The Computer Fraud and Abuse Act (CFAA) was enacted in 1986, as an amendment to the first federal computer fraud law, to address hacking. Over the years, it has been amended several times, most recently in 2008, to cover a broad range of conduct far beyond its original intent. The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization, but fails to define what “without authorization” means. With harsh penalty schemes and malleable provisions, it has become a tool ripe for abuse and use against nearly every aspect of computer activity.

Amicus curiae brief of the National Association of Criminal Defense Lawyers in support of appellant.

Argument: The Fifth Amendment’s due process clause requires a narrow interpretation of “without authorization” under the Computer Fraud and Abuse Act (CFAA). The District Court’s finding that venue was proper exceeds constitutional limitations and invites prosecutorial forum-shopping.

Brief of Amici Curiae Electronic Frontier Foundation, Center for Democracy & Technology, National Association of Criminal Defense Lawyers, and Scholars in Support of Defendant-Appellant Gilberto Valle.

Argument: The Computer Fraud and Abuse Act (CFAA) does not prohibit violations of computer use restrictions. The CFAA was meant to target “hacking,” not violations of computer use restrictions. This case presents a mere use restriction. The District Court’s broad reading of the CFAA renders it unconstitutionally vague. Corporate policies do not provide sufficient notice of what conduct is prohibited. Allowing CFAA liability for mere use restrictions turns a vast number of ordinary individuals into criminals.

Brief of Amici Curiae Electronic Frontier Foundation, National Association of Criminal Defense Lawyers, and Center for Democracy & Technology in Support of Appellant.

Argument: The Computer Fraud and Abuse Act does not prohibit violations of computer use restrictions, such as the restriction at issue. The CFAA was meant to target "hacking," not violations of computer use restrictions. Written, policy-based restrictions on manner of access are restrictions on use. The lower court's broad reading of the CFAA renders the statute unconstitutionally vague. Corporate policies do not provide sufficient notice of what conduct is prohibited. Basing CFAA liability on violations of use restrictions would permit capricious enforcement by prosecutors. This Court should reverse Appellant's conviction under Specification 13 of Charge II.

Brief of Electronic Frontier Foundation and National Association of Criminal Defense Lawyers as Amici Curiae in Support of Appellant

Argument: The lower courts misconstrued the technology at issue. The lower courts misconstrued the CFAA’s purpose and case law. Congress intended the CFAA to target serious computer break-ins. Consistent with Congress’s intent, courts across the country have held that the CFAA does not criminalize violations of computer use policies. Courts adopting the ‘narrow’ interpretation have rejected the lower courts’ theory that written computer use restrictions on how someone accesses information are ‘access’ restrictions. The military judge ignored basic rules of statutory construction. The lower courts’ broad reading of the CFAA renders the statute unconstitutionally vague. 
 

Government Abuses Computer Crime Law to Boost Criminal Charges - Washington, DC (August 6, 2010) – The Electronic Frontier Foundation (EFF) and the National Association of Criminal Defense Lawyers asked a federal appeals court Thursday to block the government's attempt to wrongly expand federal computer crime law, turning misdemeanor charges into felonies.