Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) is the short title of Pub. L. 99–474, enacted on October 16, 1986. It substantially amended 18 U.S.C. § 1030 (Counterfeit Access Device and Computer Fraud and Abuse Act), originally enacted in 1984, by revising mental‑state requirements, adding new offenses (including password trafficking), defining "Federal interest computer", and clarifying "exceeds authorized access". ^{[1] [2]}

What the 1986 Act changed

Two years after the Counterfeit Access Device and Computer Fraud and Abuse Act, the Congress significantly expanded the computer crime statute by passing the Computer Fraud and Abuse Act ("CFAA"). The original text was directed at protecting classified information, financial records, and credit information on governmental and financial institution computers. With the CFAA, Congress intended to prohibit unauthorized access to "federal interest" computers. The amendment provided additional penalties for fraud and related activities in connection with access devices and computers, as well as additional protection for federal interest computers. Congress attempted to limit federal jurisdiction over computer crimes to those cases involving a compelling federal interest (i.e. where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature).^[3]

Particularly:

• Replaced the term "knowingly" with "intentionally" in § 1030(a)(2) and "exceeds authorized access" with "having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend".
• Created new offenses:
  • § 1030(a)(4): prohibited unauthorized access access to a Federal interest computer with intent to defraud;
  • § 1030(a)(5): prohibited accessing a Federal interest computer without authorization and altering, damaging, or destroying information;
  • § 1030(a)(6): prohibiting password trafficking affecting interstate/foreign commerce or U.S. Government computers.^{[1] [3]}
• Added definitions including "Federal interest computer" and the statutory definition of "exceeds authorized access"
• Added a law‑enforcement/intelligence activities exception (now codified at § 1030(f)).^[1]

Early application

A prominent early conviction under the post‑1986 framework was United States v. Morris (2d Cir. 1991), arising from the 1988 "Morris worm", under then‑§ 1030(a)(5)(A).^[4]

Relationship to later amendments

• 1994: Computer Abuse Amendments Act (Pub. L. 103‑322): added the private "civil cause of action" at § 1030(g).^[3]
• 1996: National Information Infrastructure Protection Act (Pub. L. 104‑294): replaced "Federal interest computer" with "protected computer", expanded coverage, revised § 1030(a)(5), and added extortion via computer § 1030(a)(7).^{[5] [6]}
• Subsequent amendments in 2001, 2002, and 2008 broadened scope and penalties; for an overview of the amendment history and present structure, see the CRS primer and the USSC primer.^{[7] [8]}

Interpretive developments

• Van Buren v. United States (2021): Supreme Court narrowed the reading of "exceeds authorized access."^[9]
• DOJ charging policy (May 19, 2022): instructs declining prosecution for "good‑faith security research" under the CFAA.^[10]

References