CFAA vs. UK Computer Misuse Act: Hacking Laws Compared


Different countries, same bottom line: don’t touch what you don’t own. Here’s how the U.S. Computer Fraud and Abuse Act (CFAA) and the UK Computer Misuse Act (CMA) line up—so you can learn, test, and build your portfolio without stepping on legal landmines.

Disclaimer: The information in this article is provided for educational and informational purposes only and does not constitute legal, financial, or professional advice. All content is offered “as-is” without warranties of any kind. Readers are solely responsible for how they choose to use this information and must ensure that any actions comply with all applicable local, national, and international laws and regulations. We expressly disclaim liability for any losses, damages, or consequences that may arise from misuse or misinterpretation of this material. Always apply the information only within authorized, ethical, and legal contexts.

For more details, see our Terms of Service.

TL;DR: Permission is the whole game

Both laws criminalize unauthorized access. The CFAA (U.S.) and CMA (UK) differ in wording and penalties, but the practical rule for ethical hackers is identical: get explicit written authorization and stay in scope. No scope, no testing—period.

At a glance

| Topic | CFAA (U.S.) | CMA (UK) |
|---|---|---|
| Core offense | Unauthorized access or exceeding authorized access (18 U.S.C. §1030) | Unauthorized access; unauthorized access with intent to commit further offenses (CMA 1990) |
| Civil suits | Yes, private civil action available | Primarily criminal enforcement |
| Penalties | Fines + imprisonment; scales with damage/fraud | Fines + imprisonment; tiered by sections (s1–s3ZA) |
| Ambiguities | Historic debates over TOS violations and “exceeding access” | Broad “unauthorized” language; clear offense tiers |
| Safe learning | Self-owned lab / authorized programs (bug bounties) | Same: self-owned lab / authorized programs |

Sources: Cornell LII (CFAA), legislation.gov.uk (CMA).

Scope, definitions, and why wording matters

CFAA (U.S.)

  • Unauthorized access or exceeding authorized access (using valid creds to reach data you’re not permitted to access) can trigger liability.
  • Allows criminal charges and civil lawsuits by private parties.
  • Practical takeaway: employer permission ≠ blanket access. Scope matters.

CMA (UK)

  • Section 1: Unauthorized access. Sections 2 and 3: unauthorized access with intent to commit further offenses, and unauthorized acts that impair systems.
  • Section 3ZA increases penalties where serious damage or national security risk is involved.
  • Practical takeaway: any access without permission is risky—even “just looking.”

For beginners: the law doesn’t care that you were “only scanning.” If it’s not your box, or a target explicitly authorized through a program (such as a bug bounty or VDP), don’t touch it. Learn safely with self-contained labs and authorized platforms.

Penalties (high level)

Both regimes scale penalties based on damage, intent, and prior behavior. In the U.S., civil actions can pile on; in the UK, the charge tier (s1–s3ZA) determines gravity. Either way: don’t gamble. Your lab is where you break things.

Read more: U.S. DOJ Criminal Division, CPS Guidance (UK).

Grey areas you should treat as red

  • Terms of Service vs. authorization: Inconsistent U.S. case law historically muddied whether TOS breaches alone trigger CFAA. Don’t rely on ambiguity—seek written permission.
  • Employee access: Using legitimate creds to browse out-of-scope data is a fast path to “exceeding access.”
  • Publicly exposed services: “It’s on the internet” ≠ authorization to probe. Discovery is not consent.
  • Cross-border testing: Jurisdiction follows the data, the target, and your location. If it spans the U.S./UK, you inherit both risk models.

Background reading: EFF on CFAA, NCSC Penetration Testing Collection.

Authorized testing: bug bounties, VDPs, and labs

If you want real targets legally, use programs that grant authorization by design: HackerOne, Bugcrowd, or a company’s VDP (vulnerability disclosure program). Read the scope like a contract.

For skill-building, keep it in the dojo: TryHackMe, HackTheBox, or your own isolated targets (see my Metasploitable & DVWA setup).

For businesses and recruiters: what to look for

Businesses

  • Write down authorization and scope before any testing.
  • Separate production from training labs.
  • Use recognized providers for pen tests and bounties.

Recruiters

  • Look for candidates who cite CFAA/CMA responsibly.
  • Portfolio artifacts: scoped reports, lawful writeups, reproducible steps.
  • Signals of judgment: uses labs, bounties, VDPs—not random internet targets.

Practical checklist before you test anything

  1. Do I have written authorization (or platform-level authorization) for this target?
  2. Is my scope documented (hosts, subnets, time window, techniques)?
  3. Is my environment isolated (host-only/NAT; no accidental spillover)?
  4. Am I logging actions and preparing a professional report?
  5. Is there a disclosure path (VDP/bug bounty) if I find something?


Where to go next

Build skills without risk: Safe Hacking Practice, CFAA Explained, Bug Bounty Basics, and Metasploitable & DVWA Setup. Practice in the dojo, not in the wild.

Spot an error or a better angle? Tell me and I’ll update the piece. I’ll credit you by name—or keep it anonymous if you prefer. Accuracy > ego.


Mason Goulding · Founder, Maelstrom Web Services

Builder of fast, hand-coded static sites with SEO baked in. Stack: Eleventy · Vanilla JS · Netlify · Figma

With 10 years of writing expertise, and currently pursuing advanced studies in computer science and mathematics, Mason blends human behavior insights with technical execution. His Master’s research at CSU–Sacramento examined how COVID-19 shaped social interactions in academic spaces — see his thesis on Relational Interactions in Digital Spaces During the COVID-19 Pandemic. He applies his unique background and skills to create successful builds for California SMBs.

Every build follows Google’s E-E-A-T standards: scalable, accessible, and future-proof.