I was reading a book on Cybersecurity Law, and I read about one of the federal statutes in the U.S. cybersecurity legal spectrum: the Computer Fraud and Abuse Act (CFAA). It is probably considered an important and controversial statute. It was originally enacted in 1986 and was designed to combat malicious hacking. Over the years, however, its scope and application have evolved, prompting debates about its reach, ambiguity, and impact on both cybersecurity professionals and everyday users.

What Is the CFAA?
The CFAA is codified at Title 18 U.S. Code § 1030 and criminalizes a wide array of computer-related offenses. It targets unauthorized access to computers and data, fraud, damage, and even trafficking in passwords.

The law applies to “protected computers,” which include not only government and financial institution systems but also any computer involved in interstate or foreign commerce, effectively covering nearly all computers connected to the internet.

Here are some of the central terms and offenses under the CFAA:

  • Protected Computer – Any computer used in or affecting interstate or foreign commerce or communication, including computers outside the U.S. that affect U.S. commerce.
  • Access Without Authorization – Accessing a computer without any permission at all. This typically refers to external actors like hackers.
  • Exceeds Authorized Access – Accessing a computer with permission but using that access to obtain or alter information that the user is not entitled to access.
  • Transmission – The act of sending code, commands, or information, including malware or denial-of-service commands.
  • Damage – Any impairment to the integrity or availability of data, a program, a system, or information.
  • Loss – Includes the cost of responding to an offense, conducting a damage assessment, and restoring the system or data, among others.

The CFAA has faced criticism for its vague language, particularly the phrase “exceeds authorized access.” Critics argue it has been used to criminalize benign activities, such as violating terms of service agreements or engaging in security research.


Why is the CFAA important?

The CFAA is a double-edged sword. It’s a powerful tool for protecting systems against malicious attacks, but when interpreted too broadly, it can also stifle innovation, security research, and digital freedom.

As we rely more and more on digital infrastructure, understanding and refining laws like the CFAA is important to strike the right balance between security and liberty.

Whether you’re a cybersecurity professional, legal expert, or just an everyday internet user, the CFAA is a law worth understanding. Its applications affect how we secure networks, how companies monitor user behavior, and how the law draws the line between curiosity and crime.


Here are some key resources on CFAA


Here are some notable CFAA court cases

United States v. Morris (1991): The first CFAA conviction, involving a worm that disrupted early internet systems.

United States v. Nosal (2012): The Ninth Circuit ruled that violating a company’s internal computer use policies doesn’t necessarily violate the CFAA.

Van Buren v. United States (2021): The Supreme Court narrowed the CFAA’s reach, ruling that improper use of access (e.g., for personal gain) isn’t the same as unauthorized access.

hiQ Labs v. LinkedIn (2022): The Ninth Circuit held that scraping public data may not be a CFAA violation if no technical barriers are bypassed.


Hope you found this post helpful and informative. Thanks for stopping by!
