Supreme Court Narrowly Interprets CFAA to Avoid Criminalizing “Commonplace Computer Activity”
On June 3, 2021, the United States Supreme Court issued a 6-3 opinion in Van Buren v. United States, No. 19-783, resolving the circuit split regarding what it means to “exceed authorization” for purposes of the Computer Fraud and Abuse Act (the “CFAA”). The Court held that only those who obtain information from particular areas of the computer which they are not authorized to access can be said to “exceed authorization,” and the statute does not—as the government had argued—cover behavior, like Van Buren’s, where a person accesses information which he is authorized to access but does so for improper purposes.
As we previously reported, the CFAA provides for both criminal and civil penalties for accessing a computer “without authorization” or in a manner “exceeding authorized access.” 18 U.S.C. § 1030(a)(2). “[E]xceeds authorized access” is defined as “access[ing] a computer with authorization and . . . us[ing] such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” Id. § 1030(e)(6).
Prior to the Court’s decision, the United States Courts of Appeal were split on how to interpret the “exceeding authorized access” language. On one hand, the Second, Fourth, and Ninth Circuits criminalized only unauthorized access to a computer system, regardless of the purpose of that use. The First, Fifth, Seventh, and Eleventh Circuits, by contrast, more broadly interpreted the text to include misuse of data, even if the offender gains access to the information permissibly. In those Circuits, a person violated the CFAA simply by downloading information from a database they were authorized to use, but did so for an impermissible reason.
As a reminder, in the case before the Court, a police sergeant named Nathan Van Buren used his patrol-car computer to access the law enforcement database—a database which he indisputably had authority to access. However, his search for information was done in exchange for money from an acquaintance and was not for law enforcement purposes; it was therefore in violation of departmental policy. The Court noted, however, that the relevant question was not whether Van Buren “exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines the phrase.” The Court held that he did not, adopting the narrower reading of the statute advocated by Van Buren.
Justice Barrett’s opinion first engaged in a textualist analysis of the definition of the word “so” and its status as a qualifier for the word “entitled.” She wrote that “[t]he disputed phrase ‘entitled so to obtain’ thus asks whether one has the right” to access information one is not allowed to obtain by using a computer that he is authorized to access. Justice Barrett stated that while the Court’s decision was driven by the text of the statute, the government’s proposed reading of the statute also had to be rejected as untenable because it “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” In other words, the “exceeds authorized access” clause would criminalize every violation of a computer-use policy, creating criminals out of “millions of otherwise law-abiding citizens” who are, for example, sending personal e-mails or reading the news on work computers. These real-world implications are likely what drove the Court’s three liberal justices to join Justices Barrett, Kavanaugh, and Gorsuch in the majority opinion.
The dissent, written by Justice Thomas and joined by Chief Justice Roberts and Justice Alito, focused on the term “entitled,” and how Van Buren by the plain meaning of the word was not “entitled” to the information because “proper grounds” to obtain it did not exist. The dissent also noted that the majority’s reading was at odds with basic tenants of property law, and that much of the Federal Code already criminalizes common activity, such as taking a grain of sand from the National Mall or permitting a horse to eat federal land grass. In the dissent’s view, being uncomfortable with criminalizing conduct, therefore, did not give the Court authority to alter the plain meaning of the statute.
* * *
The key takeaway from this decision is that if an employee uses his or her credentials to access “information located in particular areas of the computer” he or she is entitled to access, that behavior will not violate the CFAA, even if the reason for doing so is personal, in violation of company policy, or otherwise improper.
The court essentially interpreted the CFAA as a prohibition on a person breaking into a computer system as an outside hacker (“without authorization”) or as an authorized user exceeding the scope of her authorization by accessing data in a gated part of that system. Future analysis will therefore turn on what the person accessed and not the reasons why. Beyond federal prosecution, the Court’s holding will impact a company’s ability to bring civil claims against its users—who are authorized to access their platforms—under the CFAA for disobeying company policy or their terms of service. However, companies can and should still deter such behavior by having explicit and well-drafted policies in place.