Second, Trump Jr. also appears to admit to his access being “intentionally . . . without authorization.” Wikileaks had told him that it was a guessed password, that is, not a password that Wikileaks had been authorized to use. There are some controversial uses of the Computer Fraud and Abuse Act, as the government has occasionally tried to use it in ways that really stretch the notion of unauthorized access. But using a guessed password is a classic case of access without authorizaton under the CFAA. See, e.g., United States v. Morris, 928 F.2d 504, 510 (2d Cir. 1991) (access without authorization established in light of “evidence that the worm was designed to gain access to computers at which he had no account by guessing their passwords”). See also Orin S. Kerr, Computer Crime Law 48 (4th ed. 2018) (“Guessing a password is something like picking a physical lock, and using a stolen password is something like making a copy of the key and using it without the owner’s permission. Indeed, bypassing password gates using stolen or guessed passwords is a common way to ‘hack’ into a computer.”)

It might also be worth pointing out that the access by Trump Jr. might be legally unauthorized even if Wikileaks was an authorized account holder and wished to allow Trump to use its account, at least according to some authority. See United States v. Nosal, 844 F.3d 1024 (9th Cir. 2016). But we don’t have to consider that theory of liability, as here it’s pretty clear that Wikileaks was not an authorized account holder itself.