SCOTUS Limits Reach of Computer Fraud and Abuse Act: Nefarious Reasons Are Not Enough for Criminal Liability
In June 2021, the U.S. Supreme Court resolved an important question about the meaning of provisions prohibiting "unauthorized access" or "exceeding authorized access" to computer systems and databases under the Computer Fraud and Abuse Act of 1986 (CFAA). The Court, in a 6-3 decision in Van Buren v. United States, 141 S. Ct. 1648 (2021), sided with lower courts that found the CFAA does not prohibit accessing data for a purpose other than the purpose for which the user was permitted access in the first place. The decision will have far-reaching consequences for anyone who uses computers to access and retrieve information digitally.
The CFAA subjects to criminal and civil liability anyone who "intentionally accesses a computer without authorization or exceeds authorized access." 18 U.S.C. § 1030(a)(2). The term "exceeds authorized access" means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6).
Everyone agrees that these provisions of the CFAA prohibit traditional hacking done for a malicious purpose—for example, breaking into a computer system by using an illegally obtained password to steal data or encrypt files. They also cover "insider threats"—employees who, for example, have access to a portion of a computer system but who access portions that they are not authorized to access (e.g., restricted systems containing business secrets).
For decades, courts have been divided whether the CFAA also prohibits accessing computer systems or files with permission but for a forbidden reason. Does an employee "exceed[] authorized access" by, for example, downloading materials the employee is allowed to access for work, but with the intent of quitting and taking those materials to another employer?
The facts of Van Buren provide a stark example. A police officer, Nathan Van Buren, was offered $5,000 to check whether someone was an undercover police officer by using a license plate number. Van Buren searched for the number in a license plate database to which he had access, but only for legitimate law enforcement purposes.
In fact, the request was part of a sting operation, and Van Buren was arrested after carrying out the search and offering that he had information to share. Prosecutors charged Van Buren with several crimes, including violations of the CFAA. Van Buren argued that he was authorized to access that database, and the fact he accessed it for an unauthorized reason did not mean he had "exceed[ed] authorized access."
The U.S. Supreme Court agreed. To the majority, the case was simple. The Court relied primarily on the text of the statute, particularly the definition of "exceeds authorized access," to conclude that Van Buren was "entitled" to obtain the material he obtained and in the manner that he obtained it. That he accessed the material for an improper purpose did not change the textual analysis.
The Court also concluded that this reading was more consistent with the overall structure of the CFAA, as it harmonized the analysis under the "without authorization" and "exceeds authorized access" prongs of the statute. Under the majority's reading, both prongs pose a straightforward "gates-up-or-down" inquiry—one either has permission to access a system or part of a system or one does not.
The Court also concluded that the government's reading of the statute would mangle the CFAA's civil liability provisions, reasoning that the statute's civil remedies for "loss" and "damage" are best suited to address the consequences of traditional computer hacking (loss of data, inability to access systems, etc.)—not claims of data "misuse." In fact, the government conceded that the access provisions in the CFAA "prohibit[] only unlawful information 'access,' not downstream information 'misus[e].'"
Finally, the Court noted that "the Government's interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity." "If the 'exceeds authorized access' clause criminalizes every violation of a computer-use policy," the Court explained, "millions of otherwise law-abiding citizens are criminals." Any employee who is authorized to use an employer-supplied computer only for business purposes would, for example, violate the CFAA by sending a personal email.
Van Buren is critically important to a vast array of companies. The decision will limit the ability of some companies to use the CFAA to enforce terms of service that prohibit particular uses of their data as well as the ability to punish employee misconduct.
And the decision is a welcome result for computational journalism. As The Markup, a nonprofit news organization that conducts data-driven investigations into digital technology, argued in its amicus brief in the litigation, a different, broader reading would have infringed on established First Amendment protections for journalists. DWT attorneys Kate Bolger, Jack Browning, and David Gossett represented The Markup in the litigation.
This article was originally featured as a privacy and security advisory on DWT.com on June 08, 2021. Our editors have chosen to feature this article here for its coinciding subject matter.
David M. Gossett and Michael T. Borgia are partners in the Washington, D.C., office of Davis Wright Tremaine. Katherine M. Bolger is a partner and John M. Browning an associate in the New York office of Davis Wright Tremaine.