The Computer Fraud and Abuse Act (CFAA) criminalizes the simple act of trespass upon a computer—intentional access without authorization. The law sweeps too broadly, but the courts and scholars seeking to fix it look in the wrong place. They uniformly focus on the term “without authorization” when instead they should focus on the statute’s mens rea. On a conceptual level, courts and scholars understand that the CFAA is a criminal law, of course, but fail to interpret it comprehensively as one.
This Article begins the first sustained treatment of the CFAA as a criminal law, with a full elaboration of the appropriate mens rea based upon congressional intent, cognate state criminal trespass statutes, and recent Supreme Court guidance on federal mens rea in general. A fully realized mens rea sweeps away many of the unjust potential applications of the CFAA on a far more principled basis than does a focus on, and re-writing of, “without authorization.”
My interpretative approach limits unjust applications of the provision, but many will remain. In a coda, I briefly show why we should likely abolish the trespass provision of the CFAA. The flaws of the CFAA, such as criminalizing ordinary and innocent behavior and arbitrary enforcement, flow from the same pathologies already inherent in criminal trespass law.