Reevaluating the Computer Fraud and Abuse Act: Amending the Statute to Explicitly Address the Cloud

October 31, 2017


Cloud-computing systems from companies such as Apple, Google, and Microsoft can run on multiple types of devices, such as laptops, tablets, and smartphones, and can sync data across these devices. Many consumers initially invest in several of these products, then later choose to upgrade and purchase the newest models, resulting in the same cloud-computing accounts syncing to a variety of gadgets.

This Note seeks to answer the question whether an individual violates the Computer Fraud and Abuse Act (CFAA), an antihacking statute passed by Congress in 1986, when she accesses data that is on a device only because it is stored in the cloud, after receiving authorization to use the device for other purposes like internet browsing. To do so, this Note first traces the CFAA’s history and explores the four approaches to interpreting authorization under the Act adopted by different courts of appeals. Next, this Note argues that although the CFAA is widely interpreted in the employment context, courts can still analyze an individual’s access to data on a cloud-computing system through the CFAA lens as the Act is currently written. This Note then applies each CFAA approach to a scenario involving the cloud.

Under the current interpretations of authorization, instances where an individual harmlessly accesses the cloud data of another user could be classified as hacking and a violation of this federal statute. As such, this Note demonstrates that all of the current interpretations of the CFAA are too broad because they could result in this nonsensical outcome. This Note accordingly proposes an amendment to the CFAA specifically addressing user access to data on the cloud. Such an amendment would eliminate the unusual result of innocuous cloud-computing users being deemed hackers under federal law.

November 2017

No. 2