A Code-Based Approach to Unauthorized Access Under the Computer Fraud Abuse Act

Thirty years ago, Congress passed the Computer Fraud and Abuse Act ("CFAA ") to combat the emerging problem of computer crime. The statute's core prohibitions targeted one who "accesses" a computer "without authorization" or who "exceeds authorized access." Over time, the incremental statutory changes and large-scale technological changes have dramatically expanded the potential scope of the CFAA. The question of what constitutes unauthorized access has taken on far greater significance than it had thirty years ago, and courts remain deeply divided on this question. This Article explores the text, purpose, and history of the CFAA, as well as a range of normative considerations that should guide interpretation of the statute. This Article concludes that courts should pursue a narrow and "code-based" understanding of unauthorized access under the CFAA-both in terms of what it means to access a computer without authorization and in terms of what it means to exceed authorized access. The CFAA has strayed far from its original purpose: Congress failed to define key terms in the CFAA, and courts have overlooked limiting principles within the statute. From a normative perspective, even if it is desirable to provide owners of networked computer systems with stronger legal protection for their systems, the CFAA's unauthorized access provisions are not the proper vehicle for doing so.