Interpretation of the Computer Fraud and Abuse Act (CFAA)

    Interpretation of the Computer Fraud and Abuse Act (CFAA), and similar laws, is often up for debate due to ambiguous terminology, such as "unauthorized access." This issue has come up in several recent cases. Read the article, "The Arrest of a Florida Data Scientist Demonstrates a Weird Hole in Cybercrime LawLinks to an external site.."   Briefly describe the case, including how the Florida Computer Crime Law and CFAA, are central to it. Discuss your perspective on whether the type of access Jones performed should make her guilty of unauthorized access and justify your opinion pointing to relevant components of the laws. You can also leverage the other cases presented (Briggs and Rodriguez) on both sides of this debate. Research and present one other case of unauthorized access that presents a conundrum for current computer security laws and discuss your opinion on the case. After reading a few of your classmate's postings, reply to those from which you learned something new or to which you have something constructive to add. For example:   Discuss what you learned. Ask probing questions or seek clarification. Explain why you agree or disagree with your classmate's main points, assertions, assumptions, or conclusions. Suggest research strategies or specific resources on the topic.

The core of the legal debate here, and why the Florida Computer Crime Law (which is closely related to the CFAA) is central, revolves around the interpretation of "unauthorized access." The article highlights that the username and password for the ReadyOP system were reportedly printed in a publicly accessible operations manual on the FDOH website for relevant staff. Jones, as a former employee, had previously been authorized to use these credentials. The state's argument hinged on the idea that her authorization was revoked upon her termination, even if the technical means of access (the password) remained the same and easily accessible.

The case thus spotlights the "weird hole" in cybercrime law: does "unauthorized access" refer strictly to breaking through technical barriers (like hacking a system without knowing the password), or does it extend to using authorized credentials for an unauthorized purpose or after authorization has been formally revoked (even if technical access wasn't removed)? This is precisely the ambiguity that the CFAA and similar state laws grapple with.

My Perspective on Jones's Access and Guilt

In my opinion, if Rebekah Jones did indeed send the message using credentials she had been given as an employee, but after her employment and authorization had been formally revoked, then she should be considered guilty of unauthorized access under a reasonable interpretation of the law.

Here's my justification, pointing to relevant components of the laws and leveraging other cases:

  • "Exceeds Authorized Access" vs. "Without Authorization": The CFAA and similar laws often distinguish between "accessing a computer without authorization" (like an external hacker) and "exceeding authorized access" (someone with initial permission who then goes beyond their permitted scope or purpose). The Florida Computer Crime Law, specifically Florida Statutes Section 815.06, criminalizes access with "knowledge that such access is unauthorized or the manner of use exceeds authorization."
  • The Intent of the System Owner (Organizational Policy): While Jones may not have engaged in "hacking" in the traditional sense of technical circumvention, the authorization to access a system ultimately rests with the system owner (in this case, the FDOH). When an employee is terminated, their authorization to use company resources, including computer systems, is generally revoked. The argument is that continued access, even with a valid password, is "without authorization" because the permission from the owner has been withdrawn.
  • The Van Buren v. United States Precedent: This Supreme Court case (2021) narrowed the interpretation of "exceeds authorized access" under the CFAA. The Court held that "an individual 'exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him." This ruling specifically rejected the "purpose-based" interpretation, meaning that merely using authorized access for an improper purpose is not, by itself, a CFAA violation if the areas accessed were within one's permission.
    • Application to Jones: Van Buren might seem to favor Jones initially if her argument is that she still had permission to access the system itself because the password worked. However, the Van Buren case focused on "exceeds authorized access" for current employees using data for an improper purpose. Jones was a former employee. If her overall access to the system was terminated, then any subsequent login, even with old credentials, could fall under the "without authorization" clause, rather than "exceeds authorized access." The "without authorization" prong typically covers those who were never given permission or whose permission has been explicitly revoked.
  • The United States v. Nosal (9th Circuit) Cases: These cases offer a contrast. In Nosal II, the court held that a former employee who directed others to use a current employee's password to access his former employer's system acted "without authorization." This emphasizes that when authorization is revoked, subsequent access, even through indirect means or shared credentials, can be unauthorized.
    • Application to Jones: While Jones didn't use someone else's active credentials in the same way, the Nosal cases support the idea that revocation of permission makes subsequent access unauthorized, regardless of technical difficulty.
  • Florida's Rodriguez v. State: This specific Florida case, cited by legal analyses of Florida's Computer Crime Law, stated that "someone who accesses a computer network while acting in the scope of their lawful employment cannot be found guilty under the statute." However, it also clarifies that if the access itself was not lawful, or occurred outside the scope of employment/authorization, the statute can apply. Jones was explicitly not in the scope of lawful employment.

The crucial distinction lies in whether Jones's permission to access the system at all was revoked, not just whether her purpose was improper. If her employment termination unequivocally meant an end to her authorized access, then her subsequent login, even with a known password, constitutes "without authorization." The state's failure to revoke credentials is a security lapse, but it doesn't necessarily grant a former employee perpetual authorization.

Another Conundrum: The Case of United States v. Lori Drew

One case that presented a significant conundrum for current computer security laws, specifically the CFAA, is United States v. Lori Drew (2008-2009).

Brief Description: Lori Drew, an adult mother, created a fake MySpace profile, posing as a teenage boy named "Josh Evans," to cyberbully a 13-year-old neighbor, Megan Meier. Megan had been friends with Drew's daughter and had reportedly fallen out. After online exchanges between "Josh" and Megan, "Josh" sent a message to Megan stating that "the world would be a better place without you." Megan tragically committed suicide shortly thereafter.

The Conundrum: Drew was prosecuted under the CFAA, specifically for "accessing a computer without authorization or exceeding authorized access." The prosecution argued that by creating a fake profile and violating MySpace's Terms of Service (TOS) (which prohibited false identities and harassment), Drew had "exceeded authorized access" to MySpace's computers.

My Opinion on the Case: This case presents a massive conundrum and highlights the overbreadth issue of the CFAA. In my opinion, Lori Drew should NOT have been found guilty under the CFAA.

  • CFAA's Original Intent: The CFAA was primarily designed to combat malicious hacking, espionage, and computer fraud – activities that undermine the security and integrity of computer systems. It was not intended to be a broad "internet policing" tool for enforcing website Terms of Service.
  • Terms of Service as Criminal Law: The prosecution's argument essentially elevates a website's TOS into a criminal statute. If violating a TOS constitutes "unauthorized access," then millions of people could be prosecuted under the CFAA for commonplace online activities, such as:
    • Using a fake name on social media.
    • Sharing an account password (e.g., Netflix, despite Nosal II pushing against this, it's still a real-world behavior).
    • Scraping data from a website, even if publicly available, if the TOS prohibits it.
    • Lying about age during sign-up.
    • Automating tasks on a website that the TOS disallows.
  • The Van Buren Impact: The Supreme Court's ruling in Van Buren v. United States (2021) has largely, though not entirely, resolved the Drew-like conundrum by rejecting the "purpose-based" interpretation of "exceeds authorized access." Van Buren emphasized that "exceeds authorized access" means accessing files or information that are off-limits to them, not merely using authorized access for an improper purpose that violates a policy or TOS. While Van Buren was decided long after Drew, its reasoning underscores the fundamental flaws in using the CFAA to criminalize TOS violations.
  • Alternative Legal Avenues: While Lori Drew's actions were morally reprehensible and tragically led to a child's death, the CFAA was the wrong legal tool. Laws related to cyberbullying, harassment, stalking, or even child endangerment (where applicable) would have been more appropriate for addressing the specific harm caused, rather than stretching a hacking statute to cover TOS violations.

The Lori Drew case exemplifies the dangers of broadly interpreting "unauthorized access" to encompass violations of private contractual agreements (like TOS), potentially criminalizing vast swathes of everyday internet behavior and creating a "trap for the unwary." The Van Buren decision, while not directly overturning Drew, significantly undermined the legal theory upon which Drew's conviction rested, pushing the interpretation of the CFAA back towards its original intent: preventing unauthorized intrusion into computer systems, rather than policing internal use policies or TOS.

The ambiguity of "unauthorized access" in computer crime laws like the Computer Fraud and Abuse Act (CFAA) is a central and ongoing legal debate. Let's delve into the Rebekah Jones case, analyze the implications, and examine other relevant cases.

The Rebekah Jones Case and its Centrality to Computer Crime Law

Rebekah Jones was a data scientist for the Florida Department of Health (FDOH) who helped create and manage Florida's COVID-19 dashboard. She was fired in May 2020 after publicly alleging that the state was manipulating COVID-19 data to suppress case numbers.

In November 2020, someone accessed an FDOH emergency response system called ReadyOP and sent an unauthorized text message to about 1,750 people, stating: "It's time to speak up before another 17,000 people are dead. You know this is wrong. You don't have to be part of this. Be a hero." Law enforcement traced the message to an IP address linked to Jones's home, and she was subsequently arrested and charged with illegally accessing a Florida state computer under the Florida Computer Crime Law.

Aced Essays

Free Resources

Recent Posts

Let us help

Contact Us

USA: +1 917 810-5386 
UK: +44 748 007-0908 

© 2025 ACED ESSAYS. All Rights Reserved. Aced Essays