The ongoing conversation over the breadth of the Computer Fraud and Abuse Act (18 U.S.C. § 1030) sometimes overlooks the fact that states have their own expansive computer-fraud crimes on the books, too.
In California, Penal Code § 502 is the state-law parallel to the CFAA. I haven’t seen a discussion of PC § 502’s origins and its gradual expansion elsewhere, so let me (briefly) relate at least some of this story here. (I am omitting a discussion of the statute’s penalty provisions. These obviously are of great importance, but they would take too long to describe.)
Much more usefully, I also have attached links to some enrolled bill reports and other legislative history materials associated with the enactment of section 502 and the revisions to the statute that I describe below. I obtained these documents some time ago from the California State Archives, and I am happy to share them here.
1979: Two Crimes
The California legislature enacted PC § 502 all the way back in 1979. Section 502 wasn’t the first American state statute dedicated to computer crimes; that honor goes (I think) to a Florida law passed the prior year.
As originally enacted, PC § 502 set out only two crimes. First, section 502, subdivision (b) provided that “Any person who intentionally accesses or causes to be accessed any computer system or computer network for the purpose of (1) devising or executing any scheme or artifice to defraud or extort or (2) obtaining money, property, or services with false or fraudulent intent, representations, or promises shall be guilty of a public offense.”
The new crime at Section 502, subdivision (c), meanwhile, specified that “Any person who maliciously accesses, alters, deletes, damages, or destroys any computer system, computer network, computer program, or data shall be guilty of a public offense.”
Both the latter offense and that proscribed by PC § 502(b) resembled crimes already on the books. The new section 502(b) looked like a species of fraud; the new section 502(c) like vandalism (with a seed of trespass planted therein, which would germinate in later revisions to the statute).
An enrolled bill report for the measure acknowledged that the first of these crimes overlapped at least somewhat with existing offenses. The report observed that “[p]resent law could be construed to make computer fraud a crime.” But better safe than sorry, thought the Legislature; per the report, “This bill . . . clearly specifies a computer fraud as a crime.” (Italics added.)
Here is at least some of the legislative history for the 1979 law. My apologies for the lopsided positioning of the scans.
1981: More Crimes
In 1981, the legislature tacked another subdivision onto PC § 502. This provision added new offenses that involved a pair of relatively specific scenarios: the malicious acquisition of credit information stored on computers, and the wrongful manipulation of credit information stored on computers.
As enacted, the new subdivision provided:
“Any person who maliciously accesses or causes to be accessed any computer system or computer network for the purpose of obtaining unauthorized information concerning the credit information of another person or who introduces or causes to be introduced false information into that system or network for the purpose of wrongfully damaging or wrongfully enhancing the credit rating of any person shall be guilty of a public offense.”
Here is at least some of the legislative history for the 1981 law.
1984: More Crimes
The next significant revision of PC § 502 occurred in 1984. This time, the legislature acted after getting all freaked out by the movie “Wargames.” The new provisions addressed unauthorized “hacking”—obtaining unauthorized access to a computer for the mere “fun of it,” in the words of one contemporary report.
The measure that amended PC § 502 began with a series of findings:
Section 1. Legislature recognizes that the computer has now become an integral part of society. Because of this pervasiveness, the Legislature recognizes the need to protect the rights of owners and legitimate users of computer systems, as well as the privacy interests of the general public, from those who abuse these systems.
The Legislature finds that with the increased availability and use of computers by private individuals and by both public and private sectors, there has been a corresponding increase in the incidence of misuse and intrusions by unauthorized individuals. In order to discourage “browsing,” which has led to significant destruction of property and numerous instances of invasion of privacy, as well as to punish the more serious offenders, it is the intent of the Legislature to establish a range of penalties to correspond with the level of culpability of individuals who abuse computer systems.
In an effort to protect the rights of the general public and the rights of legitimate users of computer systems, the Legislature hereby declares its intent to establish sanctions against unauthorized intrusions into computer systems which are not intended for general public use for which access is limited by the owner or lessee.
Consistent with these concerns, the 1984 amendment to PC § 502 added another offense to the computer-crime mix. The new provisions made “hacking” a public offense, with the penalties ranging from a simple fine to imprisonment.
Specifically, the new § 502(e) provided that “Any person who intentionally and without authorization accesses any computer system, computer network, computer program, or data, with knowledge that the access was not authorized, shall be guilty of a public offense. This subdivision shall not apply to any person who accesses his or her employer’s computer system, computer network, computer program, or data when acting within the scope of his or her employment.”
In a sense, California was coming late to the anti-hacking party. Six years earlier, one of the offenses within Florida’s pioneering computer-crimes statute applied to “Whoever willfully, knowingly and without authorization accesses or causes to be accessed any computer, computer system, or computer network.”
Here is at least some of the legislative history for the 1984 law.
1987: More Crimes
The final significant revision of section 502 occurred in 1987, when the legislature chucked the existing version of the statute and replaced it with a new law developed by the ominous-sounding Computer Crime Task Force, a subcommittee of the Los Angeles County Criminal Justice Coordinating Committee. This Task Force consisted of “16 members including representatives from law enforcement, district attorney offices, the U.S. Attorney’s office, and private industry, including banks, accounting firms and big business.” To the surprise of absolutely no one, no representatives of the defense bar served on the Task Force.
In rewriting section 502, the legislature sought “to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems.” The alterations replaced the existing set of four crimes with seven offenses, each of which applied to “knowing” conduct that was engaged in “without permission,” as opposed to the “malicious” or “intentional” conduct associated with previously proscribed computer crimes.
The new section 502(c) provided:
(c) Except as provided in subdivision (i),* any person who commits any of the following acts is guilty of a public offense:
(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.
(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.
(3) Knowingly and without permission uses or causes to be used computer services.
(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.
(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.
(6) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.
(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.
* Subdivision (i)(1) clarified that the crimes specified at subdivision (c) did not apply “to any person who accesses or uses his or her employer’s computer system, computer network, computer program, or data when acting within the scope of his or her lawful employment.” Subdivision (i)(II) explained that the crime of “knowingly and without permission us[ing] or caus[ing] to be used computer services” did “not apply to any employee who accesses or uses his or her employer’s computer system, computer network, computer program, or data when acting outside the scope of his or her lawful employment, so long as the employee’s activities do not cause an injury . . . to the employer or another, or so long as the value of computer services . . . which are used do not exceed one hundred dollars.”
Here, here, and here is some of the legislative history for the 1987 law. There have been other amendments to PC 502 since 1987, but the story that I want to tell ends here—the same year as the worst rap song ever.
* * *
I haven’t traced the development of many crimes tethered to new technologies, but I’d wager that the aggrandizement of the computer-fraud statute follows a pretty common, or at least not uncommon, pattern for the evolution of these offenses. (I am 1000% certain that other professors have written on this issue. I am too lazy to spend a few minutes on Westlaw to dig up a good citation, however. My apologies.)
First, the legislature enacts an initial crime or crimes directly aimed at “improper” use of the technology, with this action being prompted by a single crime or another cue that suggests that the innovation might create new ways to commit old crimes. (1979) (In Florida, a scam in which scofflaws used a computer to print fake winning tickets at a dog track prompted the 1978 law.) The full capabilities of the technology not being apparent yet, the legislature frames these crimes in terms similar to those that describe existing offenses.
As new uses appear for the technology, so too do discrete, relatively narrow crimes associated with the technology’s extension to these specific contexts. (1981)
As the technology continues to diffuse to a broader audience and its capabilities become better known, legislatures enact additional crimes that address vague but widespread fears associated with the technology’s distinctive attributes. This class of crimes sometimes involves language that later proves regrettably broad, given the wider range of uses to which the more mature method or device will be put by a larger body of consumers. (1984)
Finally, the technology diffuses to a point when “The Professionals” feel compelled to enter the room and create a more comprehensive set of criminal laws. (1987) These laws sometimes retain the language of earlier-adopted crimes, warts and all. After all, even if some of these offenses may seem a bit too broad, there aren’t any defense attorneys on the Committee to complain.