In August 2015, hackers exposed approximately 33 million user records associated with the extra-marital affair website Ashley Madison. The hackers made this data available to the public through torrents and other file sharing protocols. This data became instantly irresistible to the media and suspicious spouses everywhere. However, is accessing the user records illegal under the Computer Fraud and Abuse Act? While many legal scholars agree that accessing or publishing this data is not likely a violation of the Computer Fraud and Abuse Act, the United States Attorney’s office does not necessarily see it that way.
“Once you download or distribute hacked information without specific permission or a fair use license, you've exposed yourself to potential criminal liability under the Computer Fraud and Abuse Act,” says a representative of the Chicago U.S. Attorney’s office. “An individual who retweets or forwards a link to a website containing hacked information could potentially be viewed as an accessory to the hack after the fact.”
A “hack after the fact” leads not only to criminal penalties but also to a civil cause of action under the Act, which is quickly becoming a leading statute in U.S. cybersecurity law.
This Article describes problems inherent in the Act when compared with modern web-based applications and how savvy civil litigators are “hacking” the Computer Fraud and Abuse Act for their own purposes, namely as a para-copyright tool. This “hack” is accomplished by exposing two vulnerabilities: (1) the literal application of the term “access controls” encompassing token controls; and (2) the mere facial review of loss declarations. For example, by taking advantage of these two vulnerabilities, attorneys for Craigslist were able to secure exclusivity to the publicly-available advertisements on its website.
This Article’s solution to the vulnerabilities is to build in reference to data security standards and define the type of data protectable under the Act, specifically private and confidential data.
Nicholas A. Wolfe, Using the Computer Fraud and Abuse Act to Secure Public Data Exclusivity, Nw. J. Tech. & Intell. Prop.