The Computer Fraud and Abuse Act (CFAA) is a problematic statute due, in large part, to its reliance upon ill- or un-defined core concepts of criminality. For example, the statute does not define what it means to access a computer “without authorization.” Scholars commonly attempt to cure such definitional deficiencies by interpreting “authorized access” through reference to physical trespass paradigms. We argue that this framing fundamentally misunderstands the nature and severity of computer intrusion harms. A product of the physical world, trespass is an ill-suited proxy for modern information security harms. While Congress lacked the benefit of a robust security community to inform its crafting of the CFAA in 1986, today’s security paradigms offer better material guidance in definitions and principles. As such, we propose a definitional reframing of the CFAA around the fundamental information security triad of Confidentiality, Integrity, and Availability (“CIA”). That reframing, in turn, highlights a need to eliminate the current civil provisions of the CFAA, while it illustrates an equally urgent need for new, targeted CFAA provisions to address botnets and government employees who abuse positions of trust.
Stephanie Pell is an Assistant Professor and Cyber Ethics Fellow at West Point’s Army Cyber Institute (ACI). She writes about privacy, surveillance and security law and policy, and is particularly interested in the tensions inherent in enabling traditional law enforcement efforts and making our communications networks more secure. Prior to joining the ACI faculty, Stephanie served as Counsel to the House Judiciary Committee, where she was lead counsel on Electronic Communications Privacy Act (ECPA) reform and PATRIOT Act reauthorization during the 111th Congress. Stephanie was also a federal prosecutor for over fourteen years, working as a Senior Counsel to the Deputy Attorney General, as a Counsel to the Assistant Attorney General of the National Security Division, and as an Assistant U.S. Attorney in the U.S. Attorney’s Office for the Southern District of Florida. She was a lead prosecutor in U.S. v. Jose Padilla (American Citizen detained as an enemy combatant prior to criminal indictment and trial), for which she received the Attorney General’s Exceptional Service Award, and in U.S. v. Conor Claxton (IRA operatives who purchased weapons in South Florida and smuggled them into Belfast, Northern Ireland during peace process negotiations). Stephanie received her undergraduate, master’s and law degrees from the University of North Carolina at Chapel Hill.