Sign Up
Stay current with GH&R Newsletters. Click here to sign up.
E-Commerce News
CFAA Does Not Require Intent To Harm; Fuzzy Zoeller Sues IP Address Registrant
May 22, 2007
CFAA DOES NOT REQUIRE INTENT TO HARMA U.S. Appellate Court recently considered what kind of intent is required for a conviction under the Computer Fraud and Abuse Act (CFAA). The question for the court was whether it was necessary merely to establish intent to access the information, or in addition, it was necessary also to establish intent to cause damage. According to the court, the only intent required is the intent to access information from a protected computer. While damages in excess of $5,000 must result, the government does not need to prove intent to cause those damages.
The CFAA prohibits anyone from “... intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] ... information from any protected computer." The statute imposes fines and prison terms, the steepest for felony offenses. The unauthorized access is a felony if "the value of the information obtained exceeds 5,000."
The defendant in the case sold customer credit account information for drugs. He admitted that he obtained the credit information by intentionally accessing the customer database without authorization. Apparently, the party who received the credit information caused at least $5000 in damages as a result of the access. The defendant hung his slim hopes for acquittal on the argument that he did not intend the damage that resulted nor did he think that his drug dealer would use the information to steal the customers' identities (why do you think they call it “dope”?).
Unlike the defendant’s drug connection, the court was not buying. The court pointed out that: "A plain reading of the statute reveals that the requisite intent to prove a violation of § 1030(a)(2)(C) is not an intent to defraud, ...it is the intent to obtain unauthorized access of a protected computer."
In short, once the government establishes an intent to access, and the damage threshold, it wins, even if the defendant never intended for the harm to ensue. This is a sensible ruling. A contrary result would have created an enormous loophole.
FUZZY ZOELLER SUES IP ADDRESS REGISTRANT
Fuzzy Zoeller recently filed a complaint in a Florida state court against a corporation that allegedly controlled the Internet Protocol address that posted an unflattering Wikipedia entry about him.
Although the complaint lists the plaintiff as “John Doe”, the filing attorney has confirmed that Zoeller is the plaintiff. According to the complaint, the Wikipedia entry unlawfully painted Zoeller as an alcoholic who abused his family.
The complaint did not name the Wikimedia Foundation, a non-profit that operates the Wikipedia.com Web site. In all likelihood that claim would have been barred by the immunity provided by the federal Communications Decency Act.
The complaint instead contends that Josef Silney & Associates Inc., a Miami education consulting firm, is liable for the posting. According to the complaint, the IP address from which the posting originated "is registered to" Josef Silney & Associates. The complaint contends that "an IP address is the equivalent of a computer's home address."
The complaint, which seeks recovery for defamation, invasion of privacy, publication in false light, and intentional affliction of emotional distress, is somewhat unique in its effort to pin publication liability on the IP address. Given the broad immunity afforded by the CDA, coupled with the difficulty in locating the actual author of such comments, this approach may offer the best hope for someone in Zoeller’s position.
This Newsletter is a periodic publication of Graydon Head & Ritchey LLP and should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and you are urged to consult your own advisor concerning your situation and any specific legal question you may have.