Federal Laws Part I. – Computer Fraud and Abuse Act (CFAA)

I haven’t posted on the blog for a long time, but there is a reason why. Lately I’ve been working on a study about the legal classification of the Terms of Service on social media sites. It has finally been published (yet only in Hungarian) and I had the opportunity to present my findings for the first time on a conference for PhD students. I will definitely share my thoughts about this topic on this site in the future, but now I would like to focus on the main subject of the blog, the legal aspects of online data after death. More precisely, on the effective federal laws in the United States, which refer to this issue.

Generally, we can declare there are three federal laws in the USA, which are connected to our topic in an outstanding degree:

  • Computer Fraud and Abuse Act (CFAA)
  • Electronic Communication Privacy Act (ECPA)
  • Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA)

RUFADAA is a federal law enacted by 24 member states at the moment, and it is a law regulating entirely the issue of how relatives (fiduciaries) can get access to the digital assets of their deceased loved one. I know that this is a key law of understanding the topic I am writing my posts about but as a good poker player I would like to delay my trump card for a later post. It is also important to get to know the other two federal laws.

This time I would like to introduce the importance of Computer Fraud and Abuse Act (CFAA).

The Computer Fraud and Abuse Act (CFAA) was enacted by Congress in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. This law has been made to prevent attacks against „protected computers”. At the beginning, this definition was applicable only for computers used by the US Government and its authorities.  It is basically a criminal law, but from 1994 private individuals and companies have the opportunity to start a legal action against the violators of this law.

CFAA name 7 different types of action which can be criminalized by this law. One is really important from our aspect: not only the access of a computer without authorization is a crime, but the exceeding the authorization also. Why is it important for us?

Because service providers often refer to this part of the CFAA when they refuse the request of leftovers for access to the online data of their deceased relative.  They would commit a crime by exceeding the authorization they get from the deceased person for storing their data and give access to the relatives. Naturally, there is no chance to get authorization from the “owner” of these data, unless there are provisions in the will about this problem.

Next time, I am going to introduce the connection of Electronic Communication Privacy Act to the topic of online data after death. And I promise it won’t take 3 and a half months again.

Born In The USA – Level Of Member States

The first legislature of the world which has found our issue to be something worth to take care of was the legal system of the USA. (Of course, I didn’t have a choice to check all the legal systems of the world, so I would receive happily any contradictions in the comments.) It is an interesting question why the USA was the first in this topic. Altought the answer is not as difficult as it seems: all the huge, multinational service providers (Facebook, Google, Yahoo, etc.) are established in America, and – maybe bacause of this fact – using the services of these companies is significantly common among the citizens of the USA.

connecticutAs far as I know, the first state of all was Connecticut in January, 2013 where written acts have been created about the problem of online data which belongs to people who have already passed away [https://www.cga.ct.gov/current/pub/chap_802b.htm#sec_45a-334a]. This act gave the power for the personal representative of the deceased person to access or copy the content of the person’s electronic mail account. The enactment of this act was a historical moment, it is clear.

rhode-islandThe second state was Rhode Islandhttp://webserver.rilin.state.ri.us/Statutes/TITLE33/33-27/INDEX.HTM ], where an act have been enacted word-by-word the same as in Connecticut.

 

 

indianaThe third state was Indiana in the line [http://iga.in.gov/legislative/laws/2016/ic/titles/029/]. This act was really similar to the one from Connecticut and Rhode Island, but used a better terminology by citing „electronically stored information and documents” instead of talking about only the e-mail account.

 

oklahomaThen came Oklahoma [http://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=460302] where they tried to find the golden mean between the too specific form used by Connecticut and Idaho and the too general used by Indiana. They put in the focus of their act the following group of data: e–mail account, social networking account, microblogging account, or short messaging service Web site.

idahoIn Idaho [https://legislature.idaho.gov/idstat/Title15/T15CH3SECT15-3-715.htm] we can find the same rules which grant the right for the personal representative of a deceased person’s estate to take control of, conduct, continue, or terminate a deceased person’s e–mail account, social networking account, microblogging account, or short messaging service Web site.

nevadaState of Nevada’s attitude was more conservative [https://www.leg.state.nv.us/NRS/NRS-143.html]. They only gave the right only to terminate the deceased person’s accounts for the personal representative.

 

 

virginiaIn Virginia [ http://law.justia.com/codes/virginia/2014/title-64.2/section-64.2-110/ ], only the personal representative of the deceased minor (person under 21) got right to access the minors online accounts.

 

 

delawareFinally, Delaware enacted a much detailed law based on UFADAA. What is UFADAA? This will be the topic of a following post, so we should stop here.

 

 

 

If we would like to evaluate the initial acts enacted by these states, we can appreciate the efforts and the braveness of creating laws about the online data after death for the first time, but we have to state: these acts by themselves rule only a small part of the big issue, so they are not able to grant a satisfactory solution to the problem.

 

Is this a legal issue at all?

It is a fair question, but the answer is a big indisputable YES. The extremist views about the internet as a law-free zone are left behind for years, but the right answers from legislatures to the sensitive issues of the intemperate use of the web are yet to come.

If we focus on our main topic – legal aspects of online data after death – as far as we know there has been only one legal system until know, where the legislative power tried to find answers for these complicated legal and moral questions.

Of course, we can approach it from a theoretical aspect. If we think of the rules of privacy law, we can be lost easily, because the most of the national privacy laws consider personal data as information which can be connected to a natural person. That means after someones death, his or her online data ceases to be personal data and become… What? There is no answer in these laws for this question.

Only the „right of the dead” which is actually the subsistence of the deceased personal rights, and a legal tool for the relatives can help the mourning relatives to defend their lost loved one’s memory against offending comments and other immoral online actions, but it does not mean they have right to get access to the leftover online data, family pictures, unsent messages, etc. This is the Bermuda Triangle of this topic, where there are so less answers, and several uncleared issues.

As far as we know we can find related acts in the legal system of the United States. There are two levels of these acts: federal and on the level of member states. What is the content of these laws, and what is the relationship from the aspect of application? This is what my next post is going to be about.