Available, Granted, Revoked: A New Framework for Assessing Unauthorized Access Under the Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) criminalizes a broad range of conduct related to the compromise of computer systems. Specifically, the CFAA prohibits unauthorized access to computer systems, defining such access as that which occurs “without authorization” or in a manner that “exceeds authorized access.” Courts interpreting the meaning of unauthorized access under the CFAA have diverged into two camps. On one side, proponents of the broad approach argue that the CFAA unauthorized access inquiry should focus on access purpose, assessing whether a given access was conducted for a purpose authorized by the computer owner. On the other side, proponents of the narrow approach argue that the relevant inquiry should instead be permission focused, looking only at whether the computer owner had granted the accesser permission to access the computer (without regard for why the computer was accessed).

This Comment proposes a three-step framework for assessing CFAA unauthorized access that will resolve the present circuit split. Leveraging concepts from CFAA case law and offering applicability across a wide range of factual and technological contexts, this Comment’s Available-Granted-Revoked (AGR) Framework sequentially evaluates (1) whether the computer in question is publicly available or private; (2) whether the computer’s owner had, at any point, granted the accesser permission to access the computer; and (3) whether the computer owner had affirmatively revoked the accesser’s permission, if any, prior to the purportedly unauthorized access. By adopting the Available-Granted-Revoked Framework, courts will be able to effectively advance the interests underlying both sides of the current circuit split and bring clarity to a persistent legal ambiguity.