Computer Fraud and Abuse Act


The Computer Fraud and Abuse Act (CFAA) of 1986 is an Act of Congress codified in U.S.C. Title 18 § 1030 as an amendment to existing computer fraud law (U.S.C. Title 18 § 1030), which had been included in the Comprehensive Crime Control Act of 1984.

The Computer Fraud and Abuse Act prohibits accessing a computer without authorization, or in excess of authorization.

The Comprehensive Crime Control Act of 1984 was enacted in response to concern that computer-related crimes might go unpunished. The House Committee Report to the original computer crime bill characterized the 1983 techno-thriller film WarGames—in which a young Matthew Broderick breaks into a U.S. military supercomputer programmed to predict possible outcomes of nuclear war and unwittingly almost starts World War III—as “a realistic representation of the automatic dialing and access capabilities of the personal computer.”[2]

The Computer Fraud and Abuse Act was written to increase the scope of the previous version of U.S.C. Title 18 § 1030 while, in theory, limiting federal jurisdiction to cases "with a compelling federal interest-i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature." (see "Protected Computer", below). In addition to amending a number of the provisions in the original section 1030, the CFAA also criminalized additional computer-related acts. Provisions addressed the distribution of malicious code and denial-of-service attacks. Congress also included in the CFAA a provision criminalizing trafficking in passwords and similar items.[1]

Since then, the Act has been amended a number of times—in 1989, 1994, 1996, in 2001 by the United States PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act.

In January 2015, Barack Obama proposed expanding the CFAA and the RICO Act in his Modernizing Law Enforcement Agency to Combat Cybercriminals proposal.[3] DEF CON organizer and Cloudflare researcher Marc Rogers, Senator Ron Wyden, and Representative Zoe Lofgren have stated opposition to this on the grounds that it will make many regular Internet activities illegal and move further away from what they were trying to accomplish with Aaron's Law.


In this case, the 9th Circuit holds that scraping a public website likely does not violate the CFAA:

"We therefore look to whether the conduct at issue is analogous to 'breaking and entering.'"

When section 1030(a)(2)(c) was added in 1996 to extend the prohibition on unauthorized access to any "protected computer", the Senate Judiciary Committee explained that the amendment was designed "to increase protection for the privacy and confidentiality of computer information." S. Rep. No. 104-357, at 7 (emphasis added).

The legislative history of section 1030 thus makes clear that the prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort.

As one prominent commentator has put it, "an authentication requirement, such as a password gate, is needed to create the necessary barrier that divides open spaces from closed spaces on the Web." Orin S. Kerr, Norms of Computer Trespass, 116 Colum. L. Rev. 1143, 1161 (2016).

Moreover, elsewhere in the statute, password fraud is cited as a means by which a computer may be accessed without authorization, see U.S.C. Title 18 § 1030(a)(6), bolstering the idea that authorization is only required for password-protected sites or sites that otherwise prevent the general public from viewing the information.
