The Ninth Circuit’s 2012 decision in United States v. Nosal created a circuit split regarding the interpretation of the phrase “exceeds authorized access” in the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit (since joined by the Fourth Circuit) held that one “exceeds authorized access” to a computer by violating an access restriction (e.g., do not access File X), but not by violating a use restriction (e.g., do not use the computer for non-business purposes). This interpretation conflicts with the First, Fifth, Eighth, and Eleventh Circuits, which have held that use restrictions are within the scope of “exceeds authorized access.”
This post compares the Ninth Circuit’s access-only interpretation of the CFAA with the use-and-access interpretation, and suggests these two positions are not that different. This post then discusses the alternative, code-based interpretation and recent efforts to amend the CFAA.