Measuring Computer Use Norms

Abstract

The Computer Fraud and Abuse Act prohibits unauthorized use of computer systems. One proposed method of defining unauthorized use is to use the norms of actual computer users, restricting punishment to that which many or all agree to be unauthorized. This study measures lay authorization beliefs and punishment preferences for a variety of computer misuse activities. Though perceived authorization is strongly predictive of punishment attitudes, results show that many people view common misuse activities as unauthorized but not deserving of any meaningful punishment. Respondents also viewed as unauthorized many activities – such as ignoring a website’s terms of service, surfing the news while at work, or connecting to a neighbor’s unsecured wireless network – that scholars have argued are implicitly licensed. This divergence between perceived authorization and desired punishment presents a challenge for the CFAA framework. To avoid results that would strike both the lay public and field experts as overcriminalization, “unauthorized use” must therefore be interpreted far more narrowly than common usage would suggest.