What is “Unauthorized” Access.
Consider that the CFAA will penalize conduct (assuming that it constitutes “access”) that is “unauthorized.” And access might be considered unauthorized if it is either without authorization or exceeds authorization. Notice that authorization may be given by (a) code, e.g., a password (b) contract, e.g., terms of use, or an employment manual or employment agreement, or (c) norms, e.g., widely shared expectations. (see p. 39-42)
Be prepared to discuss Van Buren v. United States and its implications beyond contract-based “authorized access” — What about the curious law firm associate (note 2, p. 62)? What about the scenarios A through H, at pp. 62-63? What about the MySpace Suicide case (US v. Drew)?
How might you rewrite the CFAA to cover the conduct of Mr. Van Buren (or any of the other actors in the scenarios discussed whom you might think to be “deserving” of punishment) while NOT covering the other actors, if any, whom you might believe do not deserve to be punished.
Would you be prepared to make ALL the actors in A through H potentially liable (as well as the curious law firm associate, and Lori Drew)—by introducing legislation that would reverse Van Buren— and then trust to the good sense and good faith of prosecutors to exercise their discretion in deciding whether to charge anyone (and then to charge only the “bad” actors).