The CFAA criminalized “exceeding allowed access” to a computer in 1986, and these rules reflect a newly constrained interpretation of the term. As writer and law professor Orin Kerr said in 2021, there’s been a decades-long debate about whether someone can “beyond” their access by breaking any network or computer owner’s rules — or if they must access specifically off-limits systems and information. The former approach has resulted in cases such as US v. Drew, in which prosecutors accused a woman of creating a phony Myspace profile. The Supreme Court favored the latter version, and the Department of Justice now does as well.
