David Thaw, Criminalizing Hacking, Not Dating: Reconstructing the CFAA Intent Requirement

Comment by: Jody Blanke

PLSC 2013

Published version available here:

Workshop draft abstract:

The Computer Fraud and Abuse Act (CFAA) originally was enacted as a response to a growing threat of electronic crimes, a threat which continues to grow rapidly.  Congress, to address concerns about hacking and cybercrime, criminalized unauthorized access to computer systems through the CFAA.  The statute poorly defines this threshold concept of “unauthorized access,” however, resulting in widely varied judicial interpretation.  While this issue is perhaps still under-examined, the bulk of existing scholarship generally agrees that an overly broad interpretation of unauthorized access — specifically one that allows private contract unlimited freedom to define authorization — creates a constitutionally-impermissible result.  Existing scholarship, however, lacks workable solutions.  The most notable approach, prohibiting contracts of adhesion (e.g., website “Terms of Service”) from defining authorized access, strips system operators of their ability to post the virtual equivalent of “no trespassing” signs and set enforceable limits on the (ab)use of their private property.

This Article considers an alternative approach, based on examination of what is likely the root cause of vagueness and overbreadth problems in the CFAA — a poorly constructed mens rea element.  It argues that judicial interpretation may not be sufficient to effect Congressional intent concerning the CFAA, and argues for legislative reconstruction of the mens rea requirement requiring a strong nexus between an individual’s intent and the unique computer-based harm sought to be prevented.  The Article proposes a two-part conjunctive test:  first, that an individual’s intent must not only be to engage in an action (which technically results in unauthorized access), but that the intent must itself be to engage in unauthorized access; and second, that the resultant actions must be in furtherance either of an (enumerated) computer-specific malicious action or of an otherwise-unlawful act.  While courts may be able to reinterpret the statute to accomplish the first part, this still leaves substantial potential for private agreements to create vagueness and overbreadth problems.  The second part of the test mitigates this risk, and thus Congressional intervention is required to save both the validity of the statute as well as the important protections it affords.