The U.S. Court of Appeals for the 9th Circuit has handed down a very important decision on the Computer Fraud and Abuse Act, /Facebook v. Vachani/ <https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/12/13-17102.pdf>, which I flagged just last week. For those of us worried about broad readings of the Computer Fraud and Abuse Act <https://www.law.cornell.edu/uscode/text/18/1030>, the decision is quite troubling. Its reasoning appears to be very broad. If I’m reading it correctly, it says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they’re committing a federal crime of accessing your computer without authorization. I think this decision is wrong, and that it has big implications going forward. Here’s a rundown of the case and why it matters. I’ll conclude with a thought about a possible way to read the case more narrowly, as well as why I’m not convinced that narrow reading is correct. *I. The Facts* Steve Vachani is the chief executive and founder of Power Ventures, which had a website at Power.com. (I’ll refer to Vachani and Power Ventures collectively as “Power.”) Power had a service that let users aggregate their contacts on different social media sites. Power’s software allowed Facebook users to authorize Power to go into their Facebook accounts and gather information for them for use at Power’s website. Power users also authorized the software to send Facebook messages to other Facebook users for them. Facebook didn’t appreciate this, and it sent a “cease and desist” letter to Power telling the company to stop. The cease-and-desist letter told Power that it was violating Facebook’s terms of use and warned Power that it may have violated federal and state law. Facebook also blocked Power’s IP addresses. Power just changed IP addresses and continued operating. Facebook then sued, claiming that Power’s conduct violated the CFAA, a somewhat similar California unauthorized access statute and the CAN-SPAM Act <https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compli...>. Just to keep things simple, I’ll focus this post only on the claims brought under the CFAA. *II. The New Decision* In the new decision, the court holds that Power violated the CFAA when it continued to access Facebook’s computers with users’ permission after receiving the cease-and-desist letter. Oddly, Judge Susan P. Graber’s explanation for why Power violated the CFAA focuses almost exclusively on Power’s state of mind rather than what Power did. The CFAA prohibits intentionally accessing a computer without authorization. Instead of explaining what counts as access “without authorization,” Judge Graber focuses mostly on whether Power had a culpable state of mind with respect to whether it was doing something unwanted. [] <https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/12/9th-circ...>