The Computer Fraud and Abuse Act (CFAA) was enacted in 1986, as an amendment to the first federal computer fraud law, to address hacking. Over the years, it has been amended several times, most recently in 2008, to cover a broad range of conduct far beyond its original intent. The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization, but fails to define what “without authorization” means. With harsh penalty schemes and malleable provisions, it has become a tool ripe for abuse and use against nearly every aspect of computer activity.

Brief of the National Association of Criminal Defense Lawyers as Amicus Curiae in Support of Petitioner. 

Argument: The Eleventh Circuit reaffirmed that a person violates the CFAA by using a computer to access information for an improper purpose, even if otherwise authorized to access that information.  This reading goes beyond the CFAA’s text, fails to account for Congress’ intent in enacting it, and flouts the rule of lenity, which requires that ambiguous criminal statutes be construed in a defendant’s favor.  The decision below also interpreted the CFAA in a manner that raises due process concerns, both because it is an unconstitutionally vague reading of the statute and because it invites arbitrary and discriminatory enforcement, and thus the doctrine of constitutional avoidance requires that Petitioner’s reading of the statute prevail.  Further, an expansive reading of the CFAA would contribute to the trend of overcriminalization and give courts and prosecutors a backdoor method of updating criminal laws in response to changed technological—or potentially cultural, economic, or political—realities, something our constitutional structure reserves for Congress.

Reports and articles about CFAA

These are example cases of federal prosecutions including Computer Fraud and Abuse Act (CFAA) violations. The case entries include links to additional materials from the case and resources related to the case. Also, the Department of Justice has published its own manual on "Prosecuting Computer Crimes" that is available online here.

With the advances in technology over the past few decades, a host of new and novel legal issues have arisen due to the growth of computer availability and application. In 1984, Congress passed the Comprehensive Crime Control Act. Among the numerous provisions in the Act

Advocacy Materials on the Computer Fraud and Abuse Act

Letter to the House Judiciary Committee regarding drafted legislation that would enhance penalties and expand punishable conduct under the Computer Fraud and Abuse Act (CFAA).

Brief of the National Association of Criminal Defense Lawyers as Amicus Curiae in Support of Petitioner (on Petition for a Writ of Certiorari). 

Argument: In this case, the Eleventh Circuit reaffirmed that a person violates the CFAA by using a computer to access information for an improper purpose, even if that person is otherwise authorized to access that information. This holding warrants review because it reinforces a conflict of authority regarding the meaning of “authorized access” under the CFAA and because the Eleventh Circuit was wrong on the merits. Review also is warranted because the question presented is important. Computers are ubiquitous in daily life. It is important that the Court clarify that ordinary deviances from terms-of-use requirements— whether imposed by internet websites or private company use guidelines, to name but a few—are not criminal. Review also is necessary because the Eleventh Circuit’s decision deviates from settled practices for construing federal criminal statutes. Because the Eleventh Circuit’s decision and those courts on its side of the open and acknowledged split of authority break from this approach at every level, this Court should grant review.

Coalition letter to members of the Senate regarding Senator Patrick Leahy's amendment to the proposed Cybersecurity Act (S. 3414), which incorporates expanded violations and penalties of the Computer Fraud and Abuse Act (CFAA).

Amicus curiae brief of the Electronic Frontier Foundation and the National Association of Criminal Defense Lawyers in support of appellant.

Argument: When a person accesses another’s stored email without authorization, that single act may not be the basis for both an underlying misdemeanor and a felony enhancement. Ordinarily, first offenses under the Computer Fraud and Abuse Act and the Stored Communications Act are misdemeanors, unless committed for, among other things, in furtherance of another crime. In this case, the defendant’s CFAA offense, unauthorized access to stored email, was not committed “in furtherance of” an SCA violation, because both convictions were based on the same conduct. The government’s attempt to count the same conduct as both an underlying misdemeanor and as the basis for a felony conviction violates the Double Jeopardy Clause.

Amicus curiae brief of the National Association of Criminal Defense Lawyers in support of appellant.

Argument: The Fifth Amendment’s due process clause requires a narrow interpretation of “without authorization” under the Computer Fraud and Abuse Act (CFAA). The District Court’s finding that venue was proper exceeds constitutional limitations and invites prosecutorial forum-shopping.

Brief of Amici Curiae Electronic Frontier Foundation, Center for Democracy & Technology, National Association of Criminal Defense Lawyers, and Scholars in Support of Defendant-Appellant Gilberto Valle.

Argument: The Computer Fraud and Abuse Act (CFAA) does not prohibit violations of computer use restrictions. The CFAA was meant to target “hacking,” not violations of computer use restrictions. This case presents a mere use restriction. The District Court’s broad reading of the CFAA renders it unconstitutionally vague. Corporate policies do not provide sufficient notice of what conduct is prohibited. Allowing CFAA liability for mere use restrictions turns a vast number of ordinary individuals into criminals.

Brief of Amici Curiae Electronic Frontier Foundation, National Association of Criminal Defense Lawyers, and Center for Democracy & Technology in Support of Appellant.

Argument: The Computer Fraud and Abuse Act does not prohibit violations of computer use restrictions, such as the restriction at issue. The CFAA was meant to target "hacking," not violations of computer use restrictions. Written, policy-based restrictions on manner of access are restrictions on use. The lower court's broad reading of the CFAA renders the statute unconstitutionally vague. Corporate policies do not provide sufficient notice of what conduct is prohibited. Basing CFAA liability on violations of use restrictions would permit capricious enforcement by prosecutors. This Court should reverse Appellant's conviction under Specification 13 of Charge II.

Brief of Electronic Frontier Foundation and National Association of Criminal Defense Lawyers as Amici Curiae in Support of Appellant

Argument: The lower courts misconstrued the technology at issue. The lower courts misconstrued the CFAA’s purpose and case law. Congress intended the CFAA to target serious computer break-ins. Consistent with Congress’s intent, courts across the country have held that the CFAA does not criminalize violations of computer use policies. Courts adopting the ‘narrow’ interpretation have rejected the lower courts’ theory that written computer use restrictions on how someone accesses information are ‘access’ restrictions. The military judge ignored basic rules of statutory construction. The lower courts’ broad reading of the CFAA renders the statute unconstitutionally vague. 
 

Government Abuses Computer Crime Law to Boost Criminal Charges - Washington, DC (August 6, 2010) – The Electronic Frontier Foundation (EFF) and the National Association of Criminal Defense Lawyers asked a federal appeals court Thursday to block the government's attempt to wrongly expand federal computer crime law, turning misdemeanor charges into felonies.