The CFAA, he wrote, applies primarily to unauthorized access involving external hackers. The definition of "exceeds authorized access" under the CFAA applies mainly to people who have no authorized access to the computer at all. The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system Applying the language in the CFAA any other way would turn it into a "sweeping Internet-policing mandate," he wrote.

"Consider the typical corporate policy that computers can be used only for business purposes. What exactly is a 'nonbusiness purpose'?" he wrote. "If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii? And if minor personal uses are tolerated, how can an employee be on notice of what constitutes a violation sufficient to trigger criminal liability?"

Kozinski acknowledged that other appellate courts have applied the CFAA more broadly to apply to violations of corporate computer use restrictions or violations of a "duty of loyality". In his opinion, Koznski said he was not persuaded by the decisions of the other courts and insisted that the term "exceeds authorized access" was meant to be applied in a very narrow and specific context.

"Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," he said. "Employees who call family members from their work phones will become criminals if they send an email instead.".

In a dissenting opinion, Circuit Judges Barry Silverman and Richard Tallman wrote that the majority had taken a clearly written federal statute and parsed it in a manner that distorts the original intent.