Overly broad interpretations of the Computer Fraud and Abuse Act (CFAA)

Hello everyone,
Today, we will discuss the overly broad interpretations of the Computer Fraud and Abuse Act (CFAA)—the law under which many individuals, including hackers, are prosecuted and imprisoned.
I teach an Information Security course at UCLA Extension, and one of the most common questions I receive from students is: What constitutes hacking under the law?
Many of my students engage in security testing, often experimenting with corporate websites with the intent of assessing vulnerabilities. They do so not with malicious intent but rather as an educational exercise or to enhance security awareness. However, does this qualify as hacking under the CFAA?
Unfortunately, yes—it could be legally classified as hacking. The CFAA’s broad language allows for prosecution even when there is no clear malicious intent. Under its provisions, accessing a computer system without authorization or exceeding authorized access can constitute a federal crime. The lack of precise definitions for these terms has led to inconsistent enforcement, making it possible for well-meaning security researchers or ethical hackers to be prosecuted.
One of the key issues with the CFAA is that courts have applied differing interpretations, particularly regarding what “unauthorized access” means. Some courts have ruled that violating a website’s Terms of Service (TOS) could qualify as unauthorized access, turning routine activities into potential felonies. This ambiguity has led to significant legal concerns, especially in cases where individuals engage in good faith security testing without explicit permission.
The broad application of the CFAA raises serious concerns about overcriminalization, chilling effects on cybersecurity research, and the need for legislative reform to distinguish between malicious hacking and ethical security research.
What is ethical hacking?
Ethical hacking applies programming, networking, and analytical skills to find weaknesses in information systems. Hackers are commonly categorized by purpose: a white hat is an ethical hacker who acts with good intent and with the system owner's permission. These professionals specialize in penetration testing and related assessment methods that help an organization find and fix weaknesses before an attacker does. Most ethical hackers have a strong background in computer programming, networking, operating systems, and, particularly for cryptographic work, mathematics.
The security obstacles we encounter in the present day pale in comparison to those that we will encounter in the future. Our world is so interconnected with technology that cybersecurity has an impact on our financial stability, families, and even electoral processes. As technology continues to progress, the threat posed by hacking increases.
The booming industry of cybersecurity has been brought about by the ransom of hospitals, the shutdown of power grids, and the theft of intellectual property and trade secrets. Malicious attackers, who are often well-funded and supported by governments, operate globally, use sophisticated technology and methods, and are constantly improving their tactics.
To combat the rise of computer-based crimes and the tampering of sensitive information, skilled experts, known as ethical hackers or “white hats,” evaluate computer systems to identify vulnerable spots and then reinforce them through hardening or improvements. Ethical hacking is lawful because it is performed with the authorization of the system owner; the goal of improving security does not by itself make unauthorized access legal, as the discussion of the CFAA below makes clear. Essentially, ethical hacking means deliberately breaking into a system, within an agreed scope, to identify vulnerable areas, whereas computer hacking in general refers to making software or hardware behave in ways its creator did not intend. Ethical hackers play an essential role in safeguarding systems from malicious penetrations.
The United States has enacted a significant number of federal and state computer-crime laws over the last three decades. Unfortunately, the law tends to lag several years behind the technology it regulates.
Federal cybersecurity laws
There are several federal laws that address hacking, including:
• The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030;
• The Access Device Statute, 18 U.S.C. § 1029;
• The Stored Communications Act (SCA), 18 U.S.C. §§ 2701–2713;
• The Digital Millennium Copyright Act (DMCA), including the anti-circumvention provisions at 17 U.S.C. § 1201;
• The Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510 et seq. (the Wiretap Act) and § 2701 et seq. (the SCA, which is Title II of ECPA); and
• The Defend Trade Secrets Act (DTSA), 18 U.S.C. § 1836.
The Computer Fraud and Abuse Act
The focus of this post is the Computer Fraud and Abuse Act (CFAA), the central federal statute dealing with acts that compromise computer and network security. It has been amended several times, including by the USA PATRIOT Act in 2001. The CFAA prohibits unauthorized access to computer systems and networks, extortion by means of threatening such attacks, the transmission of code or programs that damage computers, and other related conduct.
The CFAA was enacted in 1986 as an extension of the existing computer fraud provisions of the Comprehensive Crime Control Act of 1984, and it is the primary federal anti-hacking statute in the United States. Its purpose is to prohibit unauthorized access to computer systems, including exceeding authorized access. Although it was initially intended to protect the computer systems of U.S. government entities and financial institutions, subsequent amendments have broadened its scope to cover virtually any computer in the country, including servers, desktops, laptops, cell phones, and tablets.
The CFAA plays a significant role in regulating the activities of ethical hackers, who must ensure they are authorized to conduct security testing to avoid running afoul of the law. Additionally, it is important to note that the CFAA has been criticized for its broad and vague language, which could lead to unintended consequences, such as the criminalization of seemingly innocuous activities. While virtually anyone can potentially be convicted under the CFAA, it should be noted that a violation requires the individual to access a computer system without authorization or exceed authorized access, meaning being in the wrong place at the wrong time would not necessarily result in a conviction.
The following are examples of CFAA violations and their corresponding penalties:
1. Accessing a computer to defraud and obtain something of value (§ 1030(a)(4)) – up to 5 years imprisonment, and up to 10 years for a second conviction.
2. Accessing a computer and obtaining information (§ 1030(a)(2)) – up to 1 year imprisonment as a misdemeanor, or up to 5 years when an aggravating factor applies (for example, the offense was committed for commercial advantage or private financial gain, in furtherance of another crime, or the value of the information obtained exceeds $5,000); up to 10 years for a second conviction.
3. Extortion involving computers (§ 1030(a)(7)) – up to 5 years imprisonment, and up to 10 years for a second conviction.
4. Intentionally causing damage through the knowing transmission of a program, code, or command (§ 1030(a)(5)(A)) – up to 10 years imprisonment, and up to 20 years for a second conviction.
5. Trafficking in passwords (§ 1030(a)(6)) – up to 1 year imprisonment, and up to 10 years for a second conviction.
Password trafficking refers to the sharing, selling, or purchasing of stolen passwords, which is penalized under the Computer Fraud and Abuse Act (CFAA) due to the potential for criminals to use the stolen passwords to gain unauthorized access to sensitive information such as bank accounts.
While ethical hacking can be a risky profession, it becomes illegal when the individual, known as a white hat, exceeds the limits of their authorization or permission. This can be a challenge, given the complexity of modern websites and systems, and it is easy to unintentionally exceed the limits of authorization.
Many modern websites contain content from hundreds or even thousands of third parties. For example, a bank's website may embed merchant services, card-data storage providers, cloud service providers, cookies, and many other services and scripts from various third parties.
In many cases, obtaining consent from all parties involved can be virtually impossible, and ethical hackers may accidentally access someone else’s application or data during routine testing work.
Van Buren Case
In 2021, the United States Supreme Court made a significant decision in the Van Buren case regarding the application of the Computer Fraud and Abuse Act (CFAA). Jeffrey L. Fisher, a law professor at Stanford University who represented the petitioner in the case, argued that the law’s language is outdated in the context of modern computer usage, and that its broad interpretation could criminalize ordinary breaches of computer restrictions and terms of service that individuals may not even be aware of.
The Van Buren case has sparked a significant debate within the academic community, with some, such as Laurent Sacharoff, a law professor at the University of Arkansas, arguing that any violation under the CFAA must be done knowingly. In other words, individuals who unintentionally gain access to a platform without proper authorization or violate its terms of service would not be guilty of a federal crime. This has particular relevance to ethical hackers who may exceed authorized access while performing penetration testing but do not do so knowingly or with malicious intent.
There have been numerous instances where ethical hackers have been arrested while performing their job, indicating a need for correction in the way the law treats and understands their work. A recent case in the United States involved two penetration testers hired to assess the security of an Iowa courthouse, who were subsequently arrested, charged, and jailed for physically entering the courthouse despite it being a planned security test commissioned by the government.
Modern websites often contain codes and contents from numerous third parties, making it easy for ethical hackers to accidentally exceed authorized access and access information that belongs to these third parties. As a result, they can be subject to punishment under the Computer Fraud and Abuse Act (CFAA).
Retaining a cybercrime lawyer can be an expensive endeavor, depending on various factors such as the type of advice required and the legal jurisdiction. It can be particularly challenging for ethical hackers to deal with big tech corporations, even with the assistance of an experienced cybercrime lawyer.
Thankfully, there are organizations that advocate for the rights of individuals and small businesses against big corporations. One such organization is the Electronic Frontier Foundation (EFF), which has provided legal assistance to people in cases involving large companies. For instance, EFF helped individuals accused of copyright infringement by 28 of the world’s biggest entertainment firms, led by MGM Studios, for distributing peer-to-peer file-sharing software. Additionally, EFF sued Sony Corporation for using software that could spy on users’ listening habits.
However, there is a pressing need for reform to protect ethical hackers, who are often mistreated and misunderstood by the law. Unfortunately, there are gray areas in ethical hacking that can lead to misunderstanding and confusion. The Iowa courthouse case described above, in which two hired penetration testers were arrested, charged, and jailed for a physical entry that was part of a planned, government-commissioned test, highlights how legal systems can view and treat ethical hackers and cybersecurity professionals.
Ethical hackers must be able to think creatively to identify and solve technical problems in computer systems while being mindful not to exceed the authorized boundaries. However, there is always a risk that they may unintentionally access sensitive information during the process of assessing systems and networks. It is crucial that ethical hackers are granted protected status under federal law. This would allow security professionals to access systems on the internet and disclose weaknesses without fear of prosecution under federal and state laws.
The current situation is akin to a pharmacist being arrested for drug possession while performing routine work. Trusted hackers should be able to inspect the security of websites and public-facing applications with more freedom, similar to how a police officer can investigate a person or location with reasonable grounds to do so. Professional penetration testers currently conduct assessments only with explicit consent from the owner, but it would be beneficial for security professionals to have more leeway to assess systems in the public domain and disclose any significant security risks without facing punishment.
Bug bounty programs are offered by some organizations and software developers as a way to incentivize individuals to report security vulnerabilities and bugs. These programs offer recognition and compensation to those who report such vulnerabilities. However, not all organizations have bug bounty or responsible disclosure programs, and even those that do often have limitations. In some cases, participants may be required to sign non-disclosure agreements in order to receive compensation, which can result in vulnerabilities not being addressed as quickly as they should be.
This situation highlights how federal anti-hacking laws have not kept pace with the way security vulnerabilities are actually found and patched. Neither the CFAA nor the DMCA contains a statutory safe harbor for researchers who find and disclose bugs. The protections that do exist, such as the Librarian of Congress's DMCA exemption for good-faith security research and the Department of Justice's May 2022 charging policy stating that good-faith security research should not be prosecuted under the CFAA, are regulatory or discretionary rather than written into the statutes, which leaves a legal gray area that discourages ethical hacking.
The cybersecurity community is well aware of the issue of companies taking legal action against security researchers and professionals who uncover critical security vulnerabilities. Last year, for instance, the FBI investigated security researchers in Georgia after they discovered millions of publicly accessible voter registration records on the state’s election website. The law often lags behind technology advancements, and private companies and organizations have varied and often inconsistent policies for managing vulnerability disclosures. This inconsistency makes it challenging for ethical hackers to discern the boundary between what is deemed permissible and what could potentially result in legal repercussions.
The act of accessing another person’s computer without authorization is criminalized by the CFAA. It is recommended that the CFAA be amended to require that any violation of the statute be committed knowingly or intentionally. Similarly, other laws, including state laws, should be changed to require a knowing mental state. The application of the CFAA to ethical hackers, and even to ordinary users who exceed the “terms of service” of particular applications or social networking websites in everyday practice, remains ambiguous.
In the recent case of Van Buren v. United States, the Supreme Court ruled on these concerns directly. The case involved the prosecution of a Georgia police sergeant who used a law enforcement computer to run a license plate search for an acquaintance in exchange for an expected payment of around $5,000. The question was whether this violated the CFAA, which criminalizes intentionally accessing a computer without authorization, or exceeding authorized access, and thereby obtaining information. In a 6-3 decision written by Justice Barrett, the Court concluded that it did not.
The statutory language nonetheless remains concerning. Because the CFAA’s definition of a “protected computer” reaches any computer used in or affecting interstate commerce, everyday systems that internet users commonly access, such as social media, news, online gaming, and streaming services, fall within it. A major problem is the ambiguity of the statutory text: “without authorization” is not defined at all, and “exceeds authorized access” is defined only in a somewhat circular manner that does little to limit its scope. Many academic papers, commentary pieces, news articles, and amicus briefs have noted that, interpreted broadly, this language could criminalize commonplace uses of computers that most people would consider innocuous.
Consider the scenario where exceeding authorized access is interpreted to include breaking a website’s terms of service. In such a case, violating the terms of service could result in criminal liability, as pointed out by the Electronic Frontier Foundation. Similarly, if violating an employer’s computer-use policy is seen as exceeding authorized access, it could also lead to concerns about overcriminalization. The Supreme Court addressed this issue in the Van Buren case, stating that if every violation of a computer-use policy is deemed as exceeding authorized access, then millions of law-abiding citizens would become criminals. For instance, many employers restrict computer and electronic device use to business purposes only. Therefore, under the government’s interpretation of the CFAA, an employee who uses their work computer to read the news or send a personal email would be in violation of the statute.
In its ruling, the Supreme Court determined that someone exceeds authorized access “when he accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him.” Since Van Buren had permission to access the license plate database, his misuse of the information did not constitute a violation of the CFAA, although it may have resulted in liability under other laws.
Suggestions to change CFAA
My recommendation is that Congress define the required mental state for prosecution under the Computer Fraud and Abuse Act (CFAA) as “intentional” with respect to the lack of authorization, so that a defendant must have known that the access in question was unauthorized. However, it is unlikely that Congress will do so, because it would reduce prosecutors’ leverage in hacking cases. The CFAA is the primary statute under which most hackers are prosecuted. Given that hacking cases are already difficult to prosecute, adding intent as a separate element that prosecutors must prove would make securing convictions considerably harder.
Under federal law, different types of mental states exist, primarily based on mens rea (the guilty mind). The most commonly recognized mental states include:
- Intentional – The defendant acted with a conscious objective to bring about a particular result.
- Knowing – The defendant was aware of the nature of their conduct or was practically certain that it would produce a particular result.
- Reckless – The defendant consciously disregarded a substantial and unjustifiable risk.
- Negligent – The defendant failed to be aware of a substantial risk that a reasonable person would have recognized.
In a criminal case, prosecutors must prove every element of the offense, including the requisite mental state. If a penal statute does not explicitly define a mental state, courts typically infer one from legislative intent. The Supreme Court has often interpreted silent statutes by applying the presumption of Staples v. United States and Morissette v. United States that a criminal statute requires a culpable mental state, generally at least knowledge of the facts that make the conduct unlawful, unless Congress clearly indicates otherwise.
Conclusion
The recent Van Buren decision has partially addressed concerns about the broad scope of the CFAA, but several questions remain unanswered. One such issue is the meaning of accessing a computer “without authorization” or “exceeding authorized access.” Does it cover only the bypassing of technical barriers, or does it also include violating access limits set by a contract or policy? UC Berkeley law professor Orin Kerr notes that the ruling is somewhat ambiguous on this point. Although the risk of overly broad interpretations of the CFAA has decreased, reform is still necessary.
To address this, first, the Supreme Court should change its interpretation of the CFAA and establish that intent is a necessary element of the crime. Most people who access a platform without authorization or violate its terms of service may not know that their access is unauthorized. Therefore, they should not be found guilty of a federal crime. Second, new laws should be enacted to create and protect ethical hackers as independent professionals, even in cases of accidental unauthorized access. Such laws should require licensure for ethical hackers to operate within the legal framework.