On June 3, 2021, in Van Buren v. United States, the Supreme Court resolved the circuit split in favor of the narrow view, placing new limits on criminal prosecutions under the CFAA.
The Computer Fraud and Abuse Act (CFAA) subjects anyone who “intentionally accesses a computer without authorization or exceeds authorized access” to criminal prosecution. 18 U.S.C. § 1030 (a)(2). The statute—enacted in 1986 and originally meant to prosecute hackers—defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. §1030(e)(6). Over the years, a circuit split emerged regarding the definition of “exceeds authorized access.” More expansive readings of “exceeds authorized access” had previously been used in civil actions and in high-profile prosecutions of social media cyberbullies, a Social Security Administration employee and Reddit co-founder Aaron Swartz’s mass download of articles from the JSTOR database.
On June 3, 2021, in Van Buren v. United States, the Supreme Court of the United States resolved the circuit split in favor of the narrow view, placing new limits on criminal prosecutions under the CFAA. In a 6-3 decision authored by Justice Amy Coney Barrett, the Court backed a “gates-up-or-down” approach, holding that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him.” As a result, accessing of authorized areas for improper purposes no longer creates a CFAA violation.
The Underlying Case
In the underlying case, former Georgia police Sergeant Nathan Van Buren was prosecuted for accessing a law enforcement database to look up a particular license plate number in exchange for money. Van Buren used his own, valid credentials to access the database, but in doing so, he violated a department policy prohibiting use of the database for purposes other than police business. Van Buren was eventually charged with and convicted of a felony violation of the CFAA and sentenced to 18 months in prison.
Van Buren appealed his case to the Eleventh Circuit Court of Appeals, arguing that authorized access for an unauthorized purpose did not violate the exceeds authorized access clause. In reliance on prior Eleventh Circuit precedent, the Court of Appeals upheld his conviction, reasoning that Van Buren violated the CFAA by accessing the database for an “inappropriate reason.” The Supreme Court granted Van Buren’s petition for certiorari.
The Court’s Concerns About Criminalization of Common Activities
In overturning Van Buren’s conviction, Justice Barrett’s opinion noted that most workplaces have policies limiting computer use to business purposes; so, under an expansive definition of “exceeds authorized access,” anyone who agrees to such a policy and then sends a personal email or reads the news from his work computer will have committed a felony violation of the CFAA. The opinion also noted that many websites require users to agree to detailed terms of service as a condition of access, and that the expansive reading would thus “criminalize everything from embellishing an online-dating profile to using a pseudonym on [social media].” Faced with this reality, Justice Barrett concluded that, “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.”
Important Questions Remain Unanswered, but the Court Provides Clues
Prior to this decision, numerous scholars and tech luminaries have noted the chilling effect created by the expansive reading of the exceeds authorized access clause, particularly as applied to the CFAA’s parallel civil enforcement provisions. The Van Buren opinion does not definitively resolve the question of whether unauthorized access must be barred by a hardware or software gateway or if activity can become unauthorized merely through a contractual ban. Largely for that reason, the practical effects on the civil enforcement provisions remain to be seen.
Justice Barrett’s heavy reliance on the expansive reading’s real world effects, however, provides clues to future rulings interpreting the CFAA. All five of the newest justices and Justice Breyer joined to limit the CFAA’s application based in large part on the real world conditions regarding terms of service and employee computer-use policies.
What the Ruling Means for Companies
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .