23 Pages. Posted: 5 Jan 2016. Last revised: 17 Nov 2016
Date Written: January 4, 2016
The federal Computer Fraud and Abuse Act (CFAA) makes it a crime to “access a computer without authorization or exceed authorized access.” Courts and commentators have struggled to explain what types of conduct by a computer user are “without authorization.” But this approach is backwards; authorization is not so much a question of what a computer user does, as it is a question of what a computer owner allows.
In other words, authorization under the CFAA is an issue of consent, not conduct; to understand authorization, we need to understand consent. Building on Peter Westen’s taxonomy of consent, I argue that we should distinguish between the factual question of what uses a computer owner manifests her consent to and the legal question of what uses courts will deem her to have consented to. Doing so allows us to distinguish the different kinds of questions presented by different kinds of CFAA cases, and to give clearer and more precise answers to all of them. Some cases require careful fact-finding about what reasonable computer users in the defendant’s position would have known about the owner’s expressed intentions; other cases require frank policy judgments about which kinds of unwanted uses should be considered serious enough to trigger the CFAA.
Keywords: Computer Fraud and Abuse Act, consent, authorization, hacking, computer misuse
JEL Classification: K00
Suggested Citation:
Grimmelmann, James, Consenting to Computer Use (January 4, 2016). 84 George Washington Law Review 1500 (2016); U of Maryland Legal Studies Research Paper No. 2016-07. Available at SSRN: https://ssrn.com/abstract=2710757