The Computer Fraud and Abuse Act ("CFAA") is a Federal criminal statute intended to protect government and other "protected computers" from hacking. Among other things, the CFAA serves as the basis for punishing anyone who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer."[1] But the provision on exceeding authorized access has been extremely controversial, in part because it allows private companies to shape the contours of criminal law through their terms of service. That controversy has led to a split between the Federal circuit courts on the breadth of the provision, one that the Supreme Court has now agreed to decide through Van Buren v. United States, 940 F.3d 1192 (11th Cir. 2019), cert. granted, __ U.S. __ (2020).
In enacting the CFAA in 1986, Congress sought to address the scourge of hackers who had become able to "trespass into" public and private computer systems. The Act, codified at 18 U.S.C. § 1030, included provisions that would protect against "outside" hackers (those who access a computer without authorization) and "inside" hackers (those who exceed authorized access). The CFAA prohibits hackers from accessing government computers, computers used by banking institutions, and "protected computers." Under § 1030(e)(2)(B), however, the term "protected computer" includes any computer "which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States" -- today, any computer linked to the internet. And the term "exceeds authorized access" means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."[2]
The U.S. Courts of Appeals have split on whether a person "exceeds authorized access" if he or she is entitled to access under certain conditions (for example, within their scope of employment), but instead accesses that information for an improper purpose. In the Second, Fourth, and Ninth Circuits, obtaining the information for an improper use would not constitute a violation of the CFAA.[3] In the First, Fifth, Seventh, and Eleventh Circuits, however, there are circumstances under which it may be.[4] Thus, in some states, accessing information for an improper purpose is a crime; in others, it isn't. The Supreme Court's decision will remedy that split.
The "exceeds authorized access" provision is notorious as well because of its part in the death of Aaron Swartz. Mr. Swartz, a coding savant who was one of the founders of Reddit, was a long-time believer in open access to information on the internet. He first downloaded and made public for free 2.7 million documents from PACER, the Federal court filing system that normally charges per page. The Administrative Office of the United States Courts expressed concern that his actions exceed his authorized access. Emboldened by an FBI investigation that led to no criminal charges, Mr. Swartz went to MIT -- which prided itself on its open campus -- and used the school's network to access JSTOR (a digital repository to which he had access as a research fellow at Harvard University) and download hundreds of thousands of academic journal articles with the intent to make them freely available. This time, JSTOR complained that his actions exceeded his authorization under its terms of service and Mr. Swartz was criminally charged. Mr. Swartz was indicted on thirteen counts (including ten under the CFAA) and threatened with 50 years imprisonment in what was later seen as "overcharging" and overzealous prosecution. After the U.S. Attorney refused to budge from a requirement that Mr. Swartz serve time in prison, he died by suicide.
The Van Buren case that the Supreme Court chose to review involves a clear violation of the "exceeds authorized access" provision, if that provision covers situations in which the accesser is entitled to access the information but does so for an improper purpose, and a sordid situation to boot. Nathan Van Buren was a sergeant on the police force of Cumming, Georgia, a small town in the exurbs of Atlanta. Van Buren met Andrew Albo, a widower in his sixties who took an unseemly interest in young women -- including underage girls and prostitutes -- when he was arresting Albo for providing alcohol to a minor. Van Buren was in financial distress and saw an opportunity to shake Albo down. Van Buren asked Albo for a "loan" of over $15,000 for fictitious medical expenses; Albo recorded the request and went to the Forsyth County Sheriff's Office, who involved the FBI. The FBI set up a sting: Albo would tell Van Buren that he had met a woman at a strip club and wanted to make sure she was not a police officer, and would provide Van Buren with money in exchange. Ultimately, Van Buren "ran" the license plate numbers that Albo had gotten from the FBI in the Georgia Bureau of Investigation's Georgia Crime Information Center ("GCIC"). As a police officer, Van Buren was empowered to search the GCIC for official business, but not for personal reasons.
After Van Buren ran the plate numbers in the GCIC, the FBI and GBI showed up at his home. He admitted that he had made up the story about medical expenses, had received money from Albo, ran the license plate search in the GCIC, and knew that what he was doing was wrong. He claimed the money from Albo was a "gift," but when asked if he received anything in exchange for the search, answered, "I mean he did give me $1,000." Van Buren was then indicted, tried, and convicted on one count of honest-services wire fraud and one count of felony computer fraud under the CFAA. Upon appeal, the U.S. Court of Appeals for the Eleventh Circuit vacated the honest-services conviction based on improper jury instructions and remanded that count for re-trial. On the CFAA count, the Eleventh Circuit upheld the conviction, even over a challenge that the CFAA did not encompass misuse of a computer by a person who had authority to access it for other reasons.
In addressing Van Buren's appeal on the CFAA count, the Eleventh Circuit noted that while the appeal was styled as an attack on the sufficiency of the evidence, it was actually a request to overrule the Eleventh Circuit's precedent in United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010). In that case, the defendant had been an employee of the Social Security Administration ("SSA") who accessed the SSA database to find personal information (including the addresses) of his ex-wife, an ex-girlfriend, the ex-girlfriend's father, former co-workers and their family members, and numerous other acquaintances. Rodriguez argued that he had not violated the CFAA because "he accessed only databases he was authorized to use," even if for improper purposes. He argued that the Eleventh Circuit should follow the Fifth and Ninth Circuit decisions, but the Eleventh Circuit disagreed with their interpretation of the language of the statute. The Van Buren court noted that other courts had disagreed with the Rodriguez decision, but it was constrained by the prior-precedent rule to follow the prior Eleventh Circuit holding. Thus, it applied the Rodriguez decision's holding and found that permitted access that was made for an impermissible purpose violated the CFAA.
The question the Supreme Court has been asked to resolve is quite simple: "Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose." The implications, however, are quite far-reaching. The CFAA is both a civil and a criminal statute. On one hand, there should be law -- and preferably, a Federal law -- that prohibits police officers from taking advantage of their positions to obtain information for corrupt purposes. On the other hand, making any improper use of a computer a violation of the CFAA will encompass anyone using their work computer to check sports scores, shop online, or look for a new job. It doesn't seem appropriate that such minor (and common) dalliances should be potentially subject to either criminal or civil liability. But while such a charge would not arise under current DOJ Guidelines and is unlikely for an employer to raise, it is at least a potential outcome that has been raised by certain appellate courts and could result from the Court's consideration of the proper scope of the CFAA.
[1] 18 U.S.C. § 1030(a)(2)(C).
[2] 18 U.S.C. § 1030(e)(6).
[3] See United States v. Valle, 807 F.3d 508 (2d Cir. 2015); WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc).
[4] See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010), cert. denied, 568 U.S. 1163 (2013); Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010). The CFAA questions in EF Cutural Travel and Citrin arose in civil cases, not in the criminal context.
