UCLA-LAW-260 CYBER LAW COMPREHENSIVE EXAM
PREDICTOR 2026/2027 Q&A
1. Which of the following best describes the primary legal standard
established by the Fourth Amendment for warrantless searches of
electronic data stored on cloud servers?
A. The reasonable suspicion standard applied to all digital
communications
B. The third-party doctrine, which holds that no reasonable
expectation of privacy exists for data voluntarily shared with third
parties
C. The exigent circumstances exception, which applies only to
physical evidence
D. The good faith exception, which automatically validates all digital
searches by law enforcement
Correct Answer: B
Explanation: The third-party doctrine, established in cases like
Smith v. Maryland (1979) and applied to electronic data, holds that
individuals lack a reasonable expectation of privacy for information
voluntarily conveyed to third parties (e.g., cloud providers). Options
A, C, and D mischaracterize Fourth Amendment standards for
digital data.
2. Under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030,
which of the following actions would MOST likely constitute
"exceeding authorized access"?
A. An employee accessing public company website information
B. A former employee using retained credentials to access the
company network after termination
C. An individual viewing publicly available social media profiles
D. A hacker deploying malware to infiltrate a server from outside the
network
Correct Answer: B
, Explanation: The CFAA prohibits exceeding authorized access,
which includes accessing a computer with authorization but using
that access to obtain or alter information the accessor is not entitled
to. Option B fits this definition as the former employee's
authorization was terminated. Option D involves "without
authorization" rather than "exceeding authorized access." Options A
and C involve public information.
3. The "right to be forgotten" under Article 17 of the EU General Data
Protection Regulation (GDPR) most directly conflicts with which U.S.
legal principle?
A. TheENZA requirement for data minimization
B. The First Amendment protection of free speech and press
C. The Securities and Exchange Commission's disclosure rules
D. The Federal Trade Commission's unfair deception standards
Correct Answer: B
Explanation: The GDPR right to be forgotten requires deletion of
personal data, which can conflict with U.S. First Amendment
protections that prevent government-mandated suppression of
information, particularly news and public records. Options A, C,
and D represent other regulatory frameworks not directly conflicted
by this right.
4. In the context of digital intermediary liability, Section 230 of the
Communications Decency Act provides which of the following
protections?
A. Absolute immunity from all criminal liability for online platforms
B. Protection from liability for third-party content posted on their
platforms, except in limited federal criminal exceptions
C. Mandatory content removal obligations for all illegal material
D. Liability for platforms that knowingly facilitate copyright
infringement
Correct Answer: B
Explanation: Section 230(c)(1) shields interactive computer services
, from liability for third-party content as publishers, with exceptions
for federal criminal law, intellectual property, and certain sexual
exploitation cases. Option A is incorrect because Section 230 doesn't
cover criminal liability. Option C contradicts Section 230's purpose.
Option D describes DMCA liability, not Section 230.
5. Which Supreme Court case established that the government must
obtain a warrant to search cell site location information (CSLI)
collected by wireless carriers?
A. Smith v. Maryland (1979)
B. United States v. Jones (2012)
C. Carpenter v. United States (2018)
D. Riley v. California (2014)
Correct Answer: C
Explanation: Carpenter v. United States (2018) held that the Fourth
Amendment requires a warrant for CSLI, rejecting the third-party
doctrine application to this historical location data. Smith v.
Maryland established the third-party doctrine. Jones involved GPS
tracking on a vehicle. Riley addressed cell phone searches during
arrest.
6. Under the Digital Millennium Copyright Act (DMCA), what is the
primary requirement for a copyright holder to obtain a subpoena
requiring an ISP to disclose the identity of an alleged infringer?
A. Proof that the infringer has committed willful copyright violation
B. A proper notice of infringement and a completed copyright
infringement complaint
C. Demonstration that the ISP failed to implement reasonable
security measures
D. Evidence that the infringer is a commercial entity rather than an
individual
Correct Answer: B
Explanation: DMCA § 512(h) allows copyright holders to obtain a
subpoena for infringer identity by submitting a proper notification
, of infringement and completing the required complaint form.
Options A, C, and D are not statutory requirements for DMCA
subpoenas.
7. The "specialized knowledge" exception to the CFAA, as interpreted in
Van Buren v. United States (2021), limits the statute's application to:
A. Individuals who possess technical expertise in computer systems
B. Those who access computers for improper purposes regardless of
authorization
C. Situations where the accessor has a clear purpose limitation on
their authorized access
D. Cases involving government employees accessing classified
information
Correct Answer: C
Explanation: Van Buren held that the CFAA's "exceeds authorized
access" provision applies only when access itself is restricted, not
when someone with authorized access uses it for improper purposes.
This narrows CFAA to clear purpose limitations. Options A, B, and D
misinterpret the Supreme Court's ruling.
8. Which of the following best describes the legal standard for
determining whether online speech constitutes "incitement" under
the First Amendment?
A. The speech must be likely to cause immediate unlawful action and
be directed to producing such action
B. The speech must contain explicit threats of violence
C. The speech must be posted on a platform with more than 10,000
followers
D. The speech must reference specific criminal statutes
Correct Answer: A
Explanation: The Brigns v. United States (1969) standard requires
that inciting speech be "directed to inciting or producing imminent
lawless action" and "likely to incite or produce such action." Options
B, C, and D are not required elements of the incitement doctrine.
PREDICTOR 2026/2027 Q&A
1. Which of the following best describes the primary legal standard
established by the Fourth Amendment for warrantless searches of
electronic data stored on cloud servers?
A. The reasonable suspicion standard applied to all digital
communications
B. The third-party doctrine, which holds that no reasonable
expectation of privacy exists for data voluntarily shared with third
parties
C. The exigent circumstances exception, which applies only to
physical evidence
D. The good faith exception, which automatically validates all digital
searches by law enforcement
Correct Answer: B
Explanation: The third-party doctrine, established in cases like
Smith v. Maryland (1979) and applied to electronic data, holds that
individuals lack a reasonable expectation of privacy for information
voluntarily conveyed to third parties (e.g., cloud providers). Options
A, C, and D mischaracterize Fourth Amendment standards for
digital data.
2. Under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030,
which of the following actions would MOST likely constitute
"exceeding authorized access"?
A. An employee accessing public company website information
B. A former employee using retained credentials to access the
company network after termination
C. An individual viewing publicly available social media profiles
D. A hacker deploying malware to infiltrate a server from outside the
network
Correct Answer: B
, Explanation: The CFAA prohibits exceeding authorized access,
which includes accessing a computer with authorization but using
that access to obtain or alter information the accessor is not entitled
to. Option B fits this definition as the former employee's
authorization was terminated. Option D involves "without
authorization" rather than "exceeding authorized access." Options A
and C involve public information.
3. The "right to be forgotten" under Article 17 of the EU General Data
Protection Regulation (GDPR) most directly conflicts with which U.S.
legal principle?
A. TheENZA requirement for data minimization
B. The First Amendment protection of free speech and press
C. The Securities and Exchange Commission's disclosure rules
D. The Federal Trade Commission's unfair deception standards
Correct Answer: B
Explanation: The GDPR right to be forgotten requires deletion of
personal data, which can conflict with U.S. First Amendment
protections that prevent government-mandated suppression of
information, particularly news and public records. Options A, C,
and D represent other regulatory frameworks not directly conflicted
by this right.
4. In the context of digital intermediary liability, Section 230 of the
Communications Decency Act provides which of the following
protections?
A. Absolute immunity from all criminal liability for online platforms
B. Protection from liability for third-party content posted on their
platforms, except in limited federal criminal exceptions
C. Mandatory content removal obligations for all illegal material
D. Liability for platforms that knowingly facilitate copyright
infringement
Correct Answer: B
Explanation: Section 230(c)(1) shields interactive computer services
, from liability for third-party content as publishers, with exceptions
for federal criminal law, intellectual property, and certain sexual
exploitation cases. Option A is incorrect because Section 230 doesn't
cover criminal liability. Option C contradicts Section 230's purpose.
Option D describes DMCA liability, not Section 230.
5. Which Supreme Court case established that the government must
obtain a warrant to search cell site location information (CSLI)
collected by wireless carriers?
A. Smith v. Maryland (1979)
B. United States v. Jones (2012)
C. Carpenter v. United States (2018)
D. Riley v. California (2014)
Correct Answer: C
Explanation: Carpenter v. United States (2018) held that the Fourth
Amendment requires a warrant for CSLI, rejecting the third-party
doctrine application to this historical location data. Smith v.
Maryland established the third-party doctrine. Jones involved GPS
tracking on a vehicle. Riley addressed cell phone searches during
arrest.
6. Under the Digital Millennium Copyright Act (DMCA), what is the
primary requirement for a copyright holder to obtain a subpoena
requiring an ISP to disclose the identity of an alleged infringer?
A. Proof that the infringer has committed willful copyright violation
B. A proper notice of infringement and a completed copyright
infringement complaint
C. Demonstration that the ISP failed to implement reasonable
security measures
D. Evidence that the infringer is a commercial entity rather than an
individual
Correct Answer: B
Explanation: DMCA § 512(h) allows copyright holders to obtain a
subpoena for infringer identity by submitting a proper notification
, of infringement and completing the required complaint form.
Options A, C, and D are not statutory requirements for DMCA
subpoenas.
7. The "specialized knowledge" exception to the CFAA, as interpreted in
Van Buren v. United States (2021), limits the statute's application to:
A. Individuals who possess technical expertise in computer systems
B. Those who access computers for improper purposes regardless of
authorization
C. Situations where the accessor has a clear purpose limitation on
their authorized access
D. Cases involving government employees accessing classified
information
Correct Answer: C
Explanation: Van Buren held that the CFAA's "exceeds authorized
access" provision applies only when access itself is restricted, not
when someone with authorized access uses it for improper purposes.
This narrows CFAA to clear purpose limitations. Options A, B, and D
misinterpret the Supreme Court's ruling.
8. Which of the following best describes the legal standard for
determining whether online speech constitutes "incitement" under
the First Amendment?
A. The speech must be likely to cause immediate unlawful action and
be directed to producing such action
B. The speech must contain explicit threats of violence
C. The speech must be posted on a platform with more than 10,000
followers
D. The speech must reference specific criminal statutes
Correct Answer: A
Explanation: The Brigns v. United States (1969) standard requires
that inciting speech be "directed to inciting or producing imminent
lawless action" and "likely to incite or produce such action." Options
B, C, and D are not required elements of the incitement doctrine.
