Computer Fraud and Abuse Act (CFAA)

Computer Fraud and Abuse Act (CFAA)
March 9, 2020 Christine Siebels
Computer Fraud and Abuse Act (CFAA)

Computer Fraud and Abuse Act (CFAA)

Computer Fraud and Abuse Act (CFAA)

Computer Fraud and Abuse Act (CFAA)

As technology advances, the use of the criminal law to regulate conduct using such technology also advances. Perceptions concerning the role of technology in both traditional and high-tech criminal conduct prompted Congress to enact the first federal computer crime law thirty years ago. Increases in computer availability and mainstream usage, however, have propelled government regulation of computer conduct into overdrive.

Over the course of thirty years, federal computer crimes went from non-existent to touching on every aspect of computer activity for intensive and occasional users alike. The Computer Fraud and Abuse Act (CFAA) was enacted in 1986, as an amendment to the first federal computer fraud law, to address hacking. Over the years, it has been amended several times, most recently in 2008, to cover a broad range of conduct far beyond its original intent.

The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization, but fails to define what “without authorization” means. With harsh penalty schemes and malleable provisions, it has become a tool ripe for abuse and use against nearly every aspect of computer activity.

The breadth and ambiguity of the CFAA are deeply troubling. NACDL supports wholesale reform of the CFAA and, in particular, believes violations of website terms of services should not be federal crimes. NACDL opposes any additional expansion of the CFAA and is actively working to reform the CFAA through amicus support, coalition building, and legislative advocacy.

Provisions of the Computer Fraud & Abuse Act
18 U.S.C. § 1030




Obtaining National Security Information (a)(1) 10 yrs (20)
Accessing a Computer and Obtaining Information (a)(2) 1 or 5 yrs (10)
Trespassing in a Government Computer (a)(3) 1 yr (10)
Accessing a Computer to Defraud and Obtain Value (a)(4) 5 yrs (10)
Intentionally Damaging by Knowing Transmission (a)(5)(A) 1 or 10 yrs (20)
Recklessly Damaging by Intentional Access (a)(5)(B) 1 or 5 yrs (20)
Negligently Causing Damage and Loss by Intentional Access (a)(5)(C) 1 yr (10)
Trafficking in Passwords (a)(6) 1 yr (10)
Extortion Involving Computers (a)(7) 5 yrs (10)
Attempt and Conspiracy to Commit such an Offense (b) 10 yrs for attempt but no penalty specified for conspiracy in section (c)