The Computer Fraud and Abuse Act (CFAA) was enacted in 1986, as an amendment to the first federal computer fraud law, to address hacking. Over the years, it has been amended several times, most recently in 2008, to cover a broad range of conduct far beyond its original intent. The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization, but fails to define what “without authorization” means. With harsh penalty schemes and malleable provisions, it has become a tool ripe for abuse and use against nearly every aspect of computer activity.

Effective cybersecurity laws are critical to maintaining both the national security and economic advancement of the U.S. But this security should not come at the expense of civil liberties and innovation. The Computer Fraud and Abuse Act does just that—it unnecessarily sacrifices civil liberties and innovation in the name of cybersecurity. … The upcoming hearing of Ms. Loretta Lynch, on her nomination for Attorney General, will provide a unique opportunity to shine a spotlight on this ongoing tension between attempts to expand the CFAA’s provisions and the need for meaningful reform.

Advocacy Materials on the Computer Fraud and Abuse Act

Letter to the House Judiciary Committee regarding drafted legislation that would enhance penalties and expand punishable conduct under the Computer Fraud and Abuse Act (CFAA).

The House Judiciary Committee’s draft CFAA (Computer Fraud & Abuse Act) bill is the epitome of overcriminalization, overfederalization and government over-reaching at its worst. In the face of a loud and sustained call for CFAA reform that reaches across the right-left divide, some on the Judiciary Committee staff seem to believe now is the time to do exactly the opposite, and expand this vague law even further, hike up its criminal penalties and increase the government’s ability to seize the property of unsuspecting, law-abiding individuals.

These are example cases of federal prosecutions including Computer Fraud and Abuse Act (CFAA) violations. The case entries include links to additional materials from the case and resources related to the case. Also, the Department of Justice has published its own manual on "Prosecuting Computer Crimes" that is available online.

With technological advances come a host of new and novel legal issues. Increases in computer availability and mainstream usage have propelled government regulation of computer conduct into overdrive. Over the course of thirty years, federal computer crimes went from non-existent to touching on every aspect of computer activity for the intensive and occasional users alike.

Brief of the National Association of Criminal Defense Lawyers as Amicus Curiae in Support of Petitioner. 

Argument: The Eleventh Circuit reaffirmed that a person violates the CFAA by using a computer to access information for an improper purpose, even if otherwise authorized to access that information.  This reading goes beyond the CFAA’s text, fails to account for Congress’ intent in enacting it, and flouts the rule of lenity, which requires that ambiguous criminal statutes be construed in a defendant’s favor.  The decision below also interpreted the CFAA in a manner that raises due process concerns, both because it is an unconstitutionally vague reading of the statute and because it invites arbitrary and discriminatory enforcement, and thus the doctrine of constitutional avoidance requires that Petitioner’s reading of the statute prevail.  Further, an expansive reading of the CFAA would contribute to the trend of overcriminalization and give courts and prosecutors a backdoor method of updating criminal laws in response to changed technological—or potentially cultural, economic, or political—realities, something our constitutional structure reserves for Congress.

Reports and articles about CFAA

Brief of the National Association of Criminal Defense Lawyers as Amicus Curiae in Support of Petitioner (on Petition for a Writ of Certiorari). 

Argument: In this case, the Eleventh Circuit reaffirmed that a person violates the CFAA by using a computer to access information for an improper purpose, even if that person is otherwise authorized to access that information. This holding warrants review because it reinforces a conflict of authority regarding the meaning of “authorized access” under the CFAA and because the Eleventh Circuit was wrong on the merits. Review also is warranted because the question presented is important. Computers are ubiquitous in daily life. It is important that the Court clarify that ordinary deviances from terms-of-use requirements— whether imposed by internet websites or private company use guidelines, to name but a few—are not criminal. Review also is necessary because the Eleventh Circuit’s decision deviates from settled practices for construing federal criminal statutes. Because the Eleventh Circuit’s decision and those courts on its side of the open and acknowledged split of authority break from this approach at every level, this Court should grant review.

Coalition letter to members of the Senate regarding Senator Patrick Leahy's amendment to the proposed Cybersecurity Act (S. 3414), which incorporates expanded violations and penalties of the Computer Fraud and Abuse Act (CFAA).

Amicus curiae brief of the Electronic Frontier Foundation and the National Association of Criminal Defense Lawyers in support of appellant.

Argument: When a person accesses another’s stored email without authorization, that single act may not be the basis for both an underlying misdemeanor and a felony enhancement. Ordinarily, first offenses under the Computer Fraud and Abuse Act and the Stored Communications Act are misdemeanors, unless committed for, among other things, in furtherance of another crime. In this case, the defendant’s CFAA offense, unauthorized access to stored email, was not committed “in furtherance of” an SCA violation, because both convictions were based on the same conduct. The government’s attempt to count the same conduct as both an underlying misdemeanor and as the basis for a felony conviction violates the Double Jeopardy Clause.

Amicus curiae brief of the National Association of Criminal Defense Lawyers in support of appellant.

Argument: The Fifth Amendment’s due process clause requires a narrow interpretation of “without authorization” under the Computer Fraud and Abuse Act (CFAA). The District Court’s finding that venue was proper exceeds constitutional limitations and invites prosecutorial forum-shopping.

Brief of Amici Curiae Electronic Frontier Foundation, Center for Democracy & Technology, National Association of Criminal Defense Lawyers, and Scholars in Support of Defendant-Appellant Gilberto Valle.

Argument: The Computer Fraud and Abuse Act (CFAA) does not prohibit violations of computer use restrictions. The CFAA was meant to target “hacking,” not violations of computer use restrictions. This case presents a mere use restriction. The District Court’s broad reading of the CFAA renders it unconstitutionally vague. Corporate policies do not provide sufficient notice of what conduct is prohibited. Allowing CFAA liability for mere use restrictions turns a vast number of ordinary individuals into criminals.

Brief of Amici Curiae Electronic Frontier Foundation, National Association of Criminal Defense Lawyers, and Center for Democracy & Technology in Support of Appellant.

Argument: The Computer Fraud and Abuse Act does not prohibit violations of computer use restrictions, such as the restriction at issue. The CFAA was meant to target "hacking," not violations of computer use restrictions. Written, policy-based restrictions on manner of access are restrictions on use. The lower court's broad reading of the CFAA renders the statute unconstitutionally vague. Corporate policies do not provide sufficient notice of what conduct is prohibited. Basing CFAA liability on violations of use restrictions would permit capricious enforcement by prosecutors. This Court should reverse Appellant's conviction under Specification 13 of Charge II.