Menu & Search

What is the Computer Fraud and Abuse Act (CFAA)?

January 3, 2015

The Computer Fraud and Abuse Act (CFAA) (See 18 U.S.C. § 1030) is a law that, generally, prohibits intentionally accessing a computer, without authorization (or exceeding authorized access), and obtaining information from a protected computer.


Because of the manner it was written and interpreted, the CFAA governs much of our regular online activity. As summarized above, the CFAA prohibits intentional access of a computer “without authorization” or “exceeding authorized access” to obtain information from a “protected computer.” Each of these elements allows from the courts sweeping discretion in applying the CFAA.

Without Authorization

The first type of CFAA breach stems from intentionally accessing a protected computer “without authorization”.

“Congress did not define the phrase ‘without authorization,’ perhaps assuming that the words speak for themselves. The meaning, however, has proven to be elusive.” EF Cultural Travel BV v. Explorica, 274 F.3d 577, 582 n.10 (1st Cir. 2001).

This elusive nature of “without authorization” led the lower court in EF Cultural Travel BV to apply a vague “reasonable expectation” standard. The reasonable expectation standard defines access without authorization as access that is not “in line with the reasonable expectations” of the website owner and its users.

Other courts look to “intended function” to determine whether access was authorized. United States v. Morris, 928 F.2d 504, 510 (2d Cir. 1991). This approach mysteriously allows for a subjective analysis of a website’s intended function.

Perhaps the most sensible approach is found in LVRC Holdings LLC v. Brekka. The 9th Circuit held “that a person uses a computer ‘without authorization’ under [the CFAA] when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009).

Exceeding Authorized Access

The second type of CFAA breach arises when access to a protected computer “exceeds authorized access”.

Congress rather generously defines the term “exceeds authorized access” as “access[ing] a computer with authorization and . . . us[ing] such access to obtain or alter information in the computer that the accesser is not entitled . . . to obtain or alter.” 18 U.S.C. § 1030(e)(6).

These issues typically arise in the context of employer-employee relationships. In EF Cultural Travel BV, the Defendant, a former employee of the Plaintiff, was found to have exceeded his authorized access to the Plaintiff’s website by using his proprietary knowledge of the Plaintiff’s website (protected by a “broad confidentiality agreement prohibiting . . . disclosure of any information ‘which might reasonably be construed to be contrary to the interests of [the Plaintiff]'”) to assist in the development of a “web scraper” that made “wholesale use” of the Plaintiff’s information. EF Cultural Travel BV, 274 F.3d 577 at 583.

Protected computer

A protected computer is a computer used by a financial institution, or the U.S. Government, or more importantly, a computer affecting interstate commerce or communication. Because a protected computer is a computer affecting interstate communication, people using ordinary internet connected personal computers (and mobile devices) can been subjected to prosecution under the CFAA due to the inherent interstate nature of normal internet communication.

In US v. Trotter, the Defendant argued that his former employer’s computer network was not a “protected computer” as set forth in 18 U.S.C. § 1030(e)(2)(B). The 8th Circuit rejected this claim and affirmed the Defendant’s conviction because the Defendant admitted, at a plea hearing, that his former employer’s network was connected to the internet. The Court used this admission to determine the computer network met the statutory definition of a “protected computer.” US v. Trotter, 478 F.3d 918, 921 (8th Cir. 2007); see also United States v. Walters, No. 05-15739, 2 (11th Cir. 2006) (“the internet is an instrumentality of interstate commerce”).

Whereas in United States v. Kane the Court determined that exploiting a software bug in a video poker machine does not constitute a CFAA breach because the video poker machine was not connected to the internet. Therefore, it did not qualify as a “protected computer” affecting interstate commerce or communication. Report & Recommendation of United States Magistrate Judge at 6United States v. Kane, No. 2:11-cr-00022-MMD-GWF (D. Nev. Oct. 15, 2012). Though, the video poker machine was likely a “computer” under the definition of the CFAA (see 18 U.S.C. § 1030(e)(1)), it was not a “protected computer.”

Specific Criminal Conduct

While the CFAA is written broadly, it also includes provisions prohibiting specific types of conduct such as:

Civil Liability

The CFAA is mainly a criminal statute (evidenced by its location in Title 18 of the U.S. Code). However, it also includes a civil cause of action (See 18 U.S.C. § 1030(g)) that permits compensatory damages, injunctive and other equitable relief for any specific conduct described in 18 U.S.C. § 1030(a)-(b) if the conduct caused:

  • Loss of at least $5,000 in value
  • Impairment, or potential impairment, of the medical examination, diagnosis, treatment, or care to one or more persons
  • Physical injury to any person
  • A threat to public health or safety
  • Damage affecting a computer used by or for an entity of the U.S. Government
  • Damage affecting 10 or more protected computers during any 1-year period

Civil liability, under the CFAA, is subject to a 2-year statute of limitations.

Corey Varma

Corey Varma is an attorney that focuses on Information Technology and Privacy, Cyberspace, Social Media, and Intellectual Property law.

4 Discussion to this post

  1. […] The Computer Fraud and Abuse Act (CFAA) (See 18 U.S.C. § 1030) is a law that generally prohibits intentionally accessing a computer, without authorization, and obtaining information from a protected computer. Though Congress decided to leave interpretation of “without authorization” to the courts. This causes some uncertainty in analyzing whether certain online behavior might be illegal – especially when the computer that is accessed is a publicly accessible computer. This leads us to United States v. Auernheimer.  […]

  2. […] commercial or financial activity to qualify as a violation of the law, but the vagueness of the act means that all online activity could fall under this designation. So as it stands, the law gives companies a legal cover to call finding their complete lack of any […]

  3. […] commercial or financial activity to qualify as a violation of the law, but the vagueness of the act means that all online activity could fall under this designation. So as it stands, the law gives companies a legal cover to call finding their complete lack of any […]

Join the discussion

Type your search keyword, and press enter to search