Internet Law
by Tom W. Bell

Ch. 09: Hacking Claims and Defenses


Table of Contents

Ch.  Subject
01:  Course Management
02:  Introduction
03:  "Law" Online
04:  Free Speech
05:  Privacy
06:  Trespass to Chattels
07:  Intellectual Property
08:  Encryption
09:  Hacking
    A.  CFAA
    B.  PPA & ECPA
    C.  State Law

10:  Commerce
11:  Jurisdiction
12:  Lawyers Online
13:  Review

A. Computer Fraud and Abuse Act

U.S. v. Morris, 928 F.2d 504 (2d Cir. 1991) (affirming that release of internet worm violated Computer Fraud and Abuse Act notwithstanding lack of intent to cause harm) [an alternate source]

North Texas Preventive Imaging, L.L.C. v. Eisenberg, 1996 U.S. Dist. LEXIS 19990 (C.D. Cal. Aug. 19, 1996) (SA CV 96-71 AHS (EEx)) (denying motion to dismiss claim that "software bomb" violated CFAA) [an alternate source]

U.S. v. Czubinski, 106 F.3d 1069 (1st Cir. 1997) (holding that mere unauthorized browsing of computer files did not constitute a felony under CFAA or other federal statutes) [an alternate source]


  1. As the cases in this section indicate, the unauthorized use ("hacking") of computer systems can give rise to criminal claims and defenses. Other Internet uses can, of course, trigger criminal sanctions under other laws, among them such federal ones as the Copyright Act, the National Stolen Property Act, federal mail and wire fraud statutes, the Communications Decency Act of 1996, the Child Pornography Prevention Act, and the Child Pornography Prevention Act of 1996. Assorted state laws show a corresponding sensitivity to the wide variety of criminal acts perpetrated on the Internet.

  2. The USA Patriot Act of 2001, Public Law No. 107-56, signed by President Bush on Oct. 26, 2001, amended various portions of both the CFAA and ECPA with the aim of improving the federal government's response to terrorist activity. For present purposes, the amendments made by § 814 of the USA Patriot Act to § 1030(a)(5) of the CFAA bear the most attention. Those amendments retain the former language of § 1030(a)(5) but squeeze it all into sub-sub-subsection (A) by putting under (i), (ii), and (iii) what had formerly been under (A), (B), and (C), respectively. Then § 814 of the USA Patriot Act adds a new § 1030(a)(5)(B) to the CFAA, which in relevant part targets:

    conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--

    (i) loss to 1 or more persons during any 1-year period (and, for purposes of . . . [a] proceeding brought by the United States only, loss . . . affecting 1 or more other protected computers) aggregating at least $5,000 in value;

    . . .

    (iii) physical injury to any person;

    (iv) a threat to public health or safety; or

    (v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security . . . .

  Although the CFAA already provided for the prosecution of attempts, in § 1030(b), the amendments set forth above, together with related ones in § 814 of the USA Patriot Act, radically increase the penalties both for attempts and completed crimes covered by the statute. For one interpretation of that as-of-yet-untested law, see Dept. of Justice Criminal Division, Computer Crime and Intellectual Property Division, Field Guidance on New Authorities that Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001 (November 5, 2001).

  3. Note that Morris was tried under an earlier version of the CFAA, § 1030(a)(5) of which covered anyone who "intentionally accesses a Federal interest computer without authorization . . . and thereby (A) causes loss . . . ." Section 1030(a)(5) now covers anyone who "(A)(i) knowingly causes [a] transmission . . . and as a result . . . intentionally causes damage . . . ; (ii) intentionally accesses a protected computer without authorization, and . . . recklessly causes damage; or (iii) intentionally accesses a protected computer without authorization, and . . . causes damage . . . ." How would you now plead the case against Morris? Do you think that you would obtain the same result?

  4. Suppose that your client sells software and wants to install a time bomb of the sort at issue in North Texas Preventive Imaging, L.L.C. v. Eisenberg. What does that case suggest you should tell your client?

  5. Do you think that Czubinski was guilty of violating § 1030(a)(2), (3) of the CFAA? If so, what penalty would he face? See id. § (c)(2)(A).

  6. For a case interpreting the scope of the CFAA's protections, see U.S. v. Middleton, 231 F.3d 1207 (9th Cir. 2000) (affirming that corporation included within scope of CFAA provisions criminalizing damage "to one or more individuals").

Useful Resources and Optional Reading

  • Computer Fraud and Abuse Act, 18 USC § 1030 (2000)

  • Dept. of Justice Criminal Division, Computer Crime and Intellectual Property Section, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (July 2002) (guiding federal agents and attorneys in the search and seizure laws applicable to computers, computer networks, and the Internet)

  • For a table of cases recently prosecuted under the CFAA, including helpful summaries of the interests harmed, targets, perpetrators' characteristics, and punishments, see Dept. of Justice Criminal Division, Computer Crime and Intellectual Property Section, Computer Crimes Case Chart (December 14, 2001).

  • In Re DoubleClick, Inc. Privacy Litigation, 00 Civ. 0641 (NRB) (S.D.N.Y. March 28, 2001) (dismissing plaintiffs' claims that defendant's use of cookies violated ECPA, Wiretap Act, and CFAA)

  • U.S. v. Sablan, 92 F.3d 865 (9th Cir. 1996) (following Morris in affirming that lack of intent to cause harm does not bar prosecution under CFAA) [an alternate source]

  • U.S. v. Fernandez, 1993 U.S. Dist. LEXIS 3590 (S.D.N.Y. 1993) (discussing and denying various defenses raised in an intrusive hacker case), affirmed 1997 U.S. App. LEXIS 2382 (2nd Cir. Feb. 12, 1997) (96-1408) (unpublished)

  • Bruce Sterling, The Hacker Crackdown (Texinfo Ed. 1.2, Feb. 1994) (describing culture and practices of hackers and law enforcement agents)


Bell's Class 24: Please read the materials in Ch.09.A.


B. Privacy Protection Act and Electronic Communications Privacy Act

Steve Jackson Games, Inc. v. U.S. Secret Service, 816 F.Supp. 432 (W.D. Tex. 1993) (finding that Secret Service violated Privacy Protection Act and Electronic Communications Privacy Act) [an alternate source]

Steve Jackson Games, Inc. v. U.S. Secret Service, 36 F.3d 457 (5th Cir. 1994) (affirming that seizure of computer does not constitute interception under ECPA) [an alternate source]

Davis v. Gracey, 111 F.3d 1472 (10th Cir. 1997) (affirming summary judgment against plaintiffs' claims that defendant police officers violated PPA, ECPA, First Amendment, and Fourth Amendment in searching and seizing computer equipment, software, and email) [an alternate source]


  1. As noted above, the USA Patriot Act of 2001, Public Law No. 107-56, recently amended the ECPA in various ways. For instance, § 212 of the USA Patriot Act amends § 2702 of the ECPA to create an exception allowing providers of remote computing or electronic communication services to divulge customer information to government entities in the event such a provider reasonably believes doing so will mitigate an immediate danger of death or serious physical injury to any person. Also, § 217 of the USA Patriot Act amends §§ 2510-11 of the ECPA to provide that subject to certain limitations a person acting under color of law does not violate the privacy of a computer trespasser by intercepting communications of that trespasser transmitted to, through or from a protected computer.

  2. Suppose that you were a federal agent eager to intercept email communications but wary of violating the ECPA. How might you use reasoning of the trial and appellate courts in Steve Jackson Games, Inc. v. U.S. Secret Service to accomplish your ends?

  3. Guest v. Leis, 255 F.3d 325 (6th Cir. 2001), offers a nice contrast to Steve Jackson Games. In finding no liability arose under the ECPA for defendants' access to stored communications and subscriber information, the Guest court commented, "The [Steve Jackson Games] court appeared to assume that the provisions of the ECPA require notice to subscribers even when police are operating with a valid warrant, an understanding we do not find supported by the statute." 255 F.3d at 339 n. 7. Furthermore, in finding no liability arose under the PPA for the seizure of PPA-protected materials commingled on a criminal suspect's computer with criminal evidence, the Guest court distinguished Steve Jackson Games on grounds that in the latter case, "The owner of the computers was not a criminal suspect, and the court found that the agents had read the electronic communications and deleted some documents." 255 F.3d at 342 n. 12.

  4. The court in Konop v. Hawaiian Airlines, Inc., 236 F.3d 1035, 1046 (9th Cir. 2001), offered a critical analysis of Steve Jackson Games: "It makes no [] sense that a private message expressed in a digitized voice recording stored in a voice mailbox should be protected from interception, but the same words expressed in an e-mail stored in an electronic post office pending delivery should not." Relying in part on suggestive amendments to an unrelated part of the ECPA, the Ninth Circuit concluded, "We hold that the Wiretap Act protects electronic communications from interception when stored to the same extent as when in transit." Id. But the Ninth Circuit subsequently withdrew the opinion, 2001 U.S. App. LEXIS 19206 (9th Cir. August 28, 2001), and issued a new one, 302 F.3d 868 (9th Cir. 2002), that embraced the Steve Jackson Games court's interpretation of the ECPA.

  5. In addition to the remedies they enjoy under the PPA and the ECPA, parties accused of criminal hacking enjoy Fourth Amendment protections against unreasonable search and seizure. For a recent case exploring the Fourth Amendment's application to the search and seizure of a computer hard drive, see Trulock v. Freeh, 2001 U.S. App. LEXIS 27341 (4th Cir. Dec. 28, 2001) (No. 00-2260), wherein plaintiff Trulock objected that FBI agents had violated his Fourth Amendment rights by searching files he had protected with a password and stored on a hard drive shared with plaintiff Conrad. To the FBI's claim that Conrad had consented to the search, the court replied, "[B]ecause he concealed his password from Conrad, it cannot be said that Trulock assumed the risk that Conrad would permit others to search his files. Thus, Trulock had a reasonable expectation of privacy in the password-protected computer files and Conrad's authority to consent to the search did not extend to them. Trulock, therefore, has alleged a violation of his Fourth Amendment rights." Id. at *20-*21. The court nonetheless found the defendants entitled to qualified immunity on grounds that a reasonable officer would not have known the search violated clearly established law. "[W]e are aware of no reported cases answering whether an individual has a reasonable expectation of privacy in password protected files stored in a shared computer. . . . [T]he law of computers is fast evolving, and we are reluctant to recognize a retroactive right based on cases involving footlockers and other dissimilar objects." Id. at *22.

Useful Resources and Optional Reading

  • Privacy Protection Act, 42 USC § 2000aa et seq. (1999)

  • Electronic Communications Privacy Act, 18 USC §§ 2510-22, 2701-2711 (1999)

  • U.S. v. Riggs, 743 F. Supp. 556 (N.D. Ill. 1990) (discussing and denying various defenses raised in intrusive hacker case)


Bell's Class 25: Please read the materials in Ch.09.B.


C. State Law

Thrifty-Tel, Inc. v. Bezenek, 54 Cal. Rptr. 2d 468 (Cal. Ct. App. 1996) (affirming judgment that unauthorized access to telephone system constituted trespass to chattels and fraud) [an alternate source]

Second Amended Verified Original Petition and Application for TRO and Temporary Injunction, Universal Image, Inc. v. Yahoo, Inc., No. 99-13839-A (County Ct. Dallas County, Tex., filed Jan. 18, 2000) (complaining that unauthorized use of cookies constituted, inter alia, criminal trespass and stalking) [an alternate source (PDF format)]

People v. Lawton, 48 Cal. App. 4th Supp. 11, 56 Cal. Rptr. 2d 521 (Cal. App. Dep't Super. Ct. 1996) (affirming conviction under California anti-hacking statute for permissible use of hardware to impermissibly access software) [an alternate source]


  1. Although neither Thrifty-Tel, Inc. v. Bezenek nor Universal Image Inc. v. Yahoo, Inc. represents a criminal proceeding, a willing prosecutor could probably adapt the claims therein with little difficulty.

  2. Do the arguments made by the complaint in Universal Image Inc. v. Yahoo, Inc. seem to you a natural extension of the arguments adopted by the court in Thrifty-Tel, Inc. v. Bezenek? Why or why not?

  3. Why do you suppose that the plaintiff in Thrifty-Tel, Inc. v. Bezenek did not avail itself of the same California anti-hacking statute applied in People v. Lawton? It was surely not for want of a civil remedy; Cal. Penal Code § 502(e)(1) gives private parties the right to sue for violations of the act.

Useful Resources and Optional Reading

  • Cal. Penal Code § 502 (2000) (criminalizing various types of unauthorized access to computer) [scroll down the accessed page to the section cited]

  • CigarCafe, L.C. v. America Online, Inc., 50 Va. Cir. 146 (Cir. Ct. City of Alexandria June 30, 1999) (dismissing plaintiff's claim that defendant committed criminal trespass by denying plaintiff access to its site and removing its pop-up ads from defendant's computer network)

  • State v. Allen, 260 Kan. 107, 917 P.2d 848 (1996) (affirming dismissal of complaint based on Kansas anti-hacking statute)

  • State v. Riley, 121 Wn.2d 22; 846 P.2d 1365 (Wash. 1993) (interpreting "computer trespass" under Washington state statute)


Bell's Class 26: Please read the materials in Ch.09.C.


(C) 2001-05 Tom W. Bell. All rights reserved. Fully attributed noncommercial use of this document permitted if accompanied by this paragraph. - v.2005.11.09