The Computer Fraud and Abuse Act (CFAA) was originally enacted in 1986 as an anti-hacking statute aimed at preventing unauthorized intrusions into computers rather than regulating the collection or use of data. Specifically, the CFAA imposes liability when a person “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains… information from any protected computer.”
A “protected computer” is broadly defined as any computer that is used in or affects interstate or foreign commerce or communication, functionally making the statute applicable to any computer connected to the internet. This broad definition has led to controversies over how “unauthorized access” is interpreted, particularly in data scraping, security research, and employee misuse of employer systems.
CFAA Legal Updates & Clarifications
Van Buren v. United States (2021): The U.S. Supreme Court significantly narrowed the interpretation of “exceeds authorized access.” Previously, prosecutors used the CFAA to charge individuals who accessed systems for an improper purpose, even if they had legitimate credentials. The Court ruled that the CFAA only applies when someone accesses data they are not entitled to at all—not when they misuse data they have legitimate access to. This ruling weakened the CFAA’s use against employee misuse of work systems.
Web Scraping & CFAA: Courts have debated whether scraping publicly available data violates the CFAA.
hiQ Labs v. LinkedIn (2022): The Ninth Circuit ruled that scraping publicly accessible data does not violate the CFAA because public websites do not require “authorization” for access. However, scraping data that is behind a login wall, paywall, or restricted by technical barriers may still violate the CFAA.
Meta v. Bright Data (2024): Meta sued Bright Data for scraping Instagram and Facebook, arguing CFAA violations. This case will further define the limits of web scraping under CFAA.
Cybersecurity Research & CFAA: Security researchers have long faced uncertainty regarding ethical hacking, penetration testing, and vulnerability disclosure. In response, the U.S. Department of Justice (DOJ) announced in 2022 that it will not prosecute “good-faith” security research under the CFAA, protecting researchers who test and report vulnerabilities responsibly.
Criminal & Civil Liability Under CFAA
Violations of the CFAA can result in criminal charges, fines, and imprisonment. Additionally, the law allows for a private right of action, enabling victims to sue for damages.
Threshold for Private Lawsuits:
To bring a private lawsuit, a plaintiff must show:
- Loss or damage exceeding $5,000
- Physical injury or impairment to medical care
- A threat to public safety or national security
- Unauthorized access to financial, government, or medical data
Limitations of CFAA Claims:
Many web scraping lawsuits have been dismissed when data was publicly available.
Employee misuse of work systems is no longer covered unless the employee accesses data they were never permitted to see.
Key Takeaways for OSINT & Cyber Investigators
✔ Scraping publicly available data is generally legal, but scraping restricted data may violate the CFAA.
✔ Security research is protected if done in “good faith” and responsibly disclosed.
✔ Employers can no longer use the CFAA against employees for misusing internal systems unless unauthorized data access occurred.
These updates reflect the changing legal landscape around OSINT investigations, data collection, and cybersecurity practices.