several courts have held that using the Internet from a computer is sufficient to meet this element.[6]
Prior to 2008, this definition did not explicitly cover computers that were not connected to the Internet and that were not used by the federal government or financial institutions. For example, some state-run utility companies operate computers that are not connected to the Internet for security reasons. Congress remedied this gap in the Identity Theft Enforcement and Restitution Act of 2008 by broadening the definition of “protected computer” to include computers that “affect” interstate or foreign commerce or communications.[7]
In the USA PATRIOT Act of 2001, Congress amended the definition of “protected computer” to make clear that this term includes computers outside of the United States so long as they affect “interstate or foreign commerce or communication of the United States.”[8] This change addresses situations where an attacker within the United States attacks a computer system located abroad and situations in which individuals in foreign countries route communications through the United States as they hack from one foreign country to another. Both situations can therefore be violations of section 1030.
References[]
- ↑ 18 U.S.C. §1030(e)(2)), as amended.
- ↑ See S. Rep. No. 104-357, at 10 (1996), available at 1996 WL 492169 (discussing the 1994 amendment).
- ↑ United States v. Middleton, 231 F.3d 1207, 1212 n.2 (9th Cir. 2000) (citing S. Rep. No. 104-357).
- ↑ 18 U.S.C. §1030(e)(2) (1996).
- ↑ Id. §1030(e)(2)(B) (2001).
- ↑ See, e.g., United States v. Drew, 259 F.R.D. 449, 457 (C.D. Cal. 2009) ("[T]he latter two elements of the section 1030(a)(2)(C) crime [obtaining information from a protected computer] will always be met when an individual using a computer contacts or communicates with an Internet website"); United States v. Trotter, 478 F.3d 918, 921 (8th Cir. 2007) ("No additional interstate nexus is required when instrumentalities or channels of interstate commerce are regulated") (internal citations omitted); Paradigm Alliance, Inc. v. Celeritas Technologies, LLC, 248 F.R.D. 598, 602 (D. Kan. 2008) ("As a practical matter, a computer providing a 'web-based' application accessible through the internet would satisfy the 'interstate communication' requirement").
- ↑ 18 U.S.C. §1030(e)(2)(B).
- ↑ Id. §1030(e)(2)(B) (2001).
Source[]
- Prosecuting Computer Crimes, at 4-5. ("Analysis" section)