A Code-Based Approach to Unauthorized Access Under the Computer Fraud and Abuse Act
35 Pages Posted: 20 Apr 2017
Date Written: 2016
Thirty years ago, Congress passed the Computer Fraud and Abuse Act (CFAA) to combat the emerging problem of computer crime. The statute’s core prohibitions targeted one who “accesses” a computer “without authorization” or who “exceeds authorized access.” Over time, incremental statutory changes and large-scale technical changes have dramatically expanded the potential scope of the CFAA. The question of what constitutes unauthorized access has taken on far greater significance than it had thirty years ago, and courts remain deeply divided on this question. This Article explores the text, purpose, and history of the CFAA, as well as a range of normative considerations that should guide interpretation of the statute. The Article concludes that courts should pursue a narrow and “code-based” understanding of unauthorized access under the CFAA—both in terms of what it means to access a computer without authorization and in terms of what it means to exceed authorized access. The CFAA has strayed far from its original purpose: Congress failed to define key terms in the CFAA, and courts have overlooked limiting principles within the statute. From a normative perspective, even if it is desirable to provide owners of networked computer systems with stronger legal protection for their systems, the CFAA’s unauthorized access provisions are not the proper vehicle for doing so.
Keywords: cybercrime, computer crime, hacking, Computer Fraud and Abuse Act, unauthorized access
JEL Classification: K14, K42
Suggested Citation: Suggested Citation