OK, so would you be OK with it if unauthorized access to a computer system (e.g. an ex-employer's or some other case where the lack of authorization is clear and criminal intent is present) resulted in a charge of burglary?
The problem is that there is already a well developed set of laws to govern human interactions with each other and with the environment. This is like the broken patent system: it's something that has been done for 40 years, except on a computer! We do not need a patent for that, and we do not need a new law for stealing information on a computer. We already have laws for theft.
The problem the authors of CFAA faced when the law was written is that this is actually not the case. Existing laws regarding e.g. burglary did not cleanly apply to computer crimes.
I think there are probably cases that do a better job showcasing the need for computer-specific crime laws, and crimes that do a worse job at that. Basic wire fraud cases don't really need CFAA from what I can tell, and CFAA serves primarily as a sentence accelerant in them. But in other cases, particularly where people cause damage but don't reap profits, the need for specific laws is clearer.
Was it really the case that someone could steal information from a computer and not be charged with a crime, or indicted by a grand jury and then successfully prosecuted under existing law, and that until recently, when information was stolen from a computer, that was not a crime?
It would be an awful lot easier to argue that. I'd need to go back and look up a bunch of cases which I don't feel like doing at present because it would be a large research project, but absent any specific computer-crime laws I'd argue that because a computer is a digital system and a digital system is just a complex agglomeration of switches, there's no qualitative difference between accessing a computer system and turning a light switch on and off. You'd never convict someone of a crime for turning a light switch on and off; if they entered your office at night to do so that would just be trespass rather than burglary. So how is operating a computer all that different? You're just opening and closing a few million different circuits. Sure, you could say my client illegally obtained information by doing so, but where is this information? Can you produce it in evidence? If you can't do so without printing it out, and you can't show that my client printed it out, where is the crime? Etc. etc. Likewise I could argue that no fraud has taken place because fraud involves a deception, a deception involves a deceiver and a deceived, and computers are not sapient, therefore they're not capable of being deceived. Defeating a login system isn't a case of deception because the administrator of said system was not consulted for permission; arguably he automated away his duty of granting or withholding access and the defendant should not be blamed for the inadequacy of that automated process.
Sure, these are bullshit arguments, but the point is that our legal system works on a rough mix of common sense and code. If I can find an exploitable ambiguity in statute or precedent and apply it to a defendant's case, then it's like an exploit in which throwing an exception is equivalent to a trial resulting in an acquittal. We have laws defining what a computer system is and what constitutes access to one etc. precisely because the virtualized nature of digital information makes it tricky to apply laws that were drafted to deal with theft of physical property.
Is the intent of existing law considered as part of the concept of common law? Would the average member of the jury really not understand this? Why couldn't a prosecutor receive an indictment and then argue this before a court and jury and thereby develop the methodology to approach this problem? This process may require several cases but wouldn't that be preferable to have jurists extend common law rather than have legislators parachute in new laws that obviously have problems?
Those are very good questions: the fact is that there is a huge amount of tension between the judicial and legislative branches, and within the judicial branch itself, about where the boundary lies between judges' interpretation and reasonable interpolation of the law, and the text of statute as written. Conservative jurists like Justice Antonin Scalia think you should always go by the text of the law, and that it's dead wrong to consider legislative intent, no matter how obvious or well-documented it is/was; this approach (known as textualism) holds that if a law is no good, the correct remedy is for Congress to rewrite it. Judges should only dismiss a law as unconstitutional or go around it in cases where there is a clear and unambiguous conflict between the Constitution and the statute. Other jurists, such as Justice Stephen Breyer, look at the Constitution as more of a framework document and think that you absolutely need to examine laws within the context in which they were passed and in the light of which problem they're intended to solve.
This is a very gnarly question, with good arguments on both sides - but in addition, there's a lot of unstated political baggage tied to both sides of the argument, so that what is on the surface a question of legal philosophy is on closer examination rooted in quite different philosophies of governance.
Now myself, I like the common-law approach and I would prefer a general class of crimes and that the details of individual cases be taken up by wise jurists. On the other hand, it's not a foregone conclusion that all judges are wise or selfless, and of course there might be judges who are both but who would come to quite different conclusions from me because they operate on a different moral calculus. So for the sake of consistency and predictability, there's a strong argument to have laws debated and promulgated by legislators rather than judges, so that anyone can go and look them up for guidance about what is and is not legal. Of course that involves some idealistic assumptions about legislators...
If you like high-density reading material, I strongly recommend How Judges Think by Judge Richard Posner.
You think I'm arguing something I'm not arguing. I'm not saying there aren't crimes that are chargeable under CFAA that could be better charged under a pre-existing law. I'm just saying there are crimes that can't be charged that way, thus the need for computer-specific crime laws.
CFAA is not a good computer-specific crime law. Two gigantic problems with it: sentences that scale linearly with damages despite the fact that criminal intent and diligence do not scale the same way, and the CFAA's "sentencing accelerant" property, where it bonds covalently with other criminal charges to increase penalties.
I understand and I share your point of view to a degree, but I remain skeptical that until CFAA, there were no successful prosecutions for crimes that we are told are only now covered by CFAA. Computers and criminals have been around for a while now.
I am also opposed to the idea that we need specific crime laws for things like this. What about vehicular manslaughter while listening to an iPod, and why would that not be covered as distraction equivalent to listening to radio, which I assume and also hope that it would be. There should be some respect for the intent of existing law in addition to the letter, because we do have laws for theft and I am certain that the intent of those laws covers these cases.
Before CFAA, computer crimes were charged under wire fraud statutes. But to prove wire fraud you have to establish the elements of a fraud, which include deliberate intent to secure some kind of gain from your deception.
Would the charge be burglary for unauthorized access, or burglary if information was stolen after unauthorized access, and otherwise breaking and entering or just entering? To that, yes. If the information that was stolen was then used to commit other crimes, then other charges should follow as appropriate.
The former. Burglary (in some places criminal trespass) is entry to premises with the intent of committing a crime [1]. Anyway we're on the same page, insofar as you're OK with extending existing law to cover virtual intrusions. See my other comment upthread, though.
1. The exact definition varies by state - in some places only residences can be burgled (but you can have criminal trespass on commercial premises) and now that I think of it burglary is usually defined as taking place during the night, whereas in the daytime the same crime would be breaking & entering, and so on.