How Does Computer Fraud and Abuse Act18 U.S.C. § 1030(a)(2)(C)] Affect Blockchain, Crypto and Defi?
As the the US government attempts to force regulation on blockchain, cryptocurrency and decentralized finance; imagine a bunch of senior citizens forcing a puzzle piece into the wrong spot, I want to take the time to examine one possible regulatory means: the Computer Fraud and Abuse Act18 U.S.C. § 1030(a)(2)(C)] (hereinafter referred to as the “CFAA”.
The CFAA makes it a federal crime to “access a computer without authorization or exceed authorized access and thereby obtain information from any protected computer exceeding authorization.” “[U]nauthorized access means to obtain or alter information in the computer that the accessor is not entitled to obtain or alter.” It’s the exceeding authorized access prong that is both protective and worrisome.
The CFAA predates the modern computer and there is a ton of Federal Court precedent interpreting the CFAA as computers have become indispensable to our society. The position taken by the Eleventh Circuit regarding the CFAA may protect crypto users negatively affected by frauds that occur inside of watching projects (IE Rug Pulls). Although the Vanburen case had nothing to do with crypto I think it could be extended to protect the industry. I.E. If an insider at a crypto exchange has the right to access private keys, customer data and overall value and uses that access improperly that insider could be charged under the CFAA & subject to criminal penalties. Think stealing from the blockchain or misappropriatingholders personal information causing injury.
However, there is also potential for regulatory overreach. The 11th Circuit’s interpretation of the CFAA could also implicate an office fantasy football league or a March Madness pool in violation of company policies. It’s important to note that for the CFAA to apply there typically needs to be “terms of service” or rules which are being broken. In Vanburen a police officer utilized the police database to obtain unauthorized information on another person.
The 1st, 5th, 7th and 11th Circuits have imposed liability where a person with access to data on a system/protocol exceeds the scope of their authorization by obtaining information. How and when this will be applied to blockchain is the question. On the other hand, the 2nd, 4th and 9thCircuits have opined that a person violates the CFAA only if they access data on a computer they are prohibited from accessing for any reason. This is a less stringent interpretation.
The broad 11th Circuit interpretation may suggest a trader on a crypto exchange who spoofs, churns or washes trades or who engages in rug pulls may be subject to criminal liability under the CFAA as long as their https://restislaw.com/liability-51-attacks-cfaa/e are pre-exisitng terms of service. Seems like a good thing. This interpretation could also prevent 51%attack against public network blockchains if a court viewed the consensus rules, work, smart contracts and software as contributed by miners to form implied contracts. A 51% attack refers to an attack on a blockchain—most commonly Bitcoin, by a group of miners controlling more than 50% of the network’s mining hash rate or computing power. The CFAA is undeniably a regulatory presence preventing 51% attacks, but they aren’t exactly happening everyday.
While the CFAA prohibits anyone to distribute computer code or place it in the stream of commerce if they intend to cause either damage or economic loss, there is a real risk of regulating individuals operating within a protocol with no such malicious intent. Furthermore, the courts have traditionally held that the mere possession of code, even if harmful, is speech protected under the First Amendment.
Moral of the story is that we have regulation in place which could be interpreted to help crypto actors, but the worry is that governments will attempt to usurp the courts and interpreting these regulations in line with their lack of understanding of the overall industry.