New draft article, "Norms of Computer Trespass"


I have posted a draft of a new article, Norms of Computer Trespass, forthcoming in the Columbia Law Review. The article addresses a recurring problem in computer crime law: What is unauthorized access? The article tries to answer that question at a conceptual level, and along the way resolves a lot of the hard cases courts have encountered in applying the Computer Fraud and Abuse Act.

Here's the abstract:

Federal and state laws prohibit computer trespass, codified as a ban on unauthorized access to a computer. In the last decade, however, courts have divided sharply on what makes access unauthorized. Some courts have interpreted computer trespass laws broadly to prohibit trivial wrongs such as violating Terms of Service to a website. Other courts have limited the laws to harmful examples of hacking into a computer. Courts have struggled to interpret authorization because they lack an underlying theory of how to distinguish authorized from unauthorized access.

This Essay offers such a theory. It contends that authorization is inherently contingent on social norms. Starting with trespass in physical space, it shows how concepts of authorization necessarily rest on shared understandings of what technologies and its users are allowed to do. Norms classify the nature of each space, the permitted means of access, and the permitted context of access. This idea, applied to the Internet, readily answers a wide range of difficult questions of authorization under computer trespass laws such as the Computer Fraud and Abuse Act. It shows that the open norms of the web authorize most kinds of web use. On the other hand, the closed norms of authentication limit use of canceled or shared accounts. Properly understood, the norms-based nature of trespass does not render unauthorized access laws uncertain. To the contrary, the lines to be drawn become surprisingly clear once you identify the correct norms of computer usage.

Comments very welcome, as always.