Cyber Security is already a complex subject, but Cyber law makes it even more so. Cyber Law has constantly mutated over the past few decades as more and more complex threats have arisen with the need of being addressed. A quick disclaimer: I am not a lawyer nor am I an authority on cyber law.
This article was written for the purpose of education and to raise awareness of the charges you could be subject to if you make the foolish decision to go down the black-hat road. Each headline is linked to each law in its entirety. If I've made any careless errors or omissions, please reach out to me so we can continue make great, informative content together for the greater good of internet users.
It goes without saying that conspiracy to commit any sort of physical crime online is punishable but we will be focusing on laws especially relevant to hackers and computer security professionals.
The Computer Fraud and Abuse Act, or CFAA for short, was enacted in 1984 as an amendment to the existing computer fraud laws in the United States. The CFAA prohibits any common unethical use cases for computer hacking and makes it illegal to perpetrate any acts of computer hacking without explicit permission from the owner of the protected computer(s) in question. The computers protected officially by the CFAA are computers used in financial institutions, governments and those affecting interstate or foreign commerce or communication. Due to the international nature of the internet, any ordinary computer is protected in practice.
If you are ever indicted for computer hacking, this is the law that will help put you in the clink. The sentencing guidelines for computer hacking have been very harsh historically and amendments such as the PATRIOT Act and the FREEDOM Act have only extended its jurisdiction. These amendments also criminalize cyber terrorism (which is punishable by life in prison) and effectively hacktivism.
This act in particular has gained massive attention and controversy over the last 20 years. The Digital Millennium Copyright Act, or DMCA for short, is the law that makes any circumvention methods for the access-controls of copyrighted content illegal and was signed by Bill Clinton in 1998—Jesus, the Clintons always seem to be behind our misery. The "circumvention" that the amendments refer to is the act of decrypting encrypted data and unscrambling scrambled data for the purpose of using copyrighted content without authorization. The DMCA is the closest thing to an anti-reverse-engineering law that can be found in the United States, so you can expect to be indicted under if you get caught cracking software and developing keygens for non-research purposes.
The DMCA also extends to the distribution of copyrighted content. You can and will be accused of copyright violation if you make copyrighted content available in the form of file sharing, tools to remove DRM mechanisms or using the protected content in your own content which isn't covered under fair use since you are technically circumventing copyright mechanisms. Naturally, the DMCA has been abused greatly in recent years by big companies to step on the little man and has received tremendous criticism as a result. Content creators on YouTube such as Felix Kjellberg (PewDiePie), James Donaldson (MrBeast), Ethan and Hila Klein (H3H3 Productions) and Christian Büttner (TheFatRat) have all suffered at the hands of DMCA and copyright law abuse online.
The DMCA is not meant to be an evil law and does allow certain exceptions that allow you to hack these mechanisms legally. Some of the exceptions to the DMCA are: it doesn't affect government organizations (go figure); revere engineering for the sake of interoperability and compatibility is permitted; and reverse engineering for the sake of research is also permitted. That is, the analysis of copyright safeguards are covered under fair use if you do not have any illegal motivations. Remember that circumventing access-controls on copyrighted content for personal use does not fall under fair use and you are thereby liable for your actions.
The Access Device Statute criminalizes any use of an unauthorized access device or device-making equipment. An access device is defined as “any card, plate, code, account number or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds...". The term “unauthorized access device” means any access device that is lost, stolen, expired, revoked, canceled, or obtained with the intent to defraud a person or persons. With that extra context, you can probably guess where I'm going with this.
This law serves as not just for anti-carding but also applies to any sort of account, whether you used a computer or not. You can and will be charged under this law for reasons such as: hacking someone's social media, installing a keylogger on your girlfriend's computer, stealing your parent's credit card to buy something online or using keygens.
A keygen counts as device-making equipment since it does facilitate the creation of a very general definition of an access device or the means to obtain an access device (an activated product or account in this case) without authorization. Obtaining or generating credentials for access devices for which you are not authorized is also made illegal here. That means creating scam sites; keyloggers; keygens; and selling your questionably legitimate NordVPN accounts on Discord are all punishable.
The maximum possible prison sentence allowed for the most severe of cases is 20 years. The Access Device Statute is relatively short compared to the others (making it easier to digest) and you can read about what sentencing guidelines pertain to different types of crimes by clicking in the section header.
The legislation for cyber security in the United States does extend further than what is presented here. The goal of this article was to equip you, the reader, with the essential knowledge of cyber law that applies to your activities. Many people who are new to hacking don't understand the consequences for their actions and learn hacking especially for the purpose of perpetrating illegal actions. It's not worth it! Please copy the contents of this article and paste it around to spread awareness.
I hope this article helps you keep your nose clean. I wish you safe travels and happy hacking!