What Is the CFAA?
The Computer Fraud and Abuse Act (CFAA) is a United States federal law enacted in 1986 — yes, before the commercial internet existed — that defines criminal offenses related to computer hacking and unauthorized access to computer systems. It's found at 18 U.S.C. § 1030, and it covers everything from accessing a government mainframe without authorization to cracking a neighbor's WiFi password.
The law was originally passed to address a narrow concern: protecting government computers from unauthorized access. But through a series of amendments over the decades, Congress dramatically expanded its reach. Today, the CFAA is the primary federal statute used to prosecute computer crimes of all kinds, including WiFi hacking, network intrusion, password trafficking, and even creating malware that damages computer systems.
The Department of Justice has historically interpreted the CFAA broadly. As a result, conduct that many people consider minor or victimless, like logging in with credentials a former employer never revoked, or reaching into a part of a business system your role does not cover, can be charged as a federal crime. (The Supreme Court's 2021 Van Buren decision, discussed below, trimmed the second category: misusing access you legitimately have is no longer "exceeding authorized access," but reaching into areas you were never given access to still is.)
What the CFAA Prohibits (18 U.S.C. § 1030)
The statute lists seven distinct offenses. Here's what it actually prohibits:
- Subsection (a)(1): Knowingly accessing a computer without authorization or exceeding authorized access, obtaining information that the government has determined requires protection against disclosure for national defense or foreign relations (classified or restricted data), and willfully communicating or retaining it. Penalties are up to 10 years in prison for a first offense and up to 20 for a repeat offense.
- Subsection (a)(2): Accessing a computer without authorization or exceeding authorized access to obtain information from any department or agency of the United States, from any financial institution, or from any "protected computer" (defined as any computer used in interstate commerce — which effectively means nearly all computers).
- Subsection (a)(3): Accessing a non-public government computer that is exclusively for government use, or a computer used by or for the government, without authorization.
- Subsection (a)(4): Knowingly and with intent to defraud, accessing a "protected computer" without authorization or exceeding authorized access to further a fraud and obtain anything of value.
- Subsection (a)(5): Knowingly transmitting a program, information, code, or command that damages a protected computer; or intentionally accessing a protected computer without authorization and causing damage.
- Subsection (a)(6): Knowingly, and with intent to defraud, trafficking in passwords or similar information through which a computer may be accessed without authorization, where the trafficking affects interstate or foreign commerce or the computer is used by or for the U.S. government.
- Subsection (a)(7): Threatening to damage a protected computer to extort money or anything of value.
The key phrase throughout is "without authorization or exceeding authorized access." These terms are central to understanding what makes WiFi hacking illegal.
Key Terms: "Exceeds Authorized Access" and "Intentionally Accesses"
The CFAA's two most contested phrases are "without authorization" and "exceeds authorized access." Courts have split for years on what these actually mean, and understanding the distinction is critical for anyone working in security testing.
"Without Authorization"
This one is relatively straightforward: if you access a system, network, or resource that you have no permission to access at all — ever — you're without authorization. Connecting to a secured WiFi network you never asked to join, with no invitation from the owner, is accessing it "without authorization."
"Exceeds Authorized Access"
This phrase is far more contentious. It refers to someone who has some legitimate access but then obtains information their authorization does not cover. For years many courts read it broadly: an employee authorized to read a customer database who copied credit card numbers out of it to sell them was said to "exceed authorized access" because the purpose, not the access, was unauthorized.
The Supreme Court rejected that reading in Van Buren v. United States (2021). It held that "exceeds authorized access" covers only obtaining information from areas of a computer (files, folders, databases) that the person's access does not extend to, not using authorized access for an improper purpose. The Court left open whether the limits on access can be set by contract or policy or must be technical (a question that matters for terms-of-service cases). This was a significant narrowing of the law that reduces criminal exposure for insiders who misuse data they were allowed to reach, but it does nothing for someone who had no authorization to begin with.
"Intentionally Accesses"
Most CFAA violations require that the defendant "intentionally accesses" a computer without authorization. This means you have to knowingly and deliberately access the system — accidentally connecting to the wrong network or stumbling into an open WiFi hotspot isn't typically enough for criminal liability (though civil liability might still apply). However, if you deliberately probe a network, even one with weak security, courts have found this satisfies the intent requirement.
Penalties: Misdemeanor vs. Felony
CFAA penalties, set out in 18 U.S.C. § 1030(c), vary with the subsection violated, whether the defendant has a prior conviction under the statute, and the harm caused. Here is a summary table (maximum terms of imprisonment; fines can be imposed in addition):
| Violation | First Offense | Repeat Offense | Classification |
|---|---|---|---|
| §1030(a)(1) — Government/classified data | Up to 10 years | Up to 20 years | Felony |
| §1030(a)(2) — Obtaining info from protected computer | Up to 1 year* | Up to 10 years | Misdemeanor / Felony |
| §1030(a)(3) — Non-public government computer | Up to 1 year | Up to 10 years | Misdemeanor / Felony |
| §1030(a)(4) — Fraud / obtaining value | Up to 5 years | Up to 10 years | Felony |
| §1030(a)(5)(A) — Intentional damage | Up to 10 years† | Up to 20 years | Felony |
| §1030(a)(5)(B) — Unauthorized access, reckless damage | Up to 5 years† | Up to 20 years | Felony |
| §1030(a)(5)(C) — Unauthorized access causing damage and loss | Up to 1 year | Up to 10 years | Misdemeanor / Felony |
| §1030(a)(6) — Password trafficking | Up to 1 year | Up to 10 years | Misdemeanor / Felony |
| §1030(a)(7) — Extortion via threat | Up to 5 years | Up to 10 years | Felony |
* A first offense under (a)(2) rises to a felony with up to 5 years if it was committed for commercial advantage or private financial gain, in furtherance of another criminal or tortious act, or if the information obtained is worth more than $5,000. This enhancement applies to (a)(2) only, not to (a)(3) or (a)(6).
† The 10- and 5-year terms for (a)(5)(A) and (a)(5)(B) require one of the statutory harm factors in § 1030(c)(4)(A)(i), most commonly aggregate loss of at least $5,000 in a one-year period; damage that misses every factor is a misdemeanor with up to 1 year. An (a)(5)(A) offense that knowingly or recklessly causes serious bodily injury carries up to 20 years, and one that causes death can be punished by life imprisonment.
In addition to criminal penalties, § 1030(g) creates a private right of action: a victim can sue in civil court for compensatory damages and injunctive relief even if no criminal charge is ever brought. The plaintiff must show one of the same harm factors that drive the felony thresholds, usually at least $5,000 in aggregate loss within a year, and must file within two years of the act or of discovering the damage.
The "Authorization" Requirement — When WiFi Access Is Unauthorized
The most practically important question for WiFi security professionals is: when is accessing a WiFi network "without authorization"?
The answer is more nuanced than most people assume. The CFAA doesn't say "any WiFi network you don't pay for." It says unauthorized access to a "protected computer." A protected computer is any computer used in interstate commerce — which includes virtually every commercial WiFi network and most home routers connected to an ISP.
Consider these scenarios:
- War driving and connecting to an open coffee shop WiFi: Generally not a CFAA violation because the network was intentionally left open for public use. But capturing other users' traffic on that network without consent may implicate the Wiretap Act (18 U.S.C. § 2511). The Ninth Circuit held in Joffe v. Google (2013), the Street View case, that unencrypted WiFi payload is not a "radio communication readily accessible to the general public," so the open-network status of the hotspot is not a defense to interception.
- War driving and cracking a WEP key to access a secured network: This is almost certainly unauthorized access. The network owner clearly intended to restrict access, and bypassing that restriction is accessing without authorization.
- War driving and connecting to a WPA2 network using a password guessed from the router's default credentials: This is unauthorized. You accessed a network configured with restricted access without permission from the owner.
- Connecting to a neighbor's open WiFi when they left it open accidentally: The neighbor may have failed to secure their network, but using it without permission still fits the statute's text as access "without authorization." The few reported prosecutions for this kind of piggybacking have been brought under state computer-crime laws rather than the CFAA, and the absence of a password is not an invitation.
- Penetration testing a client's network with a signed contract: This is authorized access. The client explicitly permitted the testing.
Famous CFAA Cases
Van Buren v. United States (2021)
In Van Buren v. United States, a Georgia police sergeant used his valid credentials to run a license plate search in a law enforcement database in exchange for money from an acquaintance, who turned out to be cooperating with an FBI sting. Department policy forbade running searches for personal purposes. The Supreme Court ruled 6-3 that this did not "exceed authorized access": Van Buren was entitled to access the license plate database, and the improper purpose behind a particular search did not turn an authorized access into an unauthorized one. This was a significant narrowing of the CFAA that limits criminal exposure in insider-misuse scenarios, while leaving untouched liability for reaching into data a user's access does not cover.
United States v. Nosal (9th Circuit, 2012)
In United States v. Nosal (9th Cir. 2012, en banc, often called Nosal I), David Nosal, after leaving the executive search firm Korn/Ferry, persuaded former colleagues who still worked there to use their own logins to pull confidential source lists from the company database for his competing venture. The Ninth Circuit held that employees who use legitimate credentials to obtain information they are permitted to access, but for a purpose the employer forbids, do not "exceed authorized access." Other circuits had read the phrase more broadly, and the Supreme Court resolved the split in the Ninth Circuit's favor in Van Buren. The sequel, Nosal II (9th Cir. 2016), is the more important case for the fired-employee scenario: after Nosal's own access was revoked, he used a current employee's password with her consent, and the court held that this was access "without authorization" because the company, not the employee, controls who may log in.
United States v. Lori Drew (2008)
In the Lori Drew case, the infamous "MySpace suicide" case, Drew was prosecuted under the CFAA for helping create a fake MySpace account used to harass a teenage girl who subsequently took her own life. The government's theory was that violating MySpace's terms of service (which prohibited false profile information) made every subsequent access "unauthorized." The case raised enormous controversy because the conduct at issue, creating a fake online persona, seemed far afield from traditional "computer hacking." A jury convicted Drew of misdemeanor unauthorized access under § 1030(a)(2)(C), but the district court then entered a judgment of acquittal, holding that reading the statute to criminalize any breach of a website's terms of service would make it unconstitutionally vague. The case remains the standard illustration of how far the CFAA can stretch toward online behavior that feels wrong but is not hacking.
Why Penetration Testers Need Written Authorization
If you're a security professional conducting authorized penetration testing, the CFAA creates a fundamental tension: you are deliberately doing things that would be illegal if done without permission. This is why written authorization is non-negotiable.
Written authorization serves several legal purposes:
- Establishes consent: The CFAA's core requirement is that access be "without authorization." A signed contract explicitly authorizing the testing removes the "without authorization" element, meaning your actions are legally permissible (within the scope defined).
- Defines the scope: Authorization limited to particular IP ranges, hosts, or applications means anything outside them was never consented to. An inadvertent step over the line may lack the intent the statute requires for criminal liability, but it still exposes you to contract and civil claims, and you do not want to be arguing mens rea after the fact. Build scope checks into your tooling so the boundary is enforced before a packet leaves your machine.
- Provides evidence: If you are ever investigated or sued, written authorization is your primary defense. Verbal permission is hard to prove; a signed contract is not.
- Creates a paper trail: Insurance companies, regulators, and courts want to see documentation that the testing was legitimate.
The authorization document should come from someone with actual authority to grant it. A middle manager's email is not sufficient if only an officer of the company can legally authorize access to the systems being tested. For penetration testers working with enterprise clients, always verify that the authorizing party has actual legal authority over the assets in scope. That includes the question of who owns the asset: a client can authorize testing only of systems it owns or controls, so infrastructure hosted by a cloud provider, a managed service, or a SaaS vendor is governed by that provider's own testing policy, and shared hosts or third-party APIs that happen to be reachable from the client's network are not covered by the client's signature.
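The scope point above is the one most easily enforced in code. The following is an added example, not tooling from the original article: a pre-engagement gate that refuses any target not wholly inside an authorized CIDR block, that touches a contractual carve-out, or that is submitted outside the agreed testing window. The authorized ranges, exclusions, dates, and target list are all hypothetical values standing in for what a signed statement of work would contain.

```python
"""Scope gate for authorized testing (illustrative example, not the page's own code).

Assumed inputs: the signed statement of work lists authorized CIDR blocks,
explicit carve-outs, and a testing window. Every target handed to a scanner
is checked here first, so an accidental /16 instead of /24, or a stray
third-party address, is refused before any packet is sent.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _to_network(value: str) -> Network:
    # strict=False lets "10.20.1.7/24" mean the whole /24; a bare address
    # becomes a /32 or /128, so one code path handles hosts and ranges.
    return ipaddress.ip_network(value.strip(), strict=False)


@dataclass
class Scope:
    allowed: list[Network]
    excluded: list[Network] = field(default_factory=list)
    window_start: Optional[datetime] = None
    window_end: Optional[datetime] = None

    @classmethod
    def from_strings(cls, allowed, excluded=(), window_start=None, window_end=None) -> "Scope":
        return cls([_to_network(a) for a in allowed],
                   [_to_network(e) for e in excluded],
                   window_start, window_end)

    def classify(self, target: str) -> str:
        try:
            net = _to_network(target)
        except ValueError:
            # Hostnames are deliberately not resolved here: DNS can change
            # between authorization and test time, so the tester resolves
            # them out of band and re-submits the literal address.
            return "unresolved"
        # A host or range is in scope only if it sits entirely inside ONE
        # authorized block of the same address family ...
        if not any(net.version == a.version and net.subnet_of(a) for a in self.allowed):
            return "out-of-scope"
        # ... and does not touch any carve-out. A range that merely overlaps
        # an exclusion is rejected whole rather than partially approved.
        if any(net.version == e.version and net.overlaps(e) for e in self.excluded):
            return "excluded"
        return "in-scope"

    def window_open(self, now: datetime) -> bool:
        if self.window_start is not None and now < self.window_start:
            return False
        if self.window_end is not None and now > self.window_end:
            return False
        return True


def gate_targets(scope: Scope, targets: list[str], now: datetime) -> tuple[list[str], dict[str, str]]:
    """Return (approved targets, {rejected target: reason}).

    Outside the contractual window nothing is approved, whatever the address.
    """
    if not scope.window_open(now):
        return [], {t: "outside-authorized-window" for t in targets}
    approved: list[str] = []
    rejected: dict[str, str] = {}
    for t in targets:
        verdict = scope.classify(t)
        if verdict == "in-scope":
            approved.append(t)
        else:
            rejected[t] = verdict
    return approved, rejected


if __name__ == "__main__":
    # Constructed sample engagement: hypothetical ranges, not a real client.
    sow = Scope.from_strings(
        allowed=["10.20.0.0/16", "2001:db8:abcd::/48"],
        excluded=["10.20.99.0/24"],               # e.g. the client's payment VLAN
        window_start=datetime(2024, 3, 4, tzinfo=timezone.utc),
        window_end=datetime(2024, 3, 8, tzinfo=timezone.utc),
    )
    candidates = ["10.20.1.7", "10.20.99.5", "10.21.0.1", "10.20.98.0/23",
                  "2001:db8:abcd:1::10", "2001:db8:ffff::1", "app.example.test"]
    ok, bad = gate_targets(sow, candidates, datetime(2024, 3, 5, tzinfo=timezone.utc))
    print("approved:", ok)
    for target, reason in bad.items():
        print(f"rejected: {target:24} {reason}")
```

Feeding the approved list, and only that list, to the scanner turns the contract's scope clause into a mechanical precondition rather than something each tester remembers to honor. The "unresolved" verdict for hostnames is intentional: a name that resolved to an in-scope address when the contract was signed can point at a third party's server by the time you test.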
The "Authorized Testing" Exception and Safe Harbor
The CFAA has no statutory "safe harbor" for security researchers. (Nor, despite years of calls for one, does the UK Computer Misuse Act 1990; the absence of a good-faith research defence is a standing criticism of that law as well.) In practice, written authorization from the system owner does the work a safe harbor would: it negates the "without authorization" element outright rather than excusing a violation.
Additionally, some security testing activities have partial protections:
- Bug bounty programs: Many organizations run public bug bounty programs whose rules define what testing is authorized. If you operate within those rules, you have authorized access. But read the program's terms carefully: most carve out specific assets, and many prohibit particular techniques such as denial-of-service testing, social engineering, or attacks that reach third-party services the program owner does not control. Testing outside the published rules is testing without authorization.
- Security research carve-outs: Some states have passed laws providing limited protections for good-faith security research. The Digital Millennium Copyright Act's anti-circumvention rule (17 U.S.C. § 1201) has a good-faith security research exemption, but it is granted through the Copyright Office's triennial rulemaking, must be renewed every three years, and shields you only from the DMCA, not from the CFAA.
- Disclosure programs and charging policy: If a company invites researchers to find and responsibly report vulnerabilities, prosecutors are very unlikely to bring CFAA charges for testing done within that invitation. Since May 2022, Department of Justice charging policy also directs that good-faith security research, meaning access carried out solely to test or investigate a security flaw and to avoid harm, should not be charged under the CFAA. Both are prosecutorial discretion, not a legal exemption: the policy does not bind a future administration, and it does nothing to stop a civil suit by the system owner.
How CFAA Applies to WiFi Attacks Specifically
WiFi hacking occupies a particular corner of CFAA jurisprudence. The act of connecting to a wireless network requires accessing a "computer" (the access point and the network infrastructure) and potentially the devices on that network. Here's how different WiFi attack types map to CFAA provisions:
- Captive portal bypass: Bypassing a captive portal to access a network without paying or accepting terms of service can implicate the CFAA, as you are accessing a protected computer without authorization.
- WEP cracking and connecting: Actively cracking WEP encryption to access a network is accessing a protected computer without authorization — the network owner clearly restricted access via encryption, and you bypassed that restriction.
- WPA2 password brute-forcing: Same analysis. Cracking or guessing a WPA2 password to access a secured network is unauthorized access.
- Evil twin / rogue access point: Setting up a fake access point with the same name as a legitimate network to lure users and harvest their credentials or traffic can implicate the fraud provision (§1030(a)(4)) and, where you obtain information from victims' devices, §1030(a)(2). Intercepting the traffic that flows through your rogue AP is also the Wiretap Act's core concern.
- Packet capture on your own network: If you own the network and the devices on it, you can generally capture your own traffic without CFAA issues. However, capturing other people's traffic on the same network may implicate wiretap laws.
- Deauthentication attacks: Sending deauth frames to knock users off a network without the network owner's authorization could constitute damage under §1030(a)(5), since "damage" includes impairment of the availability of a system and you are intentionally disrupting authorized use of a protected computer. Note that owner authorization does not settle the whole question: deliberately jamming or deauthenticating other people's devices and hotspots is willful interference with radio communications under 47 U.S.C. § 333, which the FCC enforces regardless of whose premises you are on. The FCC's 2014 action against Marriott, which had been deauthenticating guests' personal hotspots at a conference venue, is the standard example.