INVITATION TO CYBERSECURITY 276 CFAA would likely not stick because of the university’s poor cybersecurity posture. The Family Educational and Privacy Rights Act (FERPA) protects student educational records, including transcripts, from unauthorized disclosure. That may mean in this case that the university could have a major cyber risk management issue on their hands for failing to adequately safeguard that protected information. However, FERPA would have no bearing on Alice since she was not the steward of the protected data. Alice did not break a federal law, but she may have debatably crossed an ethical line (see Section 10.1). At the least, she should have asked her roommate first before trying her trick. The first conviction under CFAA was in 1990 in the United States v. Morris. As we saw in Chapter 3, Robert Tappan Morris unleashed the first worm (the Morris Worm) on the Internet when he had just graduated from Harvard and was on his way to graduate school at Cornell. The Morris Worm marked the end of cyberspace innocence and foreshadowed a future of cyberspace insecurity. It crashed thousands of computers and cost organizations tens of thousands of man-hours to recover. Morris’ case is especially interesting because his father was a high-ranking NSA official, and Morris was a brilliant young man who did not fit the stereotypical image of a felon. He showed a lack of judgment and did not think through the potential negative consequences of his actions. He had assumed that his malware would cause no actual damage, and had no intention of using it for any kind of profit. Rather, for him, his worm was an experiment to test the cybersecurity of the pre-Internet computer network. Unfortunately, Morris misjudged his worm’s “infection rate” parameter, and even though he intended his worm to be innocuous, it ended up crashing the systems it infected. So it could be said that his worm had a bug in it, and that was the real cause of Morris’ problems! Morris was rightly convicted of the CFAA and faced jail time, but the judge realized that probation, community service, and a fine better fit the full-context of the situation. Morris went on to become a professor at MIT. Because the CFAA is broad, it is charged in a wide variety of computer-related crimes, and sometimes this means the charges do not stick. In the United States v. Drew, a famous cyberbullying case where an adult woman created a fake social media profile and used it to humiliate a teenage girl that sadly ended up committing suicide, the United States government charged Drew with violating the CFAA. However, the law did not really fit the crime and Drew was acquitted. The judge found that she did not “gain unauthorized access” and did not ”exceed authorized access,” therefore, she was innocent of the charges. This upset some people who felt that Drew had obviously committed a crime and should have been punished. Since the time of her case, several states have passed specific laws criminalizing cyberbullying. If those laws were on the books at that time in the state where Drew lived, she likely would have been found guilty. But since laws are not retroactive, they had no bearing on her. 10.3.1.2 Electronic Communications Privacy Act The Electronic Communications Privacy Act (ECPA), also passed in 1986, complements the Fourth Amendment’s right to privacy. It is the most comprehensive United States law
RkJQdWJsaXNoZXIy MTM4ODY=