Computer crime statutes prohibit accessing a computer without “authorization.” In recent years, this element has attracted considerable controversy, with some courts expressing concern that “authorization” is so indeterminate that the Computer Fraud and Abuse Act (“CFAA”) is void for vagueness. This Article argues that “authorization” under the CFAA has the same meaning as authorization under criminal physical trespass laws. This approach is more straightforward than the alternatives currently offer, and it aligns with Congress’s announced intention to bring physical trespass law to computer networks. Although interpreting “authorization” under the CFAA can be difficult, near-identical difficulties also arise in the context of physical trespass. As a result, questions under the CFAA can be resolved by looking to the resolution of similar questions in the context of physical trespass. In addition, because both physical trespass and the CFAA require proof that the defendant knew his access was unauthorized, the merits of a void-for-vagueness challenge to computer trespass rise and fall with the merits of a similar challenge to physical trespass. Given the pedigree of the latter, a constitutional challenge to the former seems questionable.
Citation
Aditya Bamzai & Josh Goldfoot, A Trespass Framework for the Crime of Hacking, 84 George Washington Law Review, 177–1499 (2016).