第四章 國際立法例與我國法比較
第三節 美國聯邦電腦詐欺及濫用法(CFAA)
第一項 背景
由於電腦與網路被廣泛使用的科技是以美國為核心,向其他國家擴散發展,
自然也是最早探討網路犯罪規制的國家,而網路入侵行為的立法規制在美國法的 發展可以分為四個時期189:
一、1970 年代後半至 1980 年代的第一階段:由於電腦是一種稀少的資源,重視 電腦使用的保護,主要的保護對象係「電腦資源的稀少性」,因而尚有處罰無 權使用他人電腦者,但大多以有其他目的或後續動作的犯罪為主。
二、1970 年代後半至 1980 年代的第二階段:明確地開始重視物理性的財產利益 之保護,由於此時電腦資源已不再稀少,社會電腦使用普及率越來越高,除
187 葉亭巖(2008),前揭註 158,頁 19-20。
188 徐育安(2014),前揭註 93,頁 132-133;王文成(2011),前揭註 178,頁 59。
189 李茂生(2001),前揭註 37,頁 7-9。
72
了政府與銀行之外,公司或一般個人也開始使用電腦,故此時開始強調不法 入侵行為之後的財產犯罪行為。
三、1980 年代後半至 1990 年代的第三階段:重視智慧財產權的保護,由於資本 主義的發展,財產利益的保護不只是保護有體財產權,也開始重視無體財產 權保護,開始處罰刺探秘密、侵害智慧財產權的行為,此時美國遇到的困境 是,因為他國的資訊科技發展比不上美國,造成跨國犯罪偵查困難重重。
四、1990 年代至今:以間接的方法保護以上利益,對於網路入侵的態度不再像之 前一樣強調實際上的經濟利益保護,而開始著重保護具備經濟利益的電子措 施,電腦網路的保護措施或登入控制機制都有規範,此時網路入侵行為本身 可能也有獨立侵害的法益,例如隱私權。
自 1980 年代起,美國舊有的法律規範體系已經無法滿足國內電腦犯罪的立法 需求,例如在電腦犯罪行為人侵害被害人的財產利益時,法院將面臨以竊盜罪如 何解釋利用電腦破壞經濟利益行為之難題,擴張解釋的結果是,法院常常只有在 造成重大財產損害的情形才會下有罪判決,因而招致批評190。
後來又於 1984 年先通過「電腦非法入侵、詐欺與濫用法」(The Counterfeit Access Device and Computer Fraud and Abuse Act),但因為電腦用語定義不足,同 時也缺乏明確的法院管轄權,使得適用上還是出現許多的障礙有待解決。到了 1986 年,又通過電腦詐欺及濫用法(Computer Fraud and Abuse Act, CFAA),該 法可說是美國聯邦法典對於電腦犯罪最為基本且重要的立法191,在主觀要件、客
190 Orin S. Kerr, Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes , NYU Law Review, Vol. 78, No. 5, 1613 (2003).
191 Chuck Easttom and Det. Jeff Taylor, Computer Crime, Investigation, and the Law, Boston, MA, USA: Course Technology / Cengage Learning, 72 (2010).
73
觀要件與專有名詞等方面皆有所擴充,再經過 1990、1994、1996、2001 年持續修 訂,才成為今日的樣貌192。
第二項 內容概述
在聯邦法方面,經過 1984 年、1986 年、1994 年、1996 年的數次修正,在美 國聯邦刑法典第 18 章第 1030 條規範「電腦詐欺及濫用法」,以確保資訊以及系統 的秘密性、完整性及可用性,其中第 1030(a)條中有許多規定與我國的入侵電腦罪 較為類似,大多以入侵電腦行為作為犯罪成立要件的核心193,惟各項規定又分別 從不同的主觀意圖、被入侵電腦類型或是所造成的損害對入侵電腦行為劃分出更 為精細的態樣。
第 1030(a)(1)條194規定:「任何人故意無權或越權入侵電腦,藉此取得美國政 府基於國防或外交理由而依據行政命令或法律禁止無權揭露的資訊,或是任何如
192 李崇偉(2004),〈美、日、德三國網路犯罪相關法制之探討〉,《中央警察大學法學論集》,第 9 期,頁 139-140;劉景嘉(2014),《刑法上電腦犯罪立法之研究》,國立臺北大學法律學系碩士 論文,頁 38-39。
193 access 在我國文獻上也常被翻譯為「存取」或「進入」,為了方便與我國刑法第 358 條入侵電 腦罪對照,本文在此仍譯作「入侵」。
194 Whoever having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or
74
同 1954 年原子能法第 11 條第 y 項所定義之受限制數據資料,且足認此資訊可被 用於對美國造成損害,或是為外國之利益,故意通信、交付、傳送,或致使被通 信、交付、傳送,或意圖通信、交付、傳送,或致其被通信、交付、傳送予無權 接收者,或故意保留此資訊使其無法交予有權的美國政府官員或雇員。」
第 1030(a)(2)條195規定:「任何人故意無權或越權入侵電腦,並因此獲取:(A) 金融機構之金融紀錄資訊,或第 15 編第 1602(n)條定義之發卡人之金融紀錄資訊,
或消費者報告機關之消費者檔案資訊,相關名詞在公平信用報告法中定義;(B) 來自美國任何部門或機關的資訊;或(C)來自任何受保護電腦中的資訊。」
第 1030(a)(3)條196規定:「任何人故意無權入侵任何屬於美國政府部門或機關 的非公共使用電腦,此種電腦是專供美國政府部門或機關使用,或者該電腦雖非 美國政府部門或機關專用,但受美國政府使用且該行為足生影響於美國政府對此 電腦之使用。」
transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it.
195 Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or (C) information from any protected computer.
196 Whoever intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States.
75
197 Whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.
198 Whoever—(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
199 Whoever knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States
76 的電腦」(protected computer),至少還會要求損害的造成202,其定義可見於第 1030(e)(2)條203:「受保護之電腦是指:(A)專為金融機構或美國政府使用之電腦,
或是非其專用但受到金融機構或美國政府使用且犯行將影響金融機構或政府之使 用;或(B)被利用於州際或國際貿易或通訊之電腦,或是能對其造成影響之電腦,
包括在美國境外使用而能影響美國之州際或國際貿易或通訊之電腦。」對非受保
200 Whoever with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
(A) threat to cause damage to a protected computer;
(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion
201 Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
202 李崇偉(2004),前揭註 192,頁 152。
203 the term “protected computer” means a computer—
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States
Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
77
護的電腦採取單純未經授權入侵行為並未成立犯罪,至於本法其他規定著重於電 腦入侵之後可能造成的電腦系統損失,或者是電腦之外的財產上損害等問題。