Technology Crime Defense

The Statutes

Computer Fraud and Abuse Act — 18 U.S.C. § 1030

The CFAA is the workhorse of federal computer crime prosecution. It criminalizes "unauthorized access" (§ 1030(a)(2)) and access that "exceeds authorization" — plus computer damage (§ 1030(a)(5)), extortion using computers (§ 1030(a)(7)), and trafficking in passwords (§ 1030(a)(6)). The problem has always been that "unauthorized access" is breathtakingly vague. For years, the government argued that violating a website's terms of service constituted "unauthorized access." The Ninth Circuit pushed back in United States v. Nosal, 844 F.3d 1024 (9th Cir. 2016). The Supreme Court finally drew a line in Van Buren v. United States, 593 U.S. 374 (2021), holding that "exceeds authorized access" only covers someone who accesses information outside the permitted areas of a computer — not someone who uses legitimately permitted access for an improper purpose. That ruling saved an enormous number of people from prosecution. It also left a lot of questions open.

We've watched the government charge security researchers under § 1030(a)(2) for finding vulnerabilities in systems they had permission to probe. We've seen CFAA charges used against former employees who accessed systems after their termination using credentials that hadn't been revoked — where the "without authorization" question turns entirely on when revocation is legally effective, not when the password stopped working. These cases require technical fluency. If the government can't explain the defendant's conduct accurately to a jury, the prosecution falls apart.

Electronic Communications Privacy Act — 18 U.S.C. §§ 2510–2523, 2701–2713

The ECPA has two main criminal tracks. The Wiretap Act (Title I, 18 U.S.C. §§ 2510–2522) prohibits intentional interception of wire, oral, or electronic communications. The Stored Communications Act (Title II, 18 U.S.C. §§ 2701–2713) prohibits unauthorized access to stored electronic communications. The difference matters — wiretap violations require real-time interception; SCA violations can involve accessing stored emails or data at rest.

ECPA charges arise from network monitoring tools configured to capture more than intended, IT administrators accessing employee communications, corporate espionage claims, and domestic disputes where one party installed software on a shared device. Carpenter v. United States, 585 U.S. 296 (2018), extended Fourth Amendment protections to cell-site location data and signaled that the Supreme Court is willing to reconsider digital privacy doctrine. The constitutional overlay on ECPA prosecutions is fertile ground for suppression motions.

Digital Millennium Copyright Act — 17 U.S.C. § 1201

Section 1201(a)(1) makes it illegal to "circumvent a technological measure that effectively controls access to a work protected under" copyright. Criminal liability attaches under § 1204 when the circumvention is willful and for commercial advantage or private financial gain. The problem — and it's a serious one — is that the statute captures an enormous amount of legitimate activity. Reverse engineering for interoperability, security research, accessibility modifications, and right-to-repair all technically implicate § 1201.

The Copyright Office runs a triennial rulemaking to carve out exemptions under § 1201(a)(1), but those exemptions are narrow and expire. Criminal DMCA charges against researchers are rare but they happen — and civil DMCA threats are used routinely to chill security disclosure. If you or your organization is facing DMCA anti-circumvention exposure related to security research, interoperability work, or right-to-repair activity, the exemption framework and the First Amendment arguments are worth a serious look.

CAN-SPAM Act — 15 U.S.C. §§ 7701–7713

Criminal CAN-SPAM violations require willfulness. Section 7705(b) makes it a felony — up to five years — to violate the Act willfully in connection with falsified header information or deceptive subject lines. The Act preempts state spam laws but not state fraud or computer crime statutes, which means a bad email campaign can generate parallel prosecutions. Liability turns on technical details: whether headers were falsified (§ 7704(a)(1)), whether the subject line misrepresents the content (§ 7704(a)(2)), and whether required opt-out mechanisms were functional. In United States v. Kilbride, 584 F.3d 1240 (9th Cir. 2009), the Ninth Circuit affirmed convictions under CAN-SPAM alongside wire fraud and obscenity charges. These cases are almost always bundled with other charges — standalone CAN-SPAM prosecution is unusual.

Telephone Consumer Protection Act — 47 U.S.C. § 227

The TCPA is primarily a civil statute — private plaintiffs can sue for $500–$1,500 per unsolicited call or text, which is why TCPA class actions are a cottage industry. But § 227(b)(1) creates strict liability for using an automatic telephone dialing system (ATDS) or prerecorded voice to call numbers without consent, and the FCC has enforcement authority with significant penalty authority. The central fight in TCPA litigation for the past decade has been defining what constitutes an ATDS. Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), held that equipment must have the capacity to use a random or sequential number generator — not just store and dial lists — to qualify as an ATDS. That significantly narrowed liability for most modern marketing platforms, but the litigation continues. If your automated messaging system is the subject of a class action or regulatory enforcement action, the technical characterization of your equipment is the whole ballgame.

Anticybersquatting Consumer Protection Act — 15 U.S.C. § 1125(d)

The ACPA creates civil liability for registering, trafficking in, or using a domain name that is "identical or confusingly similar" to a distinctive or famous mark — if done with "bad faith intent to profit." Congress listed nine non-exclusive factors for evaluating bad faith, and courts apply them inconsistently. The in rem provision (§ 1125(d)(2)) allows mark owners to sue the domain name itself in the judicial district where the registrar is located — useful when the registrant is overseas or anonymous. Statutory damages run from $1,000 to $100,000 per domain. ACPA claims often run alongside UDRP proceedings (the ICANN arbitration alternative), but a UDRP decision doesn't preclude a federal court action. We defend domain registrants — including portfolio holders and resellers — against ACPA claims where the "bad faith" characterization doesn't fit the facts.

Children's Online Privacy Protection Act — 15 U.S.C. §§ 6501–6506

COPPA requires verifiable parental consent before collecting, using, or disclosing personal information from children under 13. The implementing rule is at 16 C.F.R. Part 312. Civil penalties are $51,744 per violation — and the FTC counts each child's information as a separate violation. YouTube settled for $170 million in 2019. TikTok (then Musical.ly) settled for $5.7 million in 2019 and then faced a follow-on action in 2023. The FTC's enforcement posture under COPPA has become significantly more aggressive, and the definition of what makes an app or platform "directed to children" is litigated routinely. Mixed-audience platforms, apps with age gates, and EdTech companies operating in schools under FERPA are all in the crosshairs. If you're receiving a Civil Investigative Demand from the FTC on a COPPA matter, the investigative stage is the most important stage.

USA PATRIOT Act & Foreign Intelligence Surveillance Act

The PATRIOT Act — formally the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 — dramatically expanded federal surveillance authority and added technology-facilitated conduct to existing financial crime statutes. Section 802 expanded the definition of "domestic terrorism." Section 215 (now expired and replaced) authorized bulk collection of business records. The PATRIOT Act also expanded 18 U.S.C. § 1956 money laundering to reach cryptocurrency transactions in ways that still generate prosecutorial creativity.

The Foreign Intelligence Surveillance Act (50 U.S.C. §§ 1801–1885c) and the FISA Amendments Act's Section 702 authorize collection of foreign intelligence communications — including communications of U.S. persons when they're in contact with foreign targets. Digital evidence obtained under FISA orders surfaces in criminal prosecutions through parallel construction, which means defense counsel needs to understand not just the evidence presented but how it was actually obtained. Challenging the legality of FISA-derived evidence is procedurally complex and governed by 50 U.S.C. § 1806(e), which creates an in camera, ex parte review process. It's annoying. We do it anyway.

When the Trial Goes Wrong

Technology crime convictions are appealed at a higher rate than most federal convictions — and for good reason. The statutes are old, the facts are technically complex, and trial courts regularly apply interpretations that circuit courts later reject. If you've been convicted or received an adverse ruling at the district level, our technology appellate practice handles direct appeals, post-conviction review, and habeas proceedings for cases where the legal theory used to convict you isn't as solid as the government made it sound.