Web And Internet Policy

This Essay develops an approach to interpreting computer trespass laws, such as the Computer Fraud and Abuse Act, that ban unauthorized access to a computer. In the last decade, courts have divided sharply on what makes access unauthorized. Some courts have interpreted computer trespass laws broadly to prohibit trivial wrongs such as violating terms of use to a website. Other courts have limited the laws to harmful examples of hacking into a computer. Courts have struggled to interpret authorization because they lack an underlying theory of how to distinguish authorized from unauthorized access.
This Essay argues that authorization to access a computer is contingent on trespass norms—shared understandings of what kind of access invades another person’s private space. Judges are unsure of how to apply computer trespass laws because the Internet is young and its trespass norms are unsettled. In the interim period before norms emerge, courts should identify the best rules to apply as a matter of policy. Judicial decisions in the near term can help shape norms in the long term. The remainder of the Essay articulates an appropriate set of rules using the principle of authentication. Access is unauthorized when the computer owner requires authentication to access the computer and the access is not by the authenticated user or his agent. This principle can resolve the meaning of authorization before computer trespass norms settle and can influence the norms that eventually emerge.