Criminalizing Hacking, Not Dating: Reconstructing the CFAA Intent Requirement

43 Pages Posted: 28 Feb 2013 Last revised: 11 Apr 2015

See all articles by David Thaw

David Thaw

University of Pittsburgh - School of Law; University of Pittsburgh - School of Information Sciences; Yale University - Information Society Project; University of Pittsburgh - Graduate School of Public & International Affairs; National Defense University - College of Information and Cyberspace

Date Written: August 4, 2013

Abstract

Cybercrime is a growing problem in the United States and worldwide. Many questions remain unanswered as to the proper role and scope of criminal law in addressing socially-undesirable actions affecting and conducted through the use of computers and modern information technologies. This Article tackles perhaps the most exigent question in U.S. cybercrime law, the scope of activities that should be subject to criminal sanction under the Computer Fraud and Abuse Act (CFAA), the federal "anti-hacking" statute.

At the core of current CFAA debate is the question of whether private contracts, such as website "Terms of Use" or organizational "Acceptable Use Policies" should be able to define the limits of authorization and access for purposes of criminal sanction under the CFAA. Many scholars and activists argue that such contracts should not, because they may result in ridiculous consequences such as the criminalization of misrepresenting one's "desirability" on an online dating website. Critics of such arguments rebut that failing to allow contract-based restrictions opens the door for hackers to engage in many types of activity not otherwise subject to criminal sanction.

This Article examines the tension between these two positions, both from the standpoint of current U.S. jurisprudence and scholarship, and from the standpoint of the respective purposes of criminal and tort law in deterring and punishing socially-undesirable behavior. The Article concludes by proposing a legislative revision to the CFAA that substantially mitigates the risk of overbroad criminalization, while leaving intact the ability of the law to deter and punish the most serious acts affecting and utilizing computers.

Keywords: Cybercrime, Computer Crime, Computer Fraud and Abuse Act, CFAA, Deterrence

Suggested Citation

Thaw, David, Criminalizing Hacking, Not Dating: Reconstructing the CFAA Intent Requirement (August 4, 2013). Journal of Criminal Law and Criminology, Vol. 103, No. 3, 2013, Available at SSRN: https://ssrn.com/abstract=2226176.

David Thaw (Contact Author)

University of Pittsburgh - School of Law ( email )

3900 Forbes Ave.
Pittsburgh, PA 15260
United States

HOME PAGE: http://www.davidthaw.com

University of Pittsburgh - School of Information Sciences ( email )

Pittsburgh, PA 15260
United States

Yale University - Information Society Project ( email )

P.O. Box 208215
New Haven, CT 06520-8215
United States

University of Pittsburgh - Graduate School of Public & International Affairs ( email )

Pittsburgh, PA 15260-0001
United States

National Defense University - College of Information and Cyberspace ( email )

300 5th Ave
Ft McNair
Washington, DC 20319
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
542
Abstract Views
3,877
Rank
100,265
PlumX Metrics