User:Lbm67/sandbox

The California Comprehensive Computer Data Abuse and Fraud Act (also known as "CCCDAFA" or "CDAFA" or "CDAF" or "§ 502") is codified in § 502 of the California Penal Code. It was enacted in 1987, soon after the analogous federal Computer Fraud and Abuse Act ("CFAA"). The impetus for these statutes, and similar statutes in many other states, was a rise in computer crime and an increasing fear of hacking. The law itself states that "the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data." The CCCDAFA, like the CFAA, expands liability for accessing and interfering with another's electronic data. The Act broadly criminalizes "unauthorized computer access," which generally means the access of computer or data without permission. It has been criticized for its breadth and potential to punish common and harmless behavior.

Provisions
Section 502(c) makes it a public offense to knowingly introduce a computer contaminant to any computer or computer system. "Computer contaminant" is defined in Section(b)(12), and includes viruses and worms.

It is also an offense to knowingly, and without permission, commit any of the following acts:


 * Alter or use any data or computer system for fraudulent purposes
 * Copy any data or supporting documentation within a computer system
 * Use or disrupt, or cause to be used or disrupted, "computer services"
 * Assist in providing access to a computer or computer system
 * Use another's name or profile to send email that damages computer systems or data
 * Cause disruption of government computer services

Although all 50 states have computer hacking laws, only 19 states have laws that provide a civil right of action. California became one of these 19 states in 2000, when it passed an amendment sponsored by eBay. California later passed additional amendments that allow plaintiffs to recover punitive damages and attorneys' fees. Any plaintiff who can show "damage or loss" can bring suit under the CDAFA, as the Act does not require a minimum amount of loss.

Penalties
Most activities under § 502 can be charged as either a misdemeanor or a felony. The penalty for a misdemeanor under the Act is jail time not exceeding one year and/or a fine not exceeding $5,000. The penalty for a felony under the Act is imprisonment for 16-36 months and a fine not exceeding $10,000.

Comparison to the federal Computer Fraud and Abuse Act:
The California Act is seen as the state analog to the federal Computer Fraud and Abuse Act, but there are several key differences. The federal CFAA only imposes liability when a defendant accesses a computer "without authorization." Under California's Act, the computer access need not necessarily be unauthorized for the conduct to be considered unlawful. A defendant can be liable under the state Act just for "knowing" access to a computer if they subsequently use data from the computer without permission. In other words, the CFAA prohibits unauthorized access, whereas the CDAFA prohibits unauthorized use, even if a defendant had authorization to access the computer.

The federal and state acts also have different damages provisions. While the CFAA imposes a floor for the amount of damage required to incur liability, the CDAFA does not; any amount of damage is enough to state a claim under the CDAFA.

Technical Access Barrier Rule
The Technical Access Barrier Rule requires that, in order for computer access to count as "unauthorized," a defendant must circumvent some security measure (or "barrier to access"). The Northern District of California has invoked the Technical Access Barrier Rule in interpreting the CCCDAFA, but not in interpreting the CFAA. While many advocates have argued that the Technical Access Barrier Rule should be a tool to constrain broad applications of these types of statutes, Michael Dorsi and Keenan Ng have argued that the rule has no such effect, because when a CCCDAFA claim is dismissed based on the Rule, CFAA claims are generally dismissed on some other ground, and when a CCCDAFA claim is "particularly egregious," courts will find a way to uphold the conviction regardless of technical barriers to access.

The Technical Access Barrier Rule was initially introduced by the Northern District of California in a motion in the 2012 Facebook v. Power Ventures case. The court applied the rule to the CCCDAFA, but did not consider whether it would apply to the CFAA. After that order was issued, other cases in the Northern District followed its holding, requiring circumvention of a technical barrier in order to convict a defendant under the CCCDAFA. Ultimately, the Facebook v. Power Ventures case was resolved on summary judgment for Facebook on CFAA grounds, so the Technical Access Barrier Rule was not considered by the Ninth Circuit.

In 2013, a California state appellate court considered a situation where a defendant who had permission to access the City and County of San Francisco's computer network blocked the city from using it, without circumventing any security measures. The court held that he had violated the CCCDAFA even though he had not hacked the network.

Legislative History
Before the enactment of the CCCDAFA, the 1979 version of Section 502 prohibited 1) accessing a computer system to intentionally commit fraud and 2) maliciously accessing or damaging a computer system. Up until 1987, when the previous version of Section 502 was repealed and replaced with the CCCDAFA, accessing a computer was always "a key element of the offense."

The initial version of the CCCDAFA, enacted in 1987, enumerated seven distinct crimes, and two more were added in 1989 and 1998. The Act was drafted by the Computer Crime Task Force, a subcommittee of the Los Angeles County Criminal Justice Coordinating Committee, as Senate Bill 255. The American Civil Liberties Union opposed the provision of bill that allowed law enforcement to seize a computer that had been used to in a crime because it was "tantamount to a bounty."

The most recent amendment to the law was made in 2019, and clarified that the Act includes computers that are inside or connected to motor vehicles.

Notable Cases:
The following cases have considered the CCCDAFA and how it should be interpreted. The California Supreme Court has never interpreted the Act.


 * Facebook v. Power Ventures (9th Cir. 2016)
 * Power Ventures scraped data from Facebook, and continued to do so after receiving a cease & desist letter from Facebook. It was a violation of the CDAFA to continue scraping data after receiving a cease & desist letter, because Power Ventures "knowingly accessed and without permission took, copied, and made use of Facebook’s data." The Ninth Circuit held that Power Ventures' conduct violated the CFAA as well.
 * United States v. Christensen (9th Cir. 2015)
 * The Ninth Circuit clarified that "access" includes logging onto a database with a valid password, and then using data from it without permission. The court also held that the California CDAFA, unlike the federal CFAA, criminalizes knowing access, not just unauthorized access.
 * People v. Tillotson (2007) 157 Cal.App.4th 517.
 * A California appellate court clarified that access, alone, to an unauthorized computer is not enough to violate the Act, because under § 502(c)(1), the defendant must knowingly access a computer system and, without permission, alter or use the data they obtain, and the purpose of the alteration or use is fraud or the like.
 * People v. Lawton (1996) 48 Cal.App.4th Supp. 11.
 * In upholding a conviction under § 502(c)(7), the court held that the prohibitions in CCCDAFA apply to software as well as hardware. Lawton had used the terminal on a public library computer to bypass basic security measures and access software that was not meant to be public.


 * People v. Childs
 * Terry Childs was a network engineer for the Department of Telecommunications and Information Services of the City and County of San Francisco, and was responsible for creating the city's new fiber-optic wide area network. Child's used his access to the network to block others from accessing the network, and was charged under § 502(c)(5). Childs argued that the Act was meant to apply to hackers, not to employees who were authorized to access computer systems. The court disagreed, and held that § 502(c)(5) applies to those who have authorized access to a computer system, but abuse that access.