I think it would be a stretch to say that Sony violated CFAA, but I have to admit that in my opinion they come pretty close.
Many readers are well aware of the scandal of the week in cyberspace - Sony’s stealth digital rights management system, which installs automatically (and without any notice to the user), has been likened to rootkits deployed by hackers. In fact, hackers are already taking advantage of the rootkit by using its ability to run software in stealth mode - there are millions of Sony CDs played on [arguably] millions of PCs which are potential rootkit hosts.
Can/should Sony be prosecuted under CFAA?
As a threshold issue, because CFAA criminalizes unauthorized access to a computer, we have to look at whether Sony’s installation of their DRM software was authorized or not. The EULA says,
Prof. Felten argues that "a rootkit neither protects the audio files nor facilitates use of the content." Additionally, the EULA does not indicate that the users would not be able to download music from the CD onto their iPod (which they are legally allowed to do under copyright law) or that attempting to remove the software would make their computer’s CD drive inaccessible. Also, it is not clear whether the EULA is presented to the user at the point of sale (on the back of the CD) or whether they are "stuck" with it once they buy the CD, break the seal, and cannot return the opened CD. With all this in mind, a pretty good claim may be made that the EULA is invalid.
Assuming that the EULA is invalid, Sony’s stealth rootkit installation would clearly be unauthorized access to a computer (all the user is authorizing is for the computer to play the music CD).
18 U.S.C. 1030 (the Computer Fraud and Abuse Act) is the major US statute prohibiting unauthorized access to a computer.
Section 1030(3) criminalizes acts by anyone who "intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States"
Section 1030(5)(A)(i) criminalizes acts by anyone who "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer"
Section 1030(5)(A)(ii) criminalizes acts by anyone who "intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage"
Section 1030(5)(A)(iii) criminalizes acts by anyone who "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage"
Maybe it is just because of the bad name and publicity that Nigeria received because of the so-called "Nigerian" scams (aka 419 scams), but Nigeria has announced efforts to curb scams originating there.
419 and other Nigerian variants of cybercrime have done unquantifiable damage to Nigeria’s image and credibility. The government has resolved to deal a fatal blow to the cybercrime networks operating from Nigeria and the West African sub-region.
–Nuhu Ribadu, the executive chairman of the Economic and Financial Crimes Commission of Nigeria
How is Nigeria going to "deal [the] fatal blow" to cybercrime networks? According to Mr. Ribadu, Nigeria "will monitor cybercafes and take on a ’significant’ number of cases against such criminals based in Nigeria." I am not sure what Nigeria’s record on privacy is, but this sounds just like an excuse to monitor what Nigerians are doing online and with whom they are communicating. Prosecution of cyberscams is fine, but are there sufficient laws for this? If there are laws, why weren’t they enforced so far, and if there are no laws, why is this not the first step?
[Via CNET News.com, United States]