Subscribe with Bloglines The Privacy Lawyer: The Computer Fraud and Abuse Act...and unauthorized wireless network access

Friday, August 19, 2005

The Computer Fraud and Abuse Act...and unauthorized wireless network access

The best fit of all US national laws (other than trespass) is the CFAA (the computer fraud and abuse act). It criminalizes intentional access of a computer. The CFAA was used in a case involving Lowes and someone who accessed an open wireless access point (a WAP) to steal credit card information of Lowes customers stored on their network. Here the access was a small component of the larger criminal activity.

The law requires the intent to access, as well as a requirement that there is some damage caused by the unauthorized access. It also requires proof (at least by implication) that the access is unauthorized. There are many factors that can be usewd ot prove that the person accessing the WAP knew that it belonged to a family (such as when they use their surname to name their WAP) and therefore the interloper should have known it was unauthorized.

But what is the damage? perhaps increased demand on the wireless bandwidth? The CFAA provides that damage can include any impairment to the intergity or availability of data, a program, the syste or information. (1030(a)(5)(A)(ii). Diminishing the capacity or slowdowns may qualify as an impairment, under the law. The mere exchange of information is enough to trigger a misdemeanor (although it is arguable that a violation of the CFAA's section 1030(a)(2) may not be triggered by a mere exchange of packet and IP information required in the mere act of accessing a WAP).

although not designed to criminalize the unauthorized access of an unsecured WAP alone, as prosecutors seek laws to use to put netnappers in jail...they will probably look to this one.

until later...