In Van Buren v. U.S., Supreme Court Clarifies Scope of CFAA, the Federal Anti-Hacking Statute

In Van Buren v. United States, the Supreme Court has issued its first ever opinion interpreting the Computer Fraud and Abuse Act.  The CFAA, originally conceived as an anti-hacking statute, broadly prohibits, and imposes civil and criminal penalties for, accessing computers or computer systems “without authorization” or in a way that “exceeds authorized access.”  18 U. S. C. §1030(a)(2).  The question before the Court was how far CFAA liability extends under that latter clause—“exceeds authorized access.”  Does it apply merely to those allowed to obtain information from some parts of computer systems but not others?  Or does it apply broadly to people who are allowed to access a computer system but do so to obtain information for improper purposes?  For a number of reasons, the Court rejected the broader interpretation and adopted the narrower one.

So, what does that mean?

This may all seem a bit abstract.  But the Court’s opinion has sweeping implications for everyday life.  The more expansive reading, the Court wrote, could have criminalized “a breathtaking amount of commonplace computer activity,” including employees who use their work computers to send a personal email or check the news in violation of workplace policies limiting computer access to business-purpose only.  It could also have applied to violations of website terms of service—those use restrictions websites impose, which barely anyone ever reads but agrees to implicitly or by click-through agreements.  Justice Barret cited amici arguments that the broad CFAA reading could “criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.”  Slip Op. at 18.

The case itself was about a former police officer who allegedly committed a felony violation of the CFAA when he ran a search in a law enforcement license plate database in exchange for money in violation of police policies requiring that the database be used for law enforcement purposes only.  Because the officer allegedly misused his access privileges in violation of that policy, his conduct was deemed criminal under the CFAA’s broader interpretation.  But the Court held that the Computer Fraud and Abuse Act did not “cover” people like the officer who “have improper motives for obtaining information that is otherwise available to them.”

What does this mean for the rest of us?

Some clues emerge after one navigates the opinion’s thicket of textualist analysis.  (I will spare you the gory details, but it suffices to say that textualism is having its day at the Supreme Court when several pages of an opinion about a computer fraud statute are dedicated to dictionary arguments about the meaning of the word “so.”)

First, employees can rest easier knowing that, for example, online shopping on work computers, though still possibly a violation of workplace electronic device policies, likely won’t turn them into CFAA criminals.  The Court rejected the government’s arguments for an expansive CFAA on grounds that it might penalize employees who use their work electronics for non-business purposes in violation of workplace device policies.

Second, the Court’s opinion seemingly puts to rest the hot-button issue about whether the CFAA penalizes website terms of service violations—the Court says it does not.  The more expansive CFAA interpretation might have swept in innocuous violations—the embellished online dating profile, for instance—as well as other activities that have been the subject of past litigation, such as prohibitions against data-scraping.  The Court’s opinion suggests that the CFAA can no longer be interpreted to penalize website terms of service violations.

Third, the Court’s narrower interpretation necessarily takes enforcement authority and discretion away from federal prosecutors.  The government tried arguing that its charging policies offered sufficient protections because they instructed prosecutors that charges may not be warranted when a suspect has merely violated access restrictions in contractual agreements or website terms of service.  The Court took no comfort in the permissive “may not” language and observed that that the government’s approach “would inject arbitrariness into the assessment of criminal liability.” Slip Op. 19.

Fourth, the Court’s opinion, in purporting to resolve a Circuit split, seems to have nationalized the narrower CFAA interpretation, thereby overruling CFAA precedent in the First, Fifth, Seventh, and Eleventh Circuits, and thus potentially changing the rules of the road in many states in New England, the Midwest, and the South (from Texas to Florida).

Time will tell whether Van Buren has meaningfully changed CFAA enforcement, but at least for now it seems that the Supreme Court has shut the door on expansive CFAA penalties for otherwise commonplace computer activity.  We’ll keep you posted as Van Buren works its way through the lower federal courts.

Leave a Reply

Your email address will not be published. Required fields are marked *