Everything You Need to Know about CFAA

two factor auth screen

The business world can be a very cut-throat arena when the competition gets stiff. Often, people may turn to not-so-legal dealings in a bid to get even a slight advantage over their competitors. And in this modern era, the bid will more than likely involve the use of a computer. Hence, the Computer Fraud and Abuse Act (CFAA), an intended deterrent against using technology for nefarious purposes. Yes, the CFAA seeks to protect enterprises as well as individuals. Here’s everything you need to know about CFAA.

Introduction to CFAA

Congress passed the Computer Fraud and Abuse Actin 1986. It was an amendment to an existing computer fraud law, further amended several times since. This broad law seeks to prohibit a range of computer-and network-related activities deemed illegal. Among them: accessing a computer without authorization, trafficking in passwords and access information, and extortion involving computers.

Overview of the law

As mentioned, the CFAA is a broad law. It lists the following activities as illegal:

  • accessing national security information,
  • compromising confidentiality,
  • accessing a government computer without authorization,
  • getting access to defraud and obtain value,
  • causing damage to a computer or information,
  • trafficking in passwords and access information,
  • and threatening to damage a computer.

CFAA’s original intent was to cover protected computers only, such as those in the federal system. But it now extends to ordinary computers and mobile phones as well. That’s in keeping with the nature of modern-day communication and technological advancements,

Consequences of violating the act

The penalties for committing any of the abovementioned activities will vary.  For example, illegally accessing classified information will get you charged with a felony. Accessing financial records or government computers is considered a misdemeanor. Felony convictions are punishable with either a fine or a sentence of up to 10 years, or both. A second conviction is punishable with either a fine or a sentence of not more than 20 years, or both.


One of the biggest arguments against the CFAA has been that it is not clear, but wide-open to interpretation. Cases such as United States v. Drew and United States vs. Nosal prompted arguments that some legal actions were wrongly interpreted as illegal computer access. Prosecutors were thought to be twisting the Act to suit their own agendas. Often, for example, prosecutors suggest that violation of private agreements is tantamount to violating the CFAA. Critics of this Act also argue against what they see as its excessive penalties. First-time offenders faced up to five years behind bars for accessing computers without adequate authorization.

A clearer, less punitive definition of unauthorized access has emerged from a recent appellate court decision in HiQ Labs vs. LinkedIn (September 2019). For details of the issues and outcome in that case, see our article Web Scraping and CFAA – A Big Step Toward Clarity.

Staying on the right side

Every law written by human beings will inevitably face opposition, however much legal weight it may hold. The Computer Fraud and Abuse Act arose from the need to protect enterprises, governments, and individuals from criminal use of technology. It has its merits, but it also has several ambiguous provisions that have aroused controversy over the years. However, regardless of what one may think of this Act, the knowledge of it is imperative. It affects everyone who uses a computer and accesses the Internet, which is just about everyone.