Document Type


Publication Date


Publication Information

84 Geo. Wash. L. Rev. 1442 (2016)


Thirty years ago, Congress passed the Computer Fraud and Abuse Act (CFAA) to combat the emerging problem of computer crime. The statute’s core prohibitions targeted one who “accesses” a computer “without authorization” or who “exceeds authorized access.” Over time, incremental statutory changes and large-scale technical changes have dramatically expanded the potential scope of the CFAA. The question of what constitutes unauthorized access has taken on far greater significance than it had thirty years ago, and courts remain deeply divided on this question. This Article explores the text, purpose, and history of the CFAA, as well as a range of normative considerations that should guide interpretation of the statute. The Article concludes that courts should pursue a narrow and “code-based” understanding of unauthorized access under the CFAA—both in terms of what it means to access a computer without authorization and in terms of what it means to exceed authorized access. The CFAA has strayed far from its original purpose: Congress failed to define key terms in the CFAA, and courts have overlooked limiting principles within the statute. From a normative perspective, even if it is desirable to provide owners of networked computer systems with stronger legal protection for their systems, the CFAA’s unauthorized access provisions are not the proper vehicle for doing so.



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.