The Computer Fraud and Abuse Act (CFAA) is the sort of broadly worded criminal statute which gives white-collar prosecutors considerable power—and makes defense counsel and judges uneasy. The law prohibits obtaining information by “access[ing] a computer without authorization or exceed[ing] authorized access.” Computer hacking—“access[ing] a computer without authorization”—clearly violates the law. But the meaning of the other operative words, “or exceed[ing] authorized access,” is not so clear.

The different ways of interpreting the statute have led to a split in the Courts of Appeals. Four Circuits have read the statute broadly: An individual “exceeds authorized access” when she accesses a computer and obtains information for an improper purpose, even if the person’s access to the information is authorized. Four other circuits have read the statute narrowly: An individual “exceeds authorized access” only if she obtains information that she is not allowed to access, even if the purpose is improper. In practical terms, if a company Human Resources officer peeks at sensitive information out of idle curiosity, not because of work, would that be a crime because of the improper purpose, or would it not be a crime because the HR officer had the authority to review personnel files?