Hacking, Unauthorized Access, And Computer System Disruption
Quick legal primer
Most U.S. federal prosecutions for “hacking” rely on the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030). Typical legal concepts:
Access = obtaining entry to a computer, system, or data.
Unauthorized access = accessing a computer without permission.
Exceeds authorized access = accessing a computer with permission but using that permission to obtain information or do acts the user was not permitted to do. (How this phrase is read is central in modern cases.)
Transmission that damages / causing impairment = interfering with or disrupting a system, damaging its integrity, or causing loss. The CFAA criminalizes intentional, reckless, or negligent conduct in different subsections.
Elements vary by subsection (e.g., intentional access without authorization, obtaining information, causing damage > $5,000 in some contexts, trafficking in passwords, extortion, etc.). States have similar statutes with different language.
Two legal fights recur across the cases:
What counts as “without authorization” or “exceeds authorized access”? (Is violating company rules criminal, or only bypassing technical barriers?)
When is data scraping / automated collection criminal vs. civil? (Consent, technical barriers, cease-and-desist letters matter.)
Five leading cases (detailed)
1) United States v. Morris, 928 F.2d 504 (2d Cir. 1991) — the Morris worm case
Facts: Robert Tappan Morris wrote and released a self-replicating program (the “Morris worm”) in 1988 that infected thousands of computers on the nascent Internet. Its replication and payload caused many systems to slow or become unusable — significant disruption.
Legal issue: Did Morris violate the CFAA (and predecessor federal statutes) by releasing code that caused damage to “protected computers” on the Internet?
Holding & reasoning: The Second Circuit upheld convictions under the relevant federal computer and fraud statutes. The court treated the worm’s spread and the resulting disruption/damage as falling within the statute’s reach because Morris intentionally caused unauthorized access and damage to other systems. The opinion emphasized that sending self-replicating code that damages or impairs operation is criminally punishable.
Why it matters: Morris is the earliest major criminal prosecution under federal computer-crime law. It established that releasing self-replicating malware that damages systems is a federal crime, and courts will treat large-scale network disruption as falling squarely under federal statutes. The case also sparked calls for clearer legislation and definitions — contributing to later refinement of the CFAA.
Practical takeaway: Writing/distributing code that will replicate and impair systems, even as “proof of concept,” can produce criminal liability if it causes damage or unauthorized access.
2) United States v. Nosal (en banc), 844 F.3d 1024 (9th Cir. 2016) — limits on “exceeds authorized access”
Facts: David Nosal enlisted former colleagues to use current employees’ login credentials to pull confidential data from a former employer’s computer system for a competing business. The employer prohibited that use by policy.
Legal issue: Does the CFAA’s phrase “exceeds authorized access” cover pure violations of an employer’s access-use policies — i.e., is using legitimately obtained credentials for an improper purpose a CFAA felony?
Holding & reasoning: The Ninth Circuit sitting en banc held that the CFAA’s phrase “exceeds authorized access” does not criminalize violations of use policies alone. The court read the statute narrowly: it applies when someone accesses areas of a computer (files, folders, databases) that are off-limits — not simply when someone with legitimate access uses that access in the wrong way. The court rejected reading the CFAA to reach ordinary policy violations (which would criminalize large swathes of conduct, e.g., employees checking personal email against company policy).
Why it matters: Nosal curtailed overbroad criminalization under the CFAA — the ruling protected employees and third parties from felony exposure simply for violating internal rules. It forced prosecutors to plead concrete technical or access-based violations (e.g., logging in with a stolen credential, circumventing access controls), not merely policy breaches.
Practical takeaway: Violating an employer’s acceptable-use policy is often a civil or employment issue; it will be criminal under CFAA only when the defendant accessed parts of the system they were technically barred from accessing or used someone else’s credentials or bypassed technical controls.
3) Van Buren v. United States, 593 U.S. ___ (2021) — Supreme Court narrows “exceeds authorized access”
Facts: A police officer asked a fellow officer to run a license-plate search for pay. The officer had legal access to law-enforcement databases for official work, but he queried the database for an improper private purpose in exchange for money. He was charged under the CFAA for “exceeding authorized access.”
Legal issue: Does “exceeds authorized access” criminalize an individual who has legitimate access to a computer system but uses that access for an improper purpose?
Holding & reasoning: The U.S. Supreme Court (6–3) held that “exceeds authorized access” applies only when someone accesses areas of a computer that are off-limits (i.e., parts of a database the user is not entitled to access). The Court rejected the government’s reading that would make criminal any misuse of legitimately accessible information. The majority emphasized avoiding an interpretation that would criminalize routine workplace policy violations and minor transgressions.
Why it matters: Van Buren is the controlling Supreme Court precedent on the phrase “exceeds authorized access.” It largely adopted the narrower approach earlier favored by Nosal’s en banc panel and foreclosed prosecutions based on misuse of legitimately available data (absent access restrictions). It constrains prosecutors: to charge under that CFAA clause, they must show the defendant accessed data they were not permitted to access (not merely used permitted access improperly).
Practical takeaway: The boundary between criminal and civil/administrative violations lies in what parts of the system you could access, not merely what you did with the information once accessed. Van Buren protects many common employee-misuse scenarios from criminal CFAA exposure.
4) Facebook, Inc. v. Power Ventures, Inc. (Ninth Circuit, various opinions culminating circa 2016) — aggregator access & cease-and-desist
Facts: Power Ventures ran a service that allowed users to view all their social-media accounts, including Facebook, via an aggregator. Users voluntarily provided their Facebook credentials. Facebook used technical measures to block Power’s IPs and sent cease-and-desist letters and demands to stop. Power continued to access Facebook on behalf of users, sometimes by having users provide credentials or cookies.
Legal issue: Does continuing to access a website after it has sent a cease-and-desist or blocked IP addresses render the access “without authorization” under the CFAA? Is using consenting users’ credentials on a third-party service criminal?
Holdings & reasoning (short version): Courts in the Ninth Circuit held that:
If a website uses technical measures (blocking IPs, invalidating cookies) and a third party circumvents those measures to access the site, that access can be “without authorization” under the CFAA.
Also, continuing to access after an unambiguous technical block or after explicit and effective communication (e.g., a valid cease-and-desist combined with active blocks) can make previously permitted access into unauthorized access.
Power Ventures survived some early rulings, but ultimately the Ninth Circuit (en banc direction and later rulings) found liability under certain circumstances where the defendant circumvented technical access controls or ignored explicit denial of access.
Why it matters: Power Ventures shows that technical access controls and affirmative denial of access (e.g., blocking IPs, invalidating tokens) are powerful evidence that later access is unauthorized. It contrasts with the Van Buren/Nosal line (which concerns misuse of permitted access) — here the defendant is violating technical or expressly rescinded authorization.
Practical takeaway: If a website blocks you technically (or tells you unequivocally to stop and deploys technical blocks), continuing to access it can create CFAA exposure even if users gave consent earlier.
5) United States v. Auernheimer (aka “Weev”), 748 F.3d 525 (3d Cir. 2014) — scraping publicly accessible data; conviction vacated on venue grounds
Facts: Andrew Auernheimer (Weev) discovered that AT&T’s website exposed iPad users’ email addresses in a predictable URL (no login required). Auernheimer wrote a script to iterate over device IDs, collected many email addresses, and publicized the finding. AT&T’s page returned subscribers’ emails when queried with certain values. Auernheimer was charged under the CFAA, among other statutes, and convicted in the District of New Jersey.
Legal issue: Did Auernheimer “access” a protected computer without authorization under the CFAA? (Additionally, was the New Jersey venue proper?)
Holding & reasoning: On appeal, the Third Circuit vacated Auernheimer’s conviction — but not on the CFAA merits. The court held that the venue (trial in New Jersey) was improper: Auernheimer was not found to have committed the criminal acts in New Jersey, so trying him there violated venue rules. The court did not squarely resolve the CFAA merits; it left open important questions about whether access to a publicly reachable web page, even when collection is abusive, can constitute “without authorization.” The prosecution did not later retry him on the same charge in a different venue (and civil suits and reputational fallout continued).
Why it matters: Auernheimer raised the tension around scraping publicly available data: if a website exposes data without authentication, is collecting it criminal? Auernheimer’s conviction being vacated on procedural grounds left that legal question unresolved in the Third Circuit, but the case signals prosecutorial interest in treating large-scale scraping as potentially criminal when done to embarrass or expose poor security.
Practical takeaway: Collecting large amounts of publicly accessible data can still lead to criminal prosecution depending on how courts read “authorization,” how the data owner responds, and venue issues. Where data is truly public and there are no technical access controls, criminal liability is less clear — but persistent, large-scale, abusive scraping can attract enforcement actions (civil and criminal).
Short comparative summary & practical rules of thumb
If you bypass technical access controls (passwords, IP blocks, authentication tokens) to get data, courts are likely to treat that as unauthorized access (Morris; Power Ventures).
If you have legitimate technical access but use it for a forbidden purpose, the Supreme Court in Van Buren and the Ninth Circuit in Nosal say that’s generally not criminal under the CFAA’s “exceeds authorized access” clause — unless you accessed parts of the system you were explicitly barred from.
Cease-and-desist + technical blocking matters. If the owner revokes access (especially via technical means) and you continue, you risk criminal liability.
Large-scale disruption/damage is plainly criminal. Creating malware that degrades service or destroys data is a classic, provable CFAA violation (Morris).
Scraping public data sits in a grey zone. If data is truly publicly served (no auth, no technical limiters), criminal risk is lower — but abusive scraping, circumventing even minimal technical barriers, or combining scraping with fraud can trigger criminal charges (Auernheimer, Power Ventures tension).
How courts treat intent and damage
Intent matters for many CFAA subsections — knowingly or intentionally causing damage and negligent acts carry different consequences.
Damage thresholds (for certain subsections) may require showing loss over $5,000, interruption of service, or risk to national security (varies by subsection).
Civil remedies under the CFAA (private right of action) also exist — so even where criminal charges fail, civil suits can follow.
