Curious which routine actions can trigger federal charges? You may think probing a login or testing a system is harmless. But federal statutes and decades of case law draw clear lines.
The Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030, makes unauthorized access, fraud to obtain information, and malware distribution prosecutable offenses. Courts have expanded and refined that reach through landmark cases like United States v. Morris and Van Buren.
Most modern devices — laptops, phones, and servers — count as protected computers because they affect interstate commerce. That means simple acts can lead to fines, restitution, and prison exposure when prosecutors stack counts like wire fraud or identity theft.
Read this guide to get clear, plain-language rules on what crosses the line, what defenses matter, and how to document authorization. For an extra legal primer on where this conduct meets criminal law, see where this conduct is illegal.
Key Takeaways
- The CFAA (18 U.S.C. § 1030) criminalizes unauthorized access and related computer offenses.
- Most devices qualify as protected computers due to interstate communications.
- Charges can include fraud, damage via malware, and denial-of-service attacks.
- Penalties range from fines and restitution to prison, often with stacked counts.
- Authorized testing differs legally from permissionless probing — document consent.
Understanding the Computer Fraud and Abuse Act (18 U.S.C. § 1030) in the United States
Congress created a federal statute in 1986 to target computer misuse that older fraud laws could not reach. That law, codified as 18 U.S.C. § 1030, centralizes rules for federal computer offenses when activity crosses state lines or touches federal systems.
What the CFAA covers
The statute covers unauthorized access, theft of information, and damage to systems. It applies when activity affects interstate or foreign commerce, which brings many ordinary computers and phones into federal view.
How “protected computer” is defined
Section §1030(e)(2) defines a protected computer to include devices used in or affecting interstate commerce. That means most internet‑connected computers and smartphones qualify, so federal jurisdiction often applies.
Key amendments and expansion
Congress updated the law across several years: 1989, 1994, 1996, 2001 (PATRIOT Act), 2002, and 2008. Those revisions added denial‑of‑service, malicious code, password trafficking, and conspiracy liability, letting prosecutors and companies pursue criminal and civil remedies.
| Year | Amendment | Primary effect | Related term |
|---|---|---|---|
| 1986 | Original enactment | Centralized federal computer rules | u.s.c. 1030 |
| 2001 | PATRIOT Act | Broadened jurisdiction and penalties | federal computer |
| 2008 | Identity Theft Act updates | Expanded restitution and liability | protected computer |
Hacking is illegal under federal law: core offenses prosecutors charge
Prosecutors build charges around clear conduct categories that the CFAA and later amendments target. Below are the core offenses you will see in most federal computer cases and the factual markers that trigger charges.
Unauthorized access and exceeding authorized access (§1030(a)(2))
§1030(a)(2) criminalizes intentional access without authorization or exceeding authorized access to pull information from protected computers, government systems, or financial records. Courts now focus on crossing technical or policy boundaries rather than motive.
Computer fraud to obtain value (§1030(a)(4))
Section §1030(a)(4) targets access with intent to defraud to obtain anything of value. When fraud and data theft overlap, prosecutors stack computer fraud with wire fraud and identity theft.
Damage, malware, and denial‑of‑service (§1030(a)(5))
This provision covers transmitting destructive code, reckless damage through access, and intentional acts that cause measurable loss. DDoS-for-hire and destructive malware fall here.
Password trafficking and extortion (§1030(a)(6)-(7))
Trafficking in credentials that affect interstate commerce and extortion threats tied to data or system damage are separate offenses. Conspiracy liability under §1030(b) can apply even when intrusions fall short.
- Common markers: logs showing credential misuse, bypassed IP blocks, and mass extraction scripts.
- Related charges often include credit card or identity theft counts when payment or personal data appears.
- For a legal primer on jurisdictional boundaries, see where this conduct is illegal.
Penalties, felony exposure, and sentencing factors under the CFAA
Sentencing under the CFAA depends on measurable loss, targeted systems, and aggravating facts. Under 18 U.S.C. §1030(c), penalties scale with conduct and the harm caused. Amendments raised exposure for damage and extortion tied to protected computers.
Misdemeanor vs. felony thresholds
Courts separate misdemeanors from felonies by loss amounts, number of victims, and whether critical systems (medical, government) were affected.
Loss includes response costs, downtime, and forensic fees — items prosecutors use to push cases into felony ranges.
Fines, prison terms, and stacked charges
Typical sentencing elements: fines, restitution, and prison years that rise with intent and repeat conduct.
- Penalties under §1030(c) vary by offense and harm; amendments and the 2008 Identity Theft Enforcement and Restitution Act increased maximums.
- Related federal charges — wire fraud, aggravated identity theft, and credit‑related fraud — often add years and restitution exposure.
- Aggravated identity theft can carry mandatory time that runs consecutive to base sentences.
Prosecutors quantify harm using logs, downtime metrics, and incident reports. Early cooperation, rapid remediation, and documented costs can reduce penalties and improve plea outcomes. For a deeper legal primer, see this guide on legal exposure.
Landmark computer hacking cases shaping how the law is applied
Key appellate rulings have clarified where the law draws boundaries around computer access and related offenses. These decisions show how courts treat damage, authorization, and data collection.
United States v. Morris
The Morris worm case (2d Cir. 1991) affirmed a conviction after a self‑propagating program impaired many systems. Courts treated the outage and cleanup costs as damage, prompting Congress to refine the statute’s language.
United States v. Nosal
Nosal split the analysis. Violating a website’s terms of service alone did not create a federal crime. But using an employee’s credentials against employer rules can count as without authorization.
Van Buren v. United States
The Supreme Court narrowed the phrase “exceeds authorized access.” The ruling targets access to off‑limits areas of a computer, not improper motives for viewing allowed information.
Scraping and access blocks
Courts differ on automated scraping. In Craigslist v. 3Taps and Facebook v. Power Ventures, continued scraping after IP bans or cease‑and‑desist letters led to CFAA liability. hiQ v. LinkedIn found public page scraping lawful. After Van Buren, the Ninth Circuit reaffirmed limits and remanded questions tied to u.s.c. 1030.
| Case | Year | Key holding | Practical rule |
|---|---|---|---|
| United States v. Morris | 1991 | Propagation caused actionable damage | Outage and cleanup costs can trigger liability |
| United States v. Nosal | 9th Cir. | TOS violations alone not CFAA | Credential misuse may be unauthorized |
| Van Buren v. United States | 2021 | “Exceeds authorized access” narrowed | Focus on prohibited areas, not motive |
| hiQ / Power / 3Taps | 2010s–2020s | Scraping rulings vary by access controls | Respect IP blocks, auth walls, and cease notices |
Takeaway: honor revocation signals and avoid bypassing technical blocks. If you need context on investigative methods and government practice, see the EFF’s analysis at EFF deep dive on law enforcement.
Legal vs. illegal: authorized testing, bug bounties, and research that stay within the law
Clear permission and narrow scope separate lawful tests from criminal exposure. You should only test with written authorization that lists targets, timing, and allowed techniques. That written consent protects both you and the organization from fraud charges or government scrutiny.
Professional penetration testing follows a Statement of Work, defined Rules of Engagement, and an escalation path for critical findings. Common lawful tests include OWASP‑aligned web app checks, infrastructure reviews, mobile assessments, and timed red team exercises that simulate real attacks.
Bug bounty programs offer safe‑harbor when policies permit tests and require responsible disclosure. Platforms and vendors like Twitter and Facebook pay for verified reports and reduce legal risk with clear timelines and non‑retention rules.
- Only test with explicit written permission that names systems and allowed tools.
- Log activity, follow change control, and keep communication channels open.
- Use passive research and honeypots to study attacker behavior without touching live assets.
- Minimize data access, redact PII, and document consent to support criminal defense if needed.
When in doubt, involve counsel to draft safe‑harbor terms and coordinated disclosure timelines. For a legal primer on authorization and related defenses, see when is hacking illegal and legal.
Protect your rights and systems: act now to reduce risk and strengthen your defense
A clear policy, tested controls, and legal counsel cut exposure to federal criminal and civil claims.
Document who may access computer assets and classify sensitive data. Publish an Authorized Testing Policy and offer a safe‑harbor bug bounty when appropriate.
Practical defenses: require written consent for any security testing, log IP blocks and cease notices as revocation signals, and enforce MFA and least privilege to limit damage.
Prepare an incident plan that preserves evidence, quantifies loss (downtime, forensics, containment), and coordinates criminal defense and counsel for fraud or felony charges.
Act now: engage security and legal teams to align authorization, policy, and controls before an incident forces costly fines, restitution, or prison exposure.
0 Comments