The Computer Fraud and Abuse Act (CFAA) is a dinosaur in the IT world, having been enacted in 1984, the same year domain names were invented. An underlying assumption of that law was that computer networks which stretched across state lines were a rarity, and probably had something to do with national security or the federal government. Now, in 2009, that assumption seems quaint – and very problematic. You see, the CFAA is written extremely broadly, and in today’s interconnected world the Act potentially covers data exchanges as trivial as posting a photo or updating a Facebook page.
Not surprisingly, Facebook and other litigants are increasingly interested in turning up the pressure on those who access their networks for reasons other than those intended. The CFAA, which provides for civil and criminal liability in the event of access “without authorization” as well as “exceeding authorized access,” is quite a sledgehammer for those litigants. Notably, courts are not always buying into these arguments, but the prospect of criminal sanctions and a large legal bill may be deterrent enough for some.
The result? Everyone from data scrapers to employees who get in a few last downloads before leaving their worksite should think carefully before typing in that password.