Technology crime defense: old statutes, new prosecutions.

The CFAA was enacted in 1986. Reagan had just watched WarGames and decided something had to be done about hackers. ARPANET was still mostly universities and defense contractors. And here we are — federal prosecutors are using this statute to charge security researchers, scraping engineers, and people who shared a password.

That's the defining feature of technology criminal law: the gap between what these statutes were written to address and what they're actually being used to prosecute is enormous. A strong defense requires someone who understands both the legal argument and what the technology actually does — not just "my client is a good person" but "the government's theory of this case doesn't survive contact with how TCP/IP actually works."

We represent individuals and companies from initial grand-jury subpoenas through trial and, where the verdict warrants it, appeal. The statutory landscape we work in:

The CFAA is the workhorse of federal computer-crime prosecution. It criminalizes "unauthorized access" and access that "exceeds authorization" — plus computer damage, extortion using computers, and trafficking in passwords. "Unauthorized access" is breathtakingly vague. For years, the government argued violating a website's terms of service constituted "unauthorized access."

We've watched the government charge security researchers under § 1030(a)(2) for finding vulnerabilities in systems they had permission to probe. We've seen CFAA charges used against former employees who accessed systems after termination using credentials that hadn't been revoked — where the "without authorization" question turns entirely on when revocation is legally effective. These cases require technical fluency.

The ECPA has two main criminal tracks. The Wiretap Act prohibits intentional interception of wire, oral, or electronic communications. The Stored Communications Act prohibits unauthorized access to stored electronic communications. The difference matters — wiretap requires real-time interception; SCA can involve accessing stored emails or data at rest.

ECPA charges arise from network-monitoring tools configured to capture more than intended, IT administrators accessing employee communications, corporate-espionage claims, and domestic disputes where one party installed software on a shared device. Carpenter signaled the Supreme Court is willing to reconsider digital privacy doctrine; the constitutional overlay on ECPA prosecutions is fertile ground for suppression motions.

§ 1201(a)(1) makes it illegal to "circumvent a technological measure that effectively controls access to a work protected under" copyright. Criminal liability attaches under § 1204 when the circumvention is willful and for commercial advantage or private financial gain. The statute captures an enormous amount of legitimate activity: reverse engineering for interoperability, security research, accessibility modifications, and right-to-repair all technically implicate § 1201.

The Copyright Office runs a triennial rulemaking to carve out exemptions, but those exemptions are narrow and expire. Criminal DMCA charges against researchers are rare but they happen — and civil DMCA threats are used routinely to chill security disclosure.

Criminal CAN-SPAM violations require willfulness. § 7705(b) makes it a felony — up to five years — to violate the Act willfully in connection with falsified header information or deceptive subject lines. The Act preempts state spam laws but not state fraud or computer-crime statutes, which means a bad email campaign can generate parallel prosecutions. Liability turns on technical details: whether headers were falsified, whether the subject line misrepresents content, and whether required opt-out mechanisms were functional.

The TCPA is primarily a civil statute — private plaintiffs can sue for $500–$1,500 per unsolicited call or text, which is why TCPA class actions are a cottage industry. § 227(b)(1) creates strict liability for using an ATDS or prerecorded voice to call numbers without consent. The central fight has been defining what constitutes an ATDS.

If your automated messaging system is the subject of a class action or regulatory enforcement action, the technical characterization of your equipment is the whole ballgame.

The ACPA creates civil liability for registering, trafficking in, or using a domain name that is "identical or confusingly similar" to a distinctive or famous mark — if done with "bad faith intent to profit." The in rem provision (§ 1125(d)(2)) allows mark owners to sue the domain name itself in the judicial district where the registrar is located. Statutory damages run from $1,000 to $100,000 per domain. ACPA claims often run alongside UDRP proceedings, but a UDRP decision doesn't preclude a federal court action. We defend domain registrants — including portfolio holders and resellers — against ACPA claims where the "bad faith" characterization doesn't fit the facts.

COPPA requires verifiable parental consent before collecting, using, or disclosing personal information from children under 13. The implementing rule is at 16 C.F.R. Part 312. Civil penalties are $51,744 per violation — and the FTC counts each child's information as a separate violation. YouTube settled for $170 million in 2019. TikTok (then Musical.ly) settled for $5.7 million in 2019 and faced a follow-on action in 2023. Mixed-audience platforms, apps with age gates, and EdTech companies operating in schools under FERPA are all in the crosshairs. If you're receiving a Civil Investigative Demand from the FTC on a COPPA matter, the investigative stage is the most important stage.

The PATRIOT Act dramatically expanded federal surveillance authority and added technology-facilitated conduct to existing financial-crime statutes. Section 802 expanded the definition of "domestic terrorism." Section 215 (now expired and replaced) authorized bulk collection of business records. The PATRIOT Act also expanded the money-laundering statute to reach cryptocurrency transactions in ways that still generate prosecutorial creativity.

FISA (50 U.S.C. §§ 1801–1885c) and the FISA Amendments Act's § 702 authorize collection of foreign-intelligence communications — including communications of U.S. persons when they're in contact with foreign targets. Digital evidence obtained under FISA orders surfaces in criminal prosecutions through parallel construction, which means defense counsel needs to understand not just the evidence presented but how it was actually obtained. Challenging the legality of FISA-derived evidence is procedurally complex and governed by 50 U.S.C. § 1806(e), which creates an in camera, ex parte review process. It's annoying. We do it anyway.

Technology crime convictions are appealed at a higher rate than most federal convictions — and for good reason. The statutes are old, the facts are technically complex, and trial courts regularly apply interpretations that circuit courts later reject. If you've been convicted or received an adverse ruling at the district level, our technology appellate practice handles direct appeals, post-conviction review, and habeas proceedings for cases where the legal theory used to convict you isn't as solid as the government made it sound.