The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient. The original 1984 bill was enacted in response to concern that computer-related crimes might go unpunished. The House Committee Report to the original computer crime bill included a statement by a representative of GTE-owned Telenet that characterized the 1983 techno-thriller film WarGames—in which a young teenager (played by Matthew Broderick) from Seattle breaks into a U.S. military supercomputer programmed to predict possible outcomes of nuclear war and unwittingly almost starts World War III—as "a realistic representation of the automatic dialing and access capabilities of the personal computer." The CFAA was written to extend existing tort law to intangible property, while, in theory, limiting federal jurisdiction to cases "with a compelling federal interest—i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature", but its broad definitions have spilled over into contract law (see "Protected Computer", below). In addition to amending a number of the provisions in the original section 1030, the CFAA also criminalized additional computer-related acts. Provisions addressed the distribution of malicious code and denial-of-service attacks. Congress also included in the CFAA a provision criminalizing trafficking in passwords and similar items. Since then, the Act has been amended a number of times—in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. With each amendment of the law, the types of conduct that fell within its reach were extended. In 2015, President Barack Obama proposed expanding the CFAA and the RICO Act. DEF CON organizer and Cloudflare researcher Marc Rogers, Senator Ron Wyden, and Representative Zoe Lofgren stated opposition to this on the grounds it would make many regular internet activities illegal. In 2021, the Supreme Court ruled in Van Buren v. United States to provide a narrow interpretation of the meaning of "exceeds authorized access".

Protected computers

The only computers, in theory, covered by the CFAA are defined as "protected computers". They are defined under section to mean a computer: In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the interstate nature of most Internet communication.

Criminal offenses under the Act

(a) Whoever—

Specific sections

Notable cases and decisions referring to the Act

The Computer Fraud and Abuse Act is both a criminal law and a statute that creates a private right of action, allowing compensation and injunctive or other equitable relief to anyone harmed by a violation of this law. These provisions have allowed private companies to sue disloyal employees for damages for the misappropriation of confidential information (trade secrets).

Criminal cases

Civil cases

Criticism

There have been criminal convictions for CFAA violations in the context of civil law, for breach of contract or terms of service violations. Many common and insignificant online acts, such as password-sharing and copyright infringement, can transform a CFAA misdemeanor into a felony. The punishments are severe, similar to sentences for selling or importing drugs, and may be disproportionate. Prosecutors have used the CFAA to protect private business interests and to intimidate free-culture activists, deterring undesirable, yet legal, conduct. One such example regarding the harshness of the law was shown in United States vs. Tyler King, where King refused initial offers by the government for involvement in a conspiracy to "gain unauthorized access" to a computer system for a small company that an ex-girlfriend of King worked for. His role, even while not directly involved, resulted in 6.5 years imprisonment. No financial motive was established. A non-profit was started to advocate against further harshness against others targeted under the broad law. Tim Wu called the CFAA "the worst law in technology". Professor of Law Ric Simmons notes that many provisions of the CFAA merely combine identical language to pre-existing federal laws with "the element of “access[ing] a protected computer without authorization, or [by] exceed[ing] authorized access," meaning that "the CFAA merely provides an additional charge for prosecutors to bring if the defendant used a computer while committing the crime." Professor Joseph Olivenbaum has similarly criticized the CFAA's "computer-specific approach," noting both the risk of redundancy and resultant definitional problems. The CFAA increasingly presents real obstacles to journalists reporting stories important to the public’s interest. As data journalism increasingly becomes “a good way of getting to the truth of things. . . in this post-truth era,” as one data journalist told Google, the need for further clarity around the CFAA increases. As per Star Kashman, an expert in cybersecurity law, the CFAA presents some challenges in cases related to Search Engine Hacking (also known as Google Dorking). Although Kashman states that accessing publicly available information is legal under the CFAA, she also notes that in many cases Search Engine Hacking is ultimately prosecuted under the CFAA. Kashman believes prosecuting cases of Google Dorking under the CFAA could render the CFAA void for vagueness by making it illegal to access publicly available information.

Aaron Swartz

In the wake of the prosecution and subsequent suicide of Aaron Swartz (who used a script to download scholarly research articles in excess of what JSTOR terms of service allowed), lawmakers proposed amending the Computer Fraud and Abuse Act. Representative Zoe Lofgren drafted a bill that would help "prevent what happened to Aaron from happening to other Internet users". Aaron's Law would exclude terms of service violations from the 1984 Computer Fraud and Abuse Act and from the wire fraud statute. In addition to Lofgren's efforts, Representatives Darrell Issa and Jared Polis (also on the House Judiciary Committee) raised questions in the immediate aftermath of Swartz's death regarding the government's handling of the case. Polis called the charges "ridiculous and trumped up," referring to Swartz as a "martyr." Issa, chair of the House Oversight Committee, announced an investigation of the Justice Department's prosecution. By May 2014, Aaron's Law had stalled in committee. Filmmaker Brian Knappenberger alleges this occurred due to Oracle Corporation's financial interest in maintaining the status quo. Aaron's Law was reintroduced in May 2015 and again stalled. There has been no further introduction of related bills.

Amendments history

2008