Non-Lawyers Summary

The CFAA is not the only law that can land a hacker, researcher, or employee in federal prison. Four other legal frameworks operate alongside — and sometimes independently of — the CFAA:

  1. Economic Espionage Act (EEA): Criminalizes theft of trade secrets (proprietary technical data, product designs, algorithms). A CFAA intrusion that happens to grab trade secret data also triggers EEA — with harsher penalties, especially if a foreign government is involved.
  2. Espionage Act: A 1917 statute that criminalizes unauthorized handling of "national defense information." It does not require the data to be formally classified, and it has been used against journalists' sources, contractors, and military personnel who leaked data they had lawful access to. Never touch U.S. government systems.
  3. State Computer Crime Statutes: All 50 states have their own laws. California, New York, and Texas have statutes that are broader than the CFAA in important ways — lower damage floors, private rights of action, and wider definitions of harm. State charges can stack on top of federal charges.
  4. Trespass to Chattels: A civil tort (lawsuit, not criminal charge) that lets companies sue for unauthorized computer access without proving CFAA elements. No $5,000 floor. Used against scrapers, automated testing tools, and botnet operators. Limited by the Intel v. Hamidi requirement that actual impairment be shown.

What This Module Answers Fast

  • Can you be charged under EEA for reversing a competitor's firmware? (Yes, potentially.)
  • What is the difference between § 1831 and § 1832 of the EEA?
  • Why was Snowden charged under the Espionage Act and not the CFAA?
  • Does California's § 502 have a lower damage threshold than federal CFAA? (Yes — no floor.)
  • Can a company sue you for web scraping without proving $5,000 in damage? (Yes, under trespass to chattels in some jurisdictions.)
  • What is the biggest case limiting trespass to chattels for digital activity? (Intel Corp. v. Hamidi.)

Overview

The CFAA is the entry point to federal computer crime law. But here's what the law school textbooks don't tell you: it has blind spots. Structural limits. Cases it was never built to handle.

It requires proof of "unauthorized access." It has a $5,000 damage floor for civil suits. It was never designed to address trade secret theft by insiders, national security leaks, or the behavior of automated bots.

Four additional legal frameworks fill those gaps — and they appear as co-charges, independent theories, and civil fallbacks in cases that begin with a network intrusion and end in a courtroom no one expected. This module covers each framework in depth, with specific cases, sentencing outcomes, and practical implications for hackers, security practitioners, and anyone who thinks that evading the CFAA means escaping all risk.


Start Here If Your Issue Is...

| Situation | Jump to |
|---|---|
| You grabbed proprietary technical data from a company's systems | EEA §§ 1831–1839 |
| You accessed government systems and saw non-public data | Espionage Act § 793 |
| You're in California and being sued for scraping | CDAFA § 502 |
| You're in New York and facing state criminal charges for system access | NY Art. 156 |
| A company is suing you civilly without invoking CFAA | Trespass to Chattels |
| You want to compare all five frameworks side by side | Comparison Table |
| You want to understand EEA vs. CFAA as charged theories | EEA section — "Why EEA vs. CFAA" |

Issue Map

```mermaid
flowchart TD
    A[Unauthorized Access or Data Exfiltration] --> B{Data type?}
    B --> C[Trade secret / proprietary IP]
    B --> D[National defense / government info]
    B --> E[Any data, private company]
    B --> F[No login gate / public-facing]

    C --> G[EEA §§ 1831-1839\nup to 15yr / 10yr]
    C --> H[CFAA §1030 also charged]
    G --> I{Foreign government\nnexus?}
    I --> |Yes| J[§1831 — up to 15 years]
    I --> |No| K[§1832 — up to 10 years]

    D --> L[Espionage Act § 793\nup to 10 years per count]
    D --> M[CFAA also possible]

    E --> N{Jurisdiction?}
    N --> |California| O[CDAFA § 502\nNo damage floor\nPrivate right of action]
    N --> |New York| P[NY Art. 156\nClass A misdemeanor → E felony]
    N --> |Texas| Q[TX § 33.02\nClass B misdemeanor → 1st degree felony]
    N --> |Federal| H

    F --> R[Trespass to Chattels\nCivil theory only]
    R --> S{Actual impairment\nto servers shown?}
    S --> |Yes| T[TTC viable — eBay v. Bidder's Edge]
    S --> |No| U[TTC fails — Intel v. Hamidi]
```

Timeline Overview

```mermaid
timeline
    title Key Legal Milestones — Beyond CFAA
    1917 : Espionage Act enacted (18 U.S.C. § 793)
    1986 : CFAA enacted
    1996 : Economic Espionage Act enacted (18 U.S.C. §§ 1831–1839)
    1997 : CompuServe v. Cyber Promotions — first trespass to chattels win for spam
    2000 : eBay v. Bidder's Edge — TTC extended to web scraping (N.D. Cal.)
    2003 : Intel v. Hamidi — Cal. Sup. Ct. limits TTC; actual impairment required
    2013 : Chelsea Manning sentenced — 35 years under Espionage Act
    2013 : Snowden indicted under Espionage Act — fled to Russia; charges still active
    2018 : Reality Winner — 63 months for leaking NSA report
    2020 : US v. Zhang — Apple engineer charged EEA + CFAA for AV schematics
    2022 : US v. Xu Yanjun — 20 years, first successful extradition of Chinese intel officer
    2022 : US v. Zheng Xiaoqing — 24 months, turbine tech hidden in sunset photo EXIF
    2024 : Jack Teixeira — 15 years, Discord leaks of classified military intelligence
```

Key Facts

  • EEA § 1831 (foreign government nexus): maximum 15 years per count; EEA § 1832 (private): maximum 10 years.
  • Espionage Act § 793: maximum 10 years per count; multiple counts are common.
  • California CDAFA § 502: maximum 3 years prison + civil damages + attorney's fees; no $5,000 floor for civil suits.
  • New York computer trespass: Class E felony (§ 156.10), up to 4 years.
  • Texas § 33.02: ranges from Class B misdemeanor to 1st degree felony (up to life) depending on aggregate damage amount.
  • Trespass to chattels requires actual impairment to the physical or functional integrity of the computer/server — mere unwanted access is not enough after Intel v. Hamidi.
  • Federal EEA charges and state charges can be brought simultaneously by different prosecutors — a federal plea does not dispose of state exposure.

Economic Espionage Act (18 U.S.C. §§ 1831–1839) — "You Didn't Have to Hack In. You Just Had to Walk Out With the Right Files."

Why EEA Exists — The Gap the CFAA Left Open

Here's a scenario the CFAA was never designed to handle: an engineer at a defense contractor with full, legitimate access to a classified technical database downloads a copy of a proprietary turbine blade design onto a USB drive, walks it through the security checkpoint, boards a flight to Beijing, and hands it to a government contact.

No hacking. No unauthorized access. No § 1030 violation in any traditional sense.

This happened. Variations of it happen constantly. And it was costing American companies — and American national security — billions of dollars every year.

The Economic Espionage Act of 1996 was enacted specifically to fill this gap. It criminalizes the theft, misappropriation, or unauthorized conversion of trade secrets — regardless of whether a computer was "hacked" in the traditional sense. The insider threat. The trusted partner who turns. The researcher who leaves with the crown jewels.

Two Offenses — One Statute

18 U.S.C. § 1831 — Theft for Benefit of Foreign Government

  • Elements: (1) knowingly stealing or misappropriating a trade secret; (2) knowing the offense will benefit a foreign government, instrumentality, or agent.
  • Penalty: up to 15 years imprisonment per count (organization: up to $10 million fine or 3x value of trade secret, whichever is greater).
  • Key: "benefit" is broadly interpreted — it does not require proof that money changed hands. Providing economic intelligence to a foreign state counts.

18 U.S.C. § 1832 — Theft for Private Commercial Benefit

  • Elements: (1) knowingly stealing or misappropriating a trade secret; (2) with intent to convert it to the economic benefit of someone other than the owner; (3) knowing the owner would be injured.
  • Penalty: up to 10 years imprisonment per count (organization: up to $5 million fine or 3x value of trade secret).
  • Most common theory for corporate espionage cases not tied to nation-states.

"Trade Secret" Definition (§ 1839) — Broader Than You Think

The EEA's definition is broad and deliberate:

This covers: source code, algorithms, product formulas, manufacturing processes, customer lists, business strategies, and technical specifications. It does not require the information to be patented or formally protected under IP law — only that the owner took reasonable steps to keep it secret (NDAs, access controls, classification markings).

Key Cases — The Sentences That Defined the Statute


US v. Xu Yanjun (S.D. Ohio 2022) — 20 Years, and a Precedent That Changed Everything

He sat across from engineers at aerospace conferences and introduced himself as a researcher affiliated with a Chinese university. He was, in fact, a deputy division director of China's Ministry of State Security. He targeted GE Aviation's turbofan engine designs — specifically composite fan blade technology that took GE decades and hundreds of millions of dollars to develop.

The DOJ charged Xu under EEA § 1831. He made the mistake of traveling to Brussels to meet a GE engineer who was cooperating with the FBI. Belgian authorities arrested him. He was extradited to the Southern District of Ohio.

In 2021, a jury convicted him on all counts. In 2022, he was sentenced to 20 years — the harshest sentence ever imposed under the EEA. He was also the first successful extradition of a Chinese intelligence officer to face U.S. prosecution.

Why it matters: CFAA alone would have capped exposure at lower levels. The foreign government nexus (§ 1831) and the value of the stolen IP ($10M+ range) combined to justify a sentence that CFAA charges alone could not have driven.


US v. Zheng Xiaoqing (N.D.N.Y. 2022) — 24 Months, and a Sunset Photo

Zheng was a principal engineer at GE Power. When he left for a Chinese competitor, he embedded thousands of files of turbine technology — stress test data, design specifications — into the binary code of a sunset photograph using steganography. The concealment method was sophisticated. Federal investigators uncovered it through forensic analysis of files Zheng transmitted via email.

The revelation: the file was a photograph. The secret inside it was industrial espionage.

Sentenced to 24 months. Less than Xu Yanjun because Zheng was not a state intelligence officer, was charged under § 1832 (private benefit), and cooperated to some extent. But the EEA covered it entirely. No traditional hack ever occurred.


US v. Zhang (E.D.N.Y. 2020) — CFAA + EEA, the Standard Stack

Xiaolang Zhang was an Apple hardware engineer on the autonomous vehicle project. When he announced his resignation and plans to join a Chinese autonomous vehicle startup, Apple investigated. They found he had downloaded 25 internal schematics — hardware reference files and a component database — from a secure internal network. He was stopped at the airport.

Zhang was charged under both CFAA (§ 1030) and EEA § 1832 (private benefit). He later pleaded guilty. This case illustrates the standard prosecutorial pattern: if you can charge CFAA, you layer EEA on top whenever the stolen data qualifies as a trade secret.


Why EEA vs. CFAA — Practical Differences

| Factor | CFAA | EEA |
|---|---|---|
| Requires unauthorized access? | Yes — the core element | No — authorized access + theft is enough |
| Covers insider exfiltration? | Only if they exceed access (Van Buren) | Yes — specifically designed for this |
| Foreign government nexus | Not relevant | § 1831: up to 15 years (vs. 10 under § 1832) |
| Maximum sentence (individual) | 20 years (aggravated) | 15 years (§ 1831), 10 years (§ 1832) |
| Civil action? | § 1030(g) — private right, $5k floor | No private right of action under EEA |
| Scope of covered information | Computer data broadly | Specifically trade secrets with economic value |

For Security Researchers

EEA exposure is real in two scenarios:

  1. Reversing competitor firmware or proprietary software: If the firmware contains trade secrets and you obtained it through unauthorized means (or exceeded the scope of any license), reverse engineering to extract proprietary design information could constitute EEA misappropriation.
  2. CFAA intrusion that sweeps up trade secrets: If you hack a system and the data you access qualifies as a trade secret, prosecutors will add EEA counts. You face two independent federal statutes, each with their own sentencing exposure, running consecutively.

The practical rule: the moment your CFAA conduct touches proprietary technical data — product designs, algorithms, manufacturing specs — the EEA is in play.


Espionage Act (18 U.S.C. § 793) — "Authorized Access Was Not a Defense. It Never Was."

The Hundred-Year-Old Weapon

It was 1917. The country was at war. Congress needed a tool to stop information from reaching the enemy. They wrote a statute deliberately — almost recklessly — broad. They called it the Espionage Act.

A century later, it has been used against military analysts, NSA contractors, Air National Guard airmen, and leakers of every ideological stripe. It has never been limited to formally classified materials. It does not require that you "hacked" anything. And in every major prosecution in the modern era, it has carried the same central revelation: authorized access means nothing if you transmitted what you weren't supposed to transmit.

Key Provisions

§ 793(a): Whoever, with intent to injure the United States or advantage a foreign nation, gathers or obtains any document, writing, or information connected with national defense.

§ 793(b): Copying, taking, making, or obtaining such information.

§ 793(d): Whoever, being lawfully in possession of such documents, willfully communicates or transmits them to a person not entitled to receive them.

§ 793(e): Whoever, having unauthorized possession of such documents, willfully communicates or retains them.

§ 793(f): Whoever, through gross negligence, permits another to obtain national defense information, or fails to report known theft.

Maximum penalty: 10 years per count. Multiple counts charged routinely.

Critical point: "National defense information" is not synonymous with "classified information." Courts have held the term covers any information that could harm national defense if disclosed, regardless of formal classification status. A document marked UNCLASSIFIED but containing operational military details could qualify.

Key Cases — The Sentences That Defined the Statute


Chelsea Manning (2013) — 35 Years Sentenced, Commuted to 7

Private First Class Bradley (later Chelsea) Manning had authorized access as an Army intelligence analyst to SIPRNET, the classified military network. Manning downloaded approximately 700,000 documents — State Department cables, the "Collateral Murder" video, Iraq and Afghanistan war logs — and transmitted them to WikiLeaks.

No hack. Legitimate credentials. Legitimate access. Manning walked in through the front door every morning.

Charged under §§ 793(d) and 793(e) plus CFAA violations. Convicted on 20 of 22 counts. Sentenced to 35 years in 2013. President Obama commuted the sentence to 7 years in 2017.

Key lesson: Authorized access is not a defense under the Espionage Act. The crime is transmitting or retaining national defense information without authorization to transmit, not the access itself.


Edward Snowden (2013 Indictment — Never Tried)

NSA contractor Edward Snowden disclosed the PRISM surveillance program, XKEYSCORE, and other NSA programs to journalists at The Guardian and Washington Post. He was indicted by a grand jury in the Eastern District of Virginia on two counts under § 793(d) (unauthorized communication of national defense information) and one count under 18 U.S.C. § 641 (theft of government property).

Snowden fled to Russia before prosecution. The indictment remains active.

Key lesson: Geography does not matter. The Espionage Act applies to U.S. persons anywhere in the world. Physical departure from the U.S. does not resolve criminal exposure. Snowden has lived under this indictment for over a decade.


Reality Winner (2017) — 63 Months and the Printer That Betrayed Her

NSA contractor Reality Winner printed and mailed a single NSA intelligence report to The Intercept — a report on Russian interference in the 2016 election. She was identified through printer steganography: modern printers embed invisible yellow dot patterns encoding the serial number and print date on every page. The Intercept shared a scan of the document. NSA identified the source from the dot pattern.

Charged under § 793(e). Sentenced to 63 months (5 years, 3 months) — the longest sentence for an Espionage Act offense at that time for a leak to a media organization. Winner had never previously been in trouble and the report covered matters of significant public interest.

Key technical note for researchers: Document metadata is evidence. Printer steganography, EXIF data, file metadata, and access logs can identify the source of a leak even when the leak itself appears anonymous.
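The following is an added example, not taken from this page's sources or from any case record. It illustrates the "document metadata is evidence" point above and the Zheng sunset-photo case: a structural triage of JPEG files that measures how much of a file is metadata (APPn/EXIF, COM) or sits after the end-of-image marker. The thresholds and the sample bytes are constructed assumptions, and the check does not detect pixel-level steganography.

```python
"""Structural triage of JPEG files: image data vs. metadata vs. trailer bytes."""
import struct
from dataclasses import dataclass, field

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-RST7 carry no length field


@dataclass
class JpegReport:
    size: int = 0
    segment_bytes: dict = field(default_factory=dict)  # marker name -> payload bytes
    scan_bytes: int = 0       # entropy-coded image data
    trailing_bytes: int = 0   # anything after the EOI marker
    findings: list = field(default_factory=list)


def marker_name(m):
    if 0xE0 <= m <= 0xEF:
        return f"APP{m - 0xE0}"          # APP1 is where EXIF lives
    return {0xFE: "COM", 0xDB: "DQT", 0xC4: "DHT", SOS: "SOS"}.get(m, f"0x{m:02X}")


def ends_scan(b):
    """In scan data FF00 is a stuffed byte, FFFF is fill, FFD0-FFD7 are restart markers."""
    return b not in (0x00, 0xFF) and not 0xD0 <= b <= 0xD7


def inspect_jpeg(data, max_meta_ratio=0.5, max_trailing=0):
    """Walk the segment structure. Thresholds are illustrative assumptions."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    rep, n, i, eoi_end = JpegReport(size=len(data)), len(data), 2, None
    while i + 1 < n:
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        m = data[i + 1]
        if m == 0xFF:                    # fill byte before a marker
            i += 1
            continue
        i += 2
        if m == EOI:
            eoi_end = i
            break
        if m in NO_LENGTH:
            continue
        if i + 2 > n:
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[i:i + 2])  # length counts its own 2 bytes
        if length < 2 or i + length > n:
            raise ValueError(f"bad segment length at offset {i}")
        name = marker_name(m)
        rep.segment_bytes[name] = rep.segment_bytes.get(name, 0) + length - 2
        i += length                      # also skips EXIF thumbnails with their own SOI/EOI
        if m == SOS:                     # image data runs until the next real marker
            start = i
            while i + 1 < n and not (data[i] == 0xFF and ends_scan(data[i + 1])):
                i += 1
            rep.scan_bytes += i - start
    if eoi_end is None:
        rep.findings.append("no EOI marker: truncated or malformed file")
    else:
        rep.trailing_bytes = n - eoi_end
    if rep.trailing_bytes > max_trailing:
        rep.findings.append(f"{rep.trailing_bytes} bytes after EOI marker")
    meta = sum(v for k, v in rep.segment_bytes.items() if k.startswith("APP") or k == "COM")
    if meta / n > max_meta_ratio:
        rep.findings.append(f"metadata segments are {meta / n:.0%} of the file")
    return rep


def seg(marker, payload):
    """Frame one JPEG segment: FF, marker, big-endian length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample(exif=b"Exif\x00\x00" + bytes(32), trailer=b""):
    """Constructed test input: valid JPEG framing, not a decodable picture."""
    scan = b"\x12\x34\xff\x00\x56" * 200          # includes stuffed FF00 pairs
    return (bytes([0xFF, SOI]) + seg(0xE1, exif) + seg(0xDB, bytes(65))
            + seg(SOS, bytes(10)) + scan + bytes([0xFF, EOI]) + trailer)


if __name__ == "__main__":
    samples = {
        "clean.jpg": build_sample(),
        "appended.jpg": build_sample(trailer=b"PK\x03\x04" + b"A" * 500),
        "stuffed_exif.jpg": build_sample(exif=b"Exif\x00\x00" + b"B" * 60000),
    }
    for name, blob in samples.items():
        r = inspect_jpeg(blob)
        print(name, r.size, r.segment_bytes, r.scan_bytes, r.trailing_bytes, r.findings or "ok")
```

Legitimate photos can carry large ICC profiles or thumbnails, so a flagged file is a lead for manual review, not proof of concealment.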


Jack Teixeira (2024) — 15 Years, and a Discord Server

Just before dawn on a Friday, inside a private Discord server populated by online gaming friends, a 19-year-old Air National Guard airman began posting photographs of classified military intelligence documents — intelligence about Russian military operations, assessments of Ukrainian battlefield capacity, surveillance of allied nations' communications.

He did it to impress them.

Teixeira pleaded guilty to six counts under § 793(d). Sentenced to 15 years in 2024 — a severe outcome for someone with no prior record, driven by the sensitivity and volume of the disclosures. Teixeira had authorized access to the materials as part of his duties. The crime was retention and transmission, not unauthorized access.


EEA vs. Espionage Act vs. CFAA — Key Distinctions

| Question | CFAA | EEA | Espionage Act |
|---|---|---|---|
| What data is covered? | Any computer data | Trade secrets (commercial value) | National defense information |
| Requires unauthorized access? | Yes | No — insider misappropriation covered | No — authorized possession + transmission covered |
| Applies to private sector? | Yes | Yes | No — requires national defense nexus |
| Both often charged together? | Yes (with EEA) | Yes (with CFAA) | Yes (with CFAA § 1030(a)(1)) |
| Max sentence | 20 years (aggravated) | 15 years (§ 1831) | 10 years per count |
| Foreign government nexus | Not relevant | Doubles exposure (§ 1831) | Any disclosure harms national defense |

For Security Researchers

Avoid U.S. government systems at all costs. Even "publicly accessible" government portals — unprotected S3 buckets on .gov domains, open JIRA instances, misconfigured GitHub repos belonging to DOD agencies — can trigger Espionage Act exposure if the data encountered qualifies as national defense information. The lack of a login gate is not a legal safe harbor. CFAA's Van Buren ruling may limit "unauthorized access" claims, but the Espionage Act does not have an "authorization" carve-out — it criminalizes retention and transmission of NDI regardless of how it was accessed.


State Computer Crime Statutes — "The Charges That Survive Your Federal Plea Deal"

Why State Statutes Matter Independently

Here's a scenario that surprises people: you negotiate a federal CFAA plea deal. You serve your time. You walk out thinking the legal exposure is resolved.

Then the California AG files charges under Penal Code § 502. The Texas AG files under § 33.02. The Manhattan DA opens an investigation under Article 156.

A single intrusion that spans multiple states can trigger state charges in multiple states concurrently. State AGs and district attorneys bring state charges. These can proceed simultaneously or sequentially — a federal plea deal does not bind the state. State statutes also provide private rights of action that differ materially from the federal CFAA civil cause of action, including in some cases no minimum damage floor, attorney's fees, and statutory damages.

California Penal Code § 502 — CDAFA — "The Prosecutor's Favorite Tool in Silicon Valley"

California's Computer Data Access and Fraud Act (§ 502) is the most important state computer crime statute for practitioners because California hosts the largest concentration of technology companies. It is broader than CFAA in two critical respects.

Broader coverage — "Disruption" theory:

§ 502(c)(5): "Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user."

This provision does not require traditional "unauthorized access" as defined by CFAA or Van Buren. It covers service disruption even from someone with partial access — covering DDoS scenarios, aggressive scraping that degrades service quality, and automated crawling that impairs server function.

No $5,000 damage floor for civil suits:

Federal CFAA civil actions under § 1030(g) require "damage or loss to one or more persons during any one-year period aggregating at least $5,000 in value" — a significant threshold that many individual claims cannot meet. California § 502 has no equivalent floor. A company can sue for any quantifiable damage, including attorney's fees and costs.

Private right of action:

§ 502(e) expressly authorizes civil suits by "owner or lessee of the computer, computer system, computer network, computer program, or data" against any person who violates the statute. Recovery includes compensatory damages, punitive damages, and attorney's fees.

Criminal penalties:

First offense: County jail up to 1 year or state prison up to 3 years (depending on the specific subsection and circumstances). Repeat offenses: up to 3 years, and sentencing enhancements apply for losses exceeding specified thresholds.

Key cases:

  • hiQ Labs v. LinkedIn: LinkedIn asserted § 502 counterclaims against hiQ for scraping. The § 502 claim provided an independent state-law basis for liability even as CFAA claims were being contested federally. The Ninth Circuit's CFAA ruling did not resolve the § 502 question, which remains more plaintiff-friendly.
  • Facebook scraping suits: Facebook has invoked § 502 against multiple scraper operations as a fallback when CFAA "authorization" arguments are uncertain. § 502's lower bar makes it a preferred theory in California-based cases.

New York Penal Law Article 156 — Computer Tampering

New York's computer crime statutes (Art. 156) track a graduated severity structure:

| Provision | Offense | Classification | Max Sentence |
|---|---|---|---|
| § 156.05 | Unauthorized use of a computer | Class A misdemeanor | 1 year |
| § 156.10 | Computer trespass (access with felony intent or $1,000+ damage) | Class E felony | 4 years |
| § 156.20 | Computer tampering (intentional damage) | Class A misdemeanor | 1 year |
| § 156.25 | Computer tampering (second degree — intentional damage $1,000+, or impairs medical records) | Class E felony | 4 years |
| § 156.26 | Computer tampering (first degree — damage $50,000+) | Class C felony | 15 years |
| § 156.30 | Unlawful duplication of computer related material | Class E/D felony | 4–7 years |

Key characteristics:

  • § 156.10 "computer trespass" does not require the $5,000 federal damage floor. Intent to commit a felony plus unauthorized access is sufficient.
  • New York AG Letitia James has used Art. 156 in data breach enforcement actions against companies (both as victims and, when negligence is severe enough, as co-culprits).
  • Unlike California, New York Art. 156 does not have an explicit private right of action — civil suits require traditional tort theories (trespass to chattels, negligence) or contract claims.

Texas Penal Code § 33.02 — Breach of Computer Security

Texas defines "breach of computer security" as knowingly accessing a computer, computer network, or computer system without the effective consent of the owner, with intent to defraud or harm.

Graduated penalties based on aggregate financial harm:

| Aggregate Damage | Classification | Max Sentence |
|---|---|---|
| Under $100 | Class B misdemeanor | 180 days |
| $100 – $750 | Class A misdemeanor | 1 year |
| $750 – $2,500 | State jail felony | 2 years |
| $2,500 – $30,000 | Third degree felony | 10 years |
| $30,000 – $150,000 | Second degree felony | 20 years |
| Over $150,000 | First degree felony | Life or 99 years |

Texas also has § 33.021 (online solicitation of a minor through computers) and § 33.04 (aiding the breach of computer security) which expand the surface area considerably.

Key Texas-specific point: Texas courts have broad jurisdiction over computer crimes when any element of the offense occurs in Texas — including where the victim's server is located, even if the attacker operated from another state. This gives Texas AG independent authority to pursue actors who hit Texas-based businesses.

Circuit Split and Multi-State Exposure

A single intrusion touching servers in California, New York, and Texas simultaneously exposes a defendant to:

  • Federal CFAA charges (DOJ)
  • California § 502 charges (California AG or Santa Clara DA)
  • New York Art. 156 charges (NYAG or Manhattan DA)
  • Texas § 33.02 charges (Texas AG)
  • Civil suits under California § 502(e) with no damage floor

These proceed independently. A guilty plea at the federal level does not bind state prosecutors. A researcher who settles a civil CFAA claim with a company does not thereby resolve potential state criminal exposure.


Trespass to Chattels — "The Lawsuit From 1760 That Can Now Target Your Crawler"

What It Is — and Why It Matters in 2026

Trespass to chattels is a common law tort — a civil claim, not a criminal charge — that predates computer crime statutes by centuries. Its traditional elements:

  1. The defendant intentionally interfered with the plaintiff's personal property (a "chattel")
  2. The plaintiff suffered actual harm — damage, deprivation, or impairment of the property

In the pre-internet era, chattels were physical objects: cars, jewelry, machinery. In the late 1990s, plaintiffs began arguing that computer systems — and the server resources consumed by unauthorized processes — were chattels subject to the same protection.

The argument succeeded. And when it did, it created a civil liability theory that operates without the CFAA's structural requirements:

  • No $5,000 damage floor
  • No need to prove "unauthorized access" under Van Buren's technical gate framework
  • No need to prove the defendant intended to cause computer damage
  • Any measurable diminution of server resources or functionality can constitute the required "harm"

Companies have used trespass to chattels against: web scrapers consuming significant server bandwidth, spam operators flooding mail servers, automated security testing tools generating excessive load, and bots executing rapid-fire API requests.

Key Cases — The Law That Drew the Line


CompuServe Inc. v. Cyber Promotions, Inc. (S.D. Ohio 1997) — The First Victory

Cyber Promotions was sending massive volumes of unsolicited commercial email through CompuServe's servers, consuming server resources and degrading service for CompuServe's paying subscribers. CompuServe sought an injunction.

The court granted it, holding that Cyber Promotions' bulk email constituted a trespass to chattels: the electronic signals traversed CompuServe's physical server equipment, consuming processing time and storage without consent, causing quantifiable harm to CompuServe's property.

This established the foundational principle that digital conduct can constitute trespass to chattels if it imposes real resource costs on computer infrastructure. A threshold was crossed. The old law had found new territory.


Intel Corp. v. Hamidi (Cal. 2003) — The Case That Almost Ended It

Kourosh Hamidi was a former Intel employee who sent mass emails to Intel employees criticizing the company's employment practices. Intel blocked him. He routed around the blocks. Intel sued under trespass to chattels.

The California Supreme Court ruled against Intel in a 4-3 decision. The court held that trespass to chattels for electronic intrusions requires actual impairment to the computer's functionality — not merely unwanted use or an unwanted message. Intel's computers had not been damaged, degraded, or impaired by Hamidi's emails. The only harm was to Intel's employment relations and employee morale — not to the computer system itself.

The Hamidi limitation is now the operative standard in California: you must show functional impairment, not just unauthorized use.


eBay, Inc. v. Bidder's Edge (N.D. Cal. 2000) — The Scraper That Lost

Bidder's Edge operated an auction aggregator that crawled eBay's site thousands of times per day to gather price and listing data for comparison. eBay blocked Bidder's Edge. It circumvented the blocks. eBay sued under trespass to chattels and sought a preliminary injunction.

The court granted it. It found that even though Bidder's Edge's crawling constituted less than 1.5% of eBay's total server load, the aggregate effect of all similar scrapers consuming server resources without authorization was sufficient to show impairment — and that eBay had a right to exclude unauthorized users from its servers entirely.

This is the most favorable TTC precedent for companies suing scrapers. Note, however, that the eBay ruling came before the Hamidi limitation and has been questioned in subsequent California cases. Its precedential value varies by jurisdiction.


Current State of the Law

| Jurisdiction | Standard for Digital TTC | Notes |
|---|---|---|
| California | Actual functional impairment required (Hamidi) | Most restrictive; hard to show for low-volume scraping |
| Federal (9th Cir.) | Hamidi-influenced; actual harm to server required | Trend away from TTC for scraping post-hiQ |
| Ohio | Resource consumption theory still viable (CompuServe) | More plaintiff-friendly |
| General common law | Split — some courts require impairment, others accept diminished value | Jurisdiction-specific; always check |

The Civil Stack — How Companies Combine These Theories

The most common civil attack pattern against scrapers and automated testers combines:

  1. Breach of contract — violation of Terms of Service (if there was an enforceable agreement; less clear after Van Buren-era circuit developments)
  2. Trespass to chattels — server resource consumption without consent
  3. California § 502 — if the target is California-based (no damage floor)
  4. CFAA § 1030(g) — if $5,000 threshold can be met

A company does not need to win all four claims. The combination creates settlement pressure even where individual theories are weak.

For Hackers and Researchers

Automated tools — scanners, fuzzers, crawlers, API hammers — consume server resources. Even in a legitimate bug bounty context, if the scope agreement does not expressly authorize automated testing, you are running TTC exposure on top of potential ToS breach.

Specific risk scenarios:

  • Running a nuclei/nmap scan on a target outside scope: TTC applies even if CFAA does not (because Van Buren may protect authorized users abusing access, but not external scanners with no authorization at all)
  • Web scraping after a cease-and-desist: If you continue scraping after the target sends a C&D and blocks your IP (Power Ventures pattern), both CFAA and TTC are live
  • Burp Suite on a target with no VDP: Every request is potentially a chattel interference if the server logs demonstrate resource consumption above baseline

Comparison Table

| Framework | Key Elements | Max Criminal Sentence | Civil Action? | Damage Floor | Key Limitation |
|---|---|---|---|---|---|
| CFAA (§ 1030) | Unauthorized access to protected computer; damage or loss | 20 years (aggravated) | Yes — § 1030(g) | $5,000 (civil); none (criminal) | Van Buren — must exceed authorization by entering prohibited zone, not just misuse |
| EEA § 1831 | Theft of trade secret + benefit of foreign government | 15 years / $10M fine | No private right of action | N/A (criminal only) | Must prove foreign government nexus and reasonable measures to keep secret |
| EEA § 1832 | Theft of trade secret + private commercial benefit | 10 years / $5M fine | No private right of action | N/A (criminal only) | Must prove info had independent economic value; public info not covered |
| Espionage Act § 793 | Collection/retention/transmission of national defense information | 10 years per count | No private right of action | N/A (criminal only) | Only national defense information; classified ≠ NDI, but NDI is very broad |
| CA CDAFA § 502 | Unauthorized access, disruption, or damage to CA computers | 3 years (state prison) | Yes — § 502(e); attorney's fees | No floor | Requires California jurisdiction; "disruption" broader than federal CFAA access |
| NY Art. 156 | Unauthorized access / computer trespass / tampering | Up to 15 years (1st degree tampering) | No express private right | $1,000 (for felony trespass tier) | Jurisdiction-specific; no statewide private right of action |
| TX § 33.02 | Unauthorized access with intent to defraud or harm | Life (1st degree if damage over $150K) | No express private right | Graduated by damage amount | Texas nexus required; felony tiers escalate rapidly with aggregate damage |
| Trespass to Chattels | Intentional interference with personal property (server) + actual harm | N/A — civil tort only | Yes — common law | No statutory floor; must show actual impairment | Hamidi: actual functional impairment required, not just unwanted access |

Practical Takeaways

  1. EEA stacks automatically on proprietary data. Any CFAA intrusion that touches technical specifications, algorithms, or product designs creates EEA exposure. Prosecutors charge both. Plan defenses for both.
  2. Authorized access is not a defense to the Espionage Act. The Manning, Winner, and Teixeira cases all involved people who had lawful access to the systems from which data was taken. The crime was transmission, not access. Government systems: do not touch, period.
  3. California § 502 is the most dangerous state statute for tech companies and scrapers. No $5,000 floor, private right of action, attorney's fees, and a "disruption" theory that is broader than CFAA's "unauthorized access" standard.
  4. State charges survive federal plea deals. If you plead guilty to CFAA at the federal level, the California AG can still pursue § 502 charges. The Texas AG can still pursue § 33.02 charges. Multi-state intrusions create multi-state exposure that no single resolution addresses.
  5. Trespass to chattels is the civil fallback when CFAA fails. If a company cannot meet the $5,000 CFAA floor or cannot establish "unauthorized access" under Van Buren, TTC gives them another avenue — especially against scrapers and automated tool operators. Always verify whether your testing consumes measurable server resources.
  6. Printer steganography, EXIF data, and metadata are investigative tools. The Reality Winner prosecution proved this beyond academic interest. If you are handling leaked documents in a research or disclosure context, scrub metadata before sharing. If you receive documents, document the chain of custody and consult counsel before doing anything with them.
  7. The EEA "reasonable measures" requirement is your only real defense. If the company you accessed left trade secrets in a publicly accessible S3 bucket with no access controls, they arguably failed the "reasonable measures" standard. This does not eliminate CFAA exposure but may undercut EEA charges.
  8. Foreign government nexus is a sentence multiplier. If any element of your activity touches a foreign state actor — you were directed by one, you transferred data to one, you were recruited by one — § 1831 applies and the maximum rises from 10 to 15 years per count.

What This Module Does Not Cover

  • CFAA § 1030 elements and Van Buren analysis → Module 1A
  • Trade secret civil litigation under the Defend Trade Secrets Act (DTSA, 18 U.S.C. § 1836) — the civil companion to EEA
  • Espionage Act as applied to journalists and First Amendment limitations — an active and unresolved constitutional question
  • State wiretapping and electronic surveillance statutes (ECPA-equivalent state laws)
  • Computer crime statutes outside California, New York, and Texas — 47 other states have their own frameworks
  • Whistleblower protections under the Inspector General Act and Whistleblower Protection Act — potential defenses in some Espionage Act cases
  • International trade secret law — EU Trade Secrets Directive, Chinese Anti-Unfair Competition Law → Module 1C

For Non-Technical Readers

Think of it this way: the CFAA is like breaking-and-entering law. It cares about whether you picked the lock or walked through an open door. But there are four more sets of laws that care about entirely different things.

  • The Economic Espionage Act cares about what you took, not how you got in. If you walked into your office, copied your company's secret formula onto a USB drive, and handed it to a competitor, you never "hacked" anything — but you committed a federal crime carrying up to 10 years in prison, or 15 years if a foreign government was involved. A GE engineer who hid turbine specs in a sunset photograph was sentenced to 24 months. A Chinese intelligence officer who did the same work through recruited sources got 20 years.
  • The Espionage Act cares about national security data specifically. It was written in 1917 and has been used against soldiers, contractors, and government employees who shared information about military operations — not because they broke in, but because they transmitted information they weren't supposed to share. Chelsea Manning had authorized access to everything she disclosed. It cost her 35 years, commuted to 7. Reality Winner leaked a single document. She got 63 months. Jack Teixeira posted classified intelligence to a Discord server to impress his friends. He got 15 years.
  • State laws are like building codes: they vary by state, they can be stricter than federal law, and a state inspector (the state AG) can cite you independently of the federal government. California's law, in particular, lets companies sue with no minimum dollar amount in damages — making it a favored tool against scrapers and bots.
  • Trespass to chattels is an old property law theory applied to computers. If you use someone's computer resources without permission and actually slow down or impair their systems, they can sue you — even without invoking any specific computer crime statute. The catch: courts have said you need to show the computer was actually impaired, not just that the company didn't want you there.

The combined lesson: even if you believe your conduct doesn't violate the CFAA, there are four other legal frameworks that may apply. This is why security researchers always need explicit written authorization before probing any system they don't own.
