Hacking And Unauthorized Access Offences

Hacking & Unauthorized‑Access Offences — clear explanation plus 6 detailed cases

Below I’ll (A) explain the typical offences and legal elements for “hacking” / unauthorized computer access, and then (B) go through six landmark cases in detail — facts, legal issue(s), holdings, and why each matters. I won’t link to anything external (as you requested) and I’ll be careful and precise about legal principles.

A. What are the core offences and legal elements?

Common statutory model (U.S. Computer Fraud & Abuse Act — CFAA)
Most modern prosecutions for “hacking” in the U.S. use the CFAA. Key concepts:

Unauthorized access — accessing a computer “without authorization.” That typically means you had no permission to access the machine at all (e.g., breaking in).

Exceeds authorized access — using access you were granted to a computer in order to obtain information you were not entitled to obtain (e.g., an employee using valid credentials to pull restricted data).

Obtaining information, damaging a computer, or causing loss — CFAA covers obtaining information, impairing operation, transmitting code that damages (viruses/worms), and conspiracies.

Mens rea — most CFAA violations require intentional or knowing conduct; some require intent to defraud or cause loss.

Penalties vary widely: misdemeanor for minor items, felonies where there is significant loss, damage, or intent to defraud, or where national defense/financial systems are targeted.

Why the definitions matter
Courts have struggled with two competing lines:

A broad approach treating violations of employer policies / website terms as “unauthorized,” which would criminalize many commonplace behaviours; and

A narrow approach that limits CFAA to truly unauthorized intrusions (logically similar to breaking into a building), not to mere policy violations or improper use.

Different cases below illustrate how U.S. courts resolved that tension.

Other jurisdictions

The UK uses the Computer Misuse Act 1990 (s.1, s.3 etc.), with conceptually similar offences: unauthorized access, unauthorized access with intent to commit further offences, unauthorized modification.

Many countries have similar criminal statutes; the same core debates (scope: technical access vs. policy violations) recur globally.

B. Six landmark cases (detailed)

I’ll cover: Morris (1988 worm), Nosal (employee access), Van Buren (Supreme Court CFAA narrowing), hiQ v. LinkedIn (web scraping), Aaron Swartz (JSTOR downloads & prosecutorial controversy), and Auernheimer (AT&T iPad email harvest; conviction vacated). For each: facts → issue → holding → significance.

1) The Morris Worm — prosecution of Robert T. Morris (late‑1980s)

Facts:
In 1988 a Cornell graduate student (Robert Tappan Morris) released a self‑propagating worm on the internet that exploited known vulnerabilities to replicate itself. The worm caused many systems to slow or crash and required cleanup. Morris said the spread was unintended, and he did not intend to cause long‑term damage.

Legal issue:
Did creating and releasing a self‑propagating worm that caused damage to networks violate the CFAA (and related statutes)?

Holding & outcome:
Morris was prosecuted under the federal computer fraud statute (the CFAA was new then) and convicted. He received probation, community service, and a fine, with civil consequences following. The conviction established criminal liability for unauthorized actions that damage computers, even where the intent was not theft and the conduct was reckless or wanton rather than deliberately destructive.

Significance:

The case was the first high‑profile criminal prosecution for computer misuse in the internet era and demonstrated that destructive code could lead to criminal penalties.

It helped cement the CFAA as the principal tool to punish malware/worm authors.

It also raised policy debates about proportionality of punishment and about how to classify negligent vs. intentional acts in a novel tech landscape.

2) United States v. Nosal — “exceeds authorized access” and employer policy (Ninth Circuit; en banc ruling)

Facts:
A former employee of an executive search firm surreptitiously asked current employees to use their valid logins to download confidential information from the employer’s computers, which the former employee himself could not access directly. The government charged him under the CFAA.

Legal issue:
Does the CFAA’s phrase “exceeds authorized access” criminalize violations of employer computer‑use policies (e.g., using an authorized account for a prohibited purpose), or is it limited to circumventing technical barriers to access areas of a computer to which one is not entitled?

Holding:
In an earlier panel decision the Ninth Circuit allowed a broader reading. However, in a later en banc decision the Ninth Circuit narrowed the CFAA: the court held that “exceeds authorized access” cannot be read to make employees criminally liable for merely violating use policies or acceptable‑use rules when they access information they are otherwise entitled to access. The correct reading excludes situations where someone has legitimate access credentials but uses them for improper purposes.

Significance:

Clarified scope: The en banc ruling prevented the CFAA from criminalizing many routine workplace policy violations (e.g., personal use of company email, browsing prohibited sites) merely because they flout employer policy.

Practical effect: Prosecutions must show an access boundary was crossed (e.g., bypassing authentication) rather than simply an improper use of valid access.

3) Van Buren v. United States — U.S. Supreme Court (2021) (definitive narrowing)

Facts:
A police officer had legitimate access to a law‑enforcement database for official purposes but used his access to obtain license‑plate information for an unauthorized private purpose (for payment). He was charged under the CFAA for “exceeding authorized access.”

Legal issue:
What does “exceeds authorized access” mean in the CFAA? Does it criminalize misuse of information that the user was otherwise authorized to obtain, or is it limited to accessing data that the user was not authorized to access at all?

Holding:
The Supreme Court adopted a narrow interpretation. It held that “exceeds authorized access” applies when a person accesses areas of a computer — files, folders, databases — that are off‑limits to them, not when someone with legitimate access misuses or misappropriates information they are allowed to view. In short, violating a use‑restriction (a policy) is not the same as gaining access to a place in the system that you’re not allowed to enter.

Significance:

This is the controlling Supreme Court precedent in the U.S. and greatly limited the reach of the “exceeds authorized access” theory.

The ruling protects against criminalizing a wide swath of commonplace online misbehavior (e.g., breaching website terms or employer policies) under the CFAA, shifting enforcement focus onto actual technical access violations (e.g., hacking, bypassing passwords, accessing restricted accounts or systems).

4) hiQ Labs v. LinkedIn — web scraping & CFAA (Ninth Circuit, 2019)

Facts:
hiQ scraped publicly accessible LinkedIn user profiles en masse to provide analytics about employee movement. LinkedIn sent cease‑and‑desist orders and used technical measures to block hiQ. LinkedIn argued hiQ’s automated scraping violated the CFAA because LinkedIn had “revoked authorization” by blocking hiQ’s IPs and sending the cease‑and‑desist.

Legal issue:
Does scraping data that is publicly available on a website, in the face of a cease‑and‑desist or IP‑blocking, amount to accessing the site “without authorization” in violation of the CFAA?

Holding:
The Ninth Circuit held that scraping publicly available profile data does not violate the CFAA because the information was publicly accessible — blocking or sending a cease‑and‑desist did not retroactively make the public pages “off‑limits” under the CFAA. The court distinguished access to publicly available content from accessing private, protected areas.

Significance:

The decision provided an important protection for certain kinds of web scraping of public data, limiting CFAA use against scrapers in the Ninth Circuit.

It also emphasized the CFAA’s limits: the statute targets unauthorized access to restricted resources, not generally downloading public webpages.

Note: hiQ’s legal status has been the subject of later appeals and filings in other courts, but the Ninth Circuit opinion is influential and widely cited.

5) Aaron Swartz / JSTOR downloads — criminal charging and policy debate (prosecution leading to 2013 tragedy)

Facts:
Aaron Swartz, an internet activist and programmer, used MIT campus network access and automated scripts to download large numbers of academic articles from JSTOR. Prosecutors alleged he bypassed restrictions to download articles en masse and intended to publicly distribute them. He was indicted on multiple counts under the CFAA and related statutes and faced potentially decades in prison. In 2013 he died by suicide while the case was pending.

Legal issue:
Besides the substantive application of the CFAA to mass downloading, the case highlighted prosecutorial discretion and whether aggressive use of the CFAA in cases of non‑commercial sharing is appropriate. Did his conduct amount to criminal “unauthorized access” and an intent to cause significant harm so as to justify severe felony charges?

Outcome & significance:

Swartz was never convicted (case ended with his death). The prosecution and the harsh charges drew intense public criticism.

The case prompted widespread calls for CFAA reform and for restraint in charging practices where the alleged harms are small or where the defendant’s intent was not primarily commercial theft.

It influenced academic and legislative debates about proportionality, intent, and whether statutes designed for computer intrusions should be applied to data‑sharing activists or researchers.

6) United States v. Auernheimer (“Weev”) — AT&T iPad email list (Third Circuit; conviction vacated)

Facts:
In 2010 two researchers/programmers discovered that a public AT&T API endpoint returned email addresses for iPad users if supplied with a sequential device identifier; one researcher collected thousands of email addresses and shared them; Auernheimer publicized the data. AT&T claimed a breach; prosecutors charged Auernheimer under the CFAA and identity‑theft statutes.

Legal issue:
Did harvesting publicly‑accessible API data (even if AT&T would have preferred it not be collected) constitute “unauthorized access” under the CFAA? Another procedural question: was the prosecution brought in the correct venue?

Holding & outcome:

Auernheimer was initially convicted. On appeal, the Third Circuit vacated the conviction — not on the core CFAA interpretation but on venue grounds (prosecution in New Jersey was improper because the defendant was not found to have committed the alleged conduct in that district). Because of the appeal and procedural posture, the CFAA merits question remained contested in that case.

The vacatur underscored the complications of applying the CFAA to data harvested from public APIs and reinforced that courts will scrutinize venue and other procedural safeguards.

Significance:

The case illustrated how prosecutions based on scraping or collecting publicly exposed data can lead to complicated disputes about authorization, venue, and prosecutorial choice.

It also reinforced the concept that not all bulk collection from poorly secured interfaces is clearly criminal under the CFAA — context and court interpretation matter.

C. Key takeaways & how courts are trending

Criminal liability for true hacking (breaking in, bypassing authentication, planting malware) remains robust. Morris‑type cases and conventional malware prosecutions are plainly within the CFAA’s reach.

Courts have pushed back on treating policy violations as criminal acts. Nosal (en banc Ninth Circuit) and Van Buren (Supreme Court) significantly limit the “exceeds authorized access” theory where someone has legitimate credentials but uses them for unauthorized purposes.

Publicly available data & scraping occupy a grey area — courts (e.g., hiQ) often protect scraping of public pages, but platform terms/technical blocking can cause disputes. Outcomes can vary across circuits and on facts (e.g., whether access was technically restricted).

Prosecutorial discretion matters a lot. High‑profile non‑violent cases (e.g., Aaron Swartz) have led to critique of overbroad charging. Reformers argue for clearer statutory language or prosecutorial restraint.

Jurisdictional & procedural issues (venue, standing) are frequently dispositive. Auernheimer shows procedural defects can end prosecutions even when the factual conduct is suspect.

D. Practical examples (what is usually criminal vs. what probably is not)

Likely criminal (classic “hacking”):

Bypassing authentication to access a system you have no permission to use (password cracking, exploiting vulnerabilities to enter an internal corporate network).

Installing malware or ransomware that damages systems or holds data for ransom.

Exfiltrating data from servers behind authentication and encryption after bypassing those protections.

Often not criminal (post‑Van Buren / Nosal logic):

Using your authorized account for a prohibited purpose (personal browsing on company computer contrary to policy) — this is normally internal discipline, not a federal crime.

Violating a website’s terms of service alone (e.g., lying about age, or using a site for a reason the terms disallow) where no technical barrier was bypassed and data scraped is public.

E. Where the law remains unsettled / watchpoints

Cross‑circuit differences: Some circuits have been more protective of scraping/business‑litigation uses than others.

APIs and “public” data: Whether an API is “public” or “protected” can be decisive. If an API requires an API key or token, courts may deem access to be restricted.

State laws and international laws: Outside the U.S., statutes (e.g., UK Computer Misuse Act) have different wording and case law, and can produce different results.

Legislative reform: After Van Buren and public controversies, there are ongoing debates about legislative clarifications to balance cybersecurity enforcement and not criminalize benign conduct.

F. Short study guide / how to read cases like these

When you read a hacking/unauthorized‑access case, focus on:

What exactly did the defendant access? (public page, protected database, admin area, etc.)

How did they get in? (technical circumvention vs. misuse of valid credentials)

What did they do with the data? (malicious use, public distribution, research, etc.)

What statutory language did the court interpret? (“without authorization” vs. “exceeds authorized access”)

Any procedural quirks? (venue problems, standing, civil‑vs‑criminal consequences)
