Computer Fraud and Abuse Act (CFAA)

As technology advances, the use of the criminal law to regulate conduct using such technology also advances. Perceptions concerning the role of technology in both traditional and high-tech criminal conduct prompted Congress to enact the first federal computer crime law thirty years ago. Increases in computer availability and mainstream usage, however, have propelled government regulation of computer conduct into overdrive.

Over the course of thirty years, federal computer crimes went from non-existent to touching on every aspect of computer activity for intensive and occasional users alike. The Computer Fraud and Abuse Act (CFAA) was enacted in 1986, as an amendment to the first federal computer fraud law, to address hacking. Over the years, it has been amended several times, most recently in 2008, to cover a broad range of conduct far beyond its original intent.

The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization, but fails to define what “without authorization” means. With harsh penalty schemes and malleable provisions, it has become a tool ripe for abuse and use against nearly every aspect of computer activity.

The breadth and ambiguity of the CFAA are deeply troubling. NACDL supports wholesale reform of the CFAA and, in particular, believes violations of website terms of services should not be federal crimes. NACDL opposes any additional expansion of the CFAA and is actively working to reform the CFAA through amicus support, coalition building, and legislative advocacy.

Additional information on the CFAA and NACDL's reform efforts is available at the hyperlinks below.

Provisions of the Computer Fraud & Abuse Act
18 U.S.C. § 1030 

| Offense | Section | Sentence* |
|---|---|---|
| Obtaining National Security Information | (a)(1) | 10 yrs (20) |
| Accessing a Computer and Obtaining Information | (a)(2) | 1 or 5 yrs (10) |
| Trespassing in a Government Computer | (a)(3) | 1 yr (10) |
| Accessing a Computer to Defraud and Obtain Value | (a)(4) | 5 yrs (10) |
| Intentionally Damaging by Knowing Transmission | (a)(5)(A) | 1 or 10 yrs (20) |
| Recklessly Damaging by Intentional Access | (a)(5)(B) | 1 or 5 yrs (20) |
| Negligently Causing Damage and Loss by Intentional Access | (a)(5)(C) | 1 yr (10) |
| Trafficking in Passwords | (a)(6) | 1 yr (10) |
| Extortion Involving Computers | (a)(7) | 5 yrs (10) |
| Attempt and Conspiracy to Commit such an Offense | (b) | 10 yrs for attempt but no penalty specified for conspiracy in section (c) |

*The maximum prison sentences for second convictions are noted in parentheses.

News Of Interest

"Security researcher posts 10 million passwords," by Elizabeth Weise, USA Today, February 10, 2015.

"New agency to sniff out threats in cyberspace," by Ellen Nakashima, The Washington Post, February 10, 2015.

"White House Accelerates Drive to Improve Data Privacy," by Julie Hirschfeld Davis, The New York Times, February 5, 2015.

"Advocates want to hear from AG nominee on Aaron Swartz," by Mario Trujillo, The Hill, January 28, 2015.

"Obama, Goodlatte Seek Balance on CFAA Cybersecurity," by Tom Risen, U.S. News & World Report, January 27, 2015.
