Hacking And Unauthorized Access
Core concepts: what “hacking” and “unauthorized access” mean for criminal law
Unauthorized access (the legal core): accessing a computer, account, network, or data without permission. Many statutes criminalize either (a) accessing without any authorization or (b) accessing with authorization but then obtaining information or using it in a way that “exceeds authorized access.” How that latter phrase is read matters a lot in prosecutions.
Typical statutory vehicles:
In the United States, the main federal law is the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. §1030). States have similar statutes.
Other countries use their own computer misuse statutes (e.g., the UK’s Computer Misuse Act 1990 and later amendments), Australia’s Criminal Code provisions, EU member states’ laws, etc.
Key elements prosecutors must establish (varies by statute/jurisdiction):
A protected computer or system was accessed;
Access was unauthorized or exceeded authorization;
The defendant knowingly and intentionally accessed it (some statutes require intent to commit further wrongdoing);
Often there must be a specified harm (loss, damage, fraud, data exfiltration), or sometimes merely the unauthorized access itself is punishable.
Mens rea problems: Automated or autonomous software agents, mistakes about permission, or ambiguous corporate policies (e.g., “don’t use work computers for personal use”) create thorny questions about whether users “intended” to commit an offense or merely violated a policy.
Policy tension:
Narrow readings protect everyday internet behavior and research (e.g., security researchers, journalists).
Broad readings create sweeping criminal exposure for ordinary violations of website terms or employee computer‑use rules.
Forensics & evidence: Logs, metadata, network captures, and chain of custody are crucial. Courts also consider whether evidence was obtained lawfully.
Cases (detailed: facts → legal issue → court holding → significance)
1) United States v. Morris (1991) — the Morris worm (first major CFAA conviction)
Facts: In 1988 Robert T. Morris released a self‑replicating worm that exploited UNIX vulnerabilities and spread across thousands of internet‑connected machines, causing widespread disruption.
Legal issue: Whether creating and releasing code that causes unauthorized access and damage violated the (then‑new) Computer Fraud and Abuse Act.
Holding: Morris was convicted under the CFAA of intentionally accessing protected computers without authorization and thereby causing damage; he received probation, a fine, and community service.
Why it matters: The Morris case was the first high‑profile application of a federal computer crime statute to a worm and set early precedent that releasing malware that causes damage is criminal. It also launched debates about proportionality of sanctions and the boundaries of research versus criminality.
2) R v. Gold and R v. Schifreen (UK, late 1980s; led to the Computer Misuse Act 1990)
Facts: Two British computer enthusiasts (Gold and Schifreen) accessed a high‑profile mailbox system (allegedly trying to read Prince Philip’s messages) by exploiting weak passwords on a telecom system. They were prosecuted under existing theft/abuse laws.
Legal issue: Whether existing criminal law covered unauthorized electronic access (the legal categories were written for property and documents, not ephemeral electronic access).
Holding / outcome: Courts concluded the available offences didn’t neatly cover purely electronic unauthorized access; as a consequence, the prosecutions failed under the old legal framework.
Why it matters: The case made clear the law lacked suitable provisions and was a major catalyst for the UK Parliament to enact the Computer Misuse Act 1990, specifically criminalizing unauthorized access and later unauthorized modification. It’s an example of law catching up to technology.
3) United States v. Aaron Swartz (2011–2013) — downloading academic articles; prosecution under CFAA
Facts: Aaron Swartz used a script/system to download a large number of academic articles from the JSTOR repository hosted on MIT computers. Prosecutors alleged he sought to distribute the materials and circumvented access controls.
Legal issue: Whether bulk downloading from a university network, in violation of terms and possibly bypassing restrictions, amounted to criminal access under the CFAA and warranted a heavy federal prosecution.
Holding / outcome: Federal prosecutors charged Swartz with multiple felony counts under the CFAA and related statutes; the case was intensely controversial. Swartz died by suicide while charges were pending; prosecutors faced heavy criticism for aggressive charging decisions.
Why it matters: The Swartz case brought national attention to how the CFAA can be used against researchers, students, and activists; it sparked calls for CFAA reform and highlighted prosecutorial discretion, proportionality, and the chilling effect on legitimate research.
4) United States v. Nosal (9th Cir., en banc 2016)
Facts: David Nosal and others used credentials to access a former employer’s database and took trade secrets to benefit a competing business. The prosecution invoked the CFAA based on “exceeding authorized access.”
Legal issue: Whether the CFAA’s “exceeds authorized access” provision criminalizes employees or ex‑employees who have legitimate credentials but misuse them (i.e., violate employer computer‑use policies).
Holding: The Ninth Circuit, sitting en banc, held that the CFAA’s “exceeds authorized access” language does not reach mere violations of use policies (e.g., using an employer's computer for an improper purpose) when the user is otherwise authorized to access the information. The court adopted a narrower statutory interpretation to avoid criminalizing a vast amount of commonplace behavior.
Why it matters: Nosal narrowed the CFAA’s reach in the Ninth Circuit, protecting people from prosecution simply for violating terms of use or employer rules. It’s a pivotal case in defining the line between wrongful purpose and unauthorized access.
5) Van Buren v. United States (U.S. Supreme Court, 2021) — clarifying “exceeds authorized access”
Facts: A police sergeant accepted money to run a license‑plate search on a law‑enforcement database for an unauthorized purpose. He had valid credentials but used them improperly.
Legal issue: What does “exceeds authorized access” mean under the CFAA — does it criminalize use of access for improper purposes even when the user has proper login permissions?
Holding: The Supreme Court held that “exceeds authorized access” is limited: it covers access to parts of a computer system to which the user is not entitled, but it does not criminalize misuse of access for an improper purpose when the user is otherwise permitted to access the information. In short, Van Buren rejected a broad “purpose‑based” reading of the CFAA.
Why it matters: Van Buren is a landmark narrowing decision. It aligns with Nosal and significantly constrains prosecutors from bringing CFAA charges for mere policy violations or improper use; it protects many common behaviors (and security research) from being swept into felony exposure. It also pushed the landscape toward civil remedies and other statutes for misuse rather than criminal CFAA prosecutions.
6) hiQ Labs, Inc. v. LinkedIn Corp. (9th Cir. 2019) — web scraping and unauthorized access
Facts: hiQ used automated tools to scrape public LinkedIn profiles to build analytics products. LinkedIn tried to block hiQ and asserted that scraping violated the CFAA and other laws; hiQ sued for declaratory relief and obtained a preliminary injunction preventing LinkedIn from blocking access to public profiles.
Legal issue: Does scraping publicly available profile data from a website constitute “unauthorized access” under the CFAA, and can the site operator block such scraping?
Holding (9th Cir.): The Ninth Circuit held that accessing publicly available data on a website likely does not violate the CFAA because there is no “without authorization” access when the data is public. The court upheld the preliminary injunction in hiQ’s favor, finding hiQ was likely to succeed on its claim that LinkedIn couldn’t use the CFAA to bar scraping of public profiles.
Why it matters: hiQ is a key case limiting the CFAA’s use to prevent scraping of public data, carving out protection for certain data‑collection practices and clarifying that website terms alone do not necessarily create criminal liability. The case is central to debates about data access, competitive scraping, and the protection of public web data.
7) United States v. Auernheimer (2014) — “Weev” and AT&T iPad user data
Facts: Alexander “Weev” Auernheimer discovered that an AT&T website returned iPad subscriber email addresses when queried with certain device identifiers. He collected and published a list of emails. Federal prosecutors charged him under the CFAA and other statutes.
Legal issue: Whether collecting publicly accessible data by automating queries constituted “unauthorized access” and whether venue was proper.
Holding: A federal appeals court (Third Circuit) vacated Auernheimer’s convictions on procedural grounds — primarily improper venue (the government tried him in New Jersey though much of the conduct occurred elsewhere). The court did not fully resolve the CFAA merits but the case highlighted contentious issues about scraping and criminal liability.
Why it matters: The case demonstrated both the prosecutorial reach into automated data collection and procedural defenses (venue). It also spotlighted policy debates about when aggregation of poorly protected but accessible data becomes criminal.
8) United States v. Lori Drew (2008–2009) — social‑network impersonation prosecution and CFAA limits
Facts: Lori Drew allegedly created a fake MySpace profile to befriend and harass a teenager; that harassment preceded the teen’s suicide. Federal prosecutors charged Drew in part under the CFAA for creating a fake account in violation of MySpace’s terms of service (i.e., accessing the site using false information).
Legal issue: Can violations of a website’s terms of use be criminalized under the CFAA as “unauthorized access”?
Holding / outcome: The criminal case ran into serious legal problems. A judge dismissed the CFAA‑based claim as too broad because reading the CFAA to criminalize mere Terms‑of‑Service violations would criminalize a huge swath of ordinary internet behavior. The jury acquitted on one misdemeanor charge; the government eventually declined to re‑try the broader CFAA approach.
Why it matters: The Drew matter is an example of prosecutors testing the CFAA against deceptive account creation and the judiciary resisting an overbroad reading that would criminalize many commonplace web activities. It reinforced the emerging judicial trend of narrowing the CFAA to avoid absurd results.
Practical takeaways from these cases
Courts have moved from broad to narrower readings of “unauthorized” access. Early aggressive uses of the CFAA led to high‑profile controversies (Swartz, Drew), and later judicial decisions (Nosal en banc, Van Buren) narrowed the statute’s reach.
The distinction between “no authorization” and “misuse” is crucial. Access that is truly unauthorized (exploiting credentials, bypassing authentication) remains clearly criminal; what’s controversial is prosecuting people who had credentials but used them for an improper purpose.
Web scraping of public data sits in a gray zone but courts have protected some scraping. hiQ v. LinkedIn is a major authority saying scraping publicly available profiles is generally not CFAA unauthorized access.
“Hacking” that causes damage (worms, ransomware, data destruction) remains firmly within criminal law. Morris is the archetype; modern prosecutions routinely and successfully apply these statutes to malicious intrusions that cause real harm.
Policy and legislative reform remain alive. Cases exposed gaps and overbreadth; some jurisdictions retooled laws (UK’s Computer Misuse Act; ongoing calls for CFAA reform in the U.S.).
Defense strategies often focus on statutory interpretation, venue, and the nature of authorization (policy violation vs. credential misuse). Procedural defenses (e.g., venue) or statutory construction arguments have produced real wins (Auernheimer; Nosal; Van Buren).
Short checklist for investigators & lawyers handling these matters
Preserve logs, authentication records, timestamps, and chain of custody.
Identify precisely what access the person was authorized to have, and how and why the access at issue occurred (authorization scope).
Distinguish scraping of public web data from bypassing authentication or other access controls.
Consider civil remedies and regulatory enforcement where criminal law is uncertain.
Watch for jurisdictional issues: cross‑border servers and distributed infrastructure create venue questions.