While there are efforts afoot to broaden the impact and reach of US law on hackers, particularly with the US Department of Justice (the DOJ) planning to coordinate ransomware attack investigations using protocols similar to those it uses for terrorism cases, and with members of Congress attempting to extend to private citizens the right to sue foreign governments for hacks,¹ the United States Supreme Court has adopted a narrower interpretation of the Computer Fraud and Abuse Act (the CFAA), the US’s main anti-hacking statute.
Given the DOJ’s emphasis on investigating and prosecuting cybercrimes, and the need to update aging statutes when it comes to cybersecurity, it is possible that Congress will make a legislative proposal to amend the CFAA in response to the Court’s decision, perhaps even in a package of other reforms. The decision, moreover, leaves open certain questions, such as whether and how the CFAA’s private right of action can be used going forward in civil web-scraping cases. Accordingly, it remains important to stay abreast of this and other fast-moving developments on data protection.
Former circuit split
Last amended in 2008, the CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization, but it does not define either of these terms. 18 U.S.C. § 1030(a)(2). As technology has advanced, the courts have differed on the definitions, resulting in a circuit split. The First, Fifth, Seventh, and Eleventh Circuits previously held that using a computer to access information that you are legitimately authorized to access, but doing so for an improper or unauthorized purpose, is a violation of the CFAA. The Second, Fourth, and Ninth Circuits, however, held that a violation of the CFAA only occurs if you access information on a computer that you are prohibited from accessing. The Supreme Court granted certiorari to hear Van Buren to finally define the CFAA’s ambiguous language and settle the dispute. 140 S. Ct. 2667.
Nathan Van Buren’s conviction
This issue finally reached SCOTUS on the conviction of a police sergeant from Cumming, Georgia, who the government argued had abused his authorized access to the Georgia Crime Information Center database by taking money to find out information for a local man. United States v. Van Buren, 940 F.3d 1192, 1197 (11th Cir. 2019). At trial, Van Buren moved for acquittal, arguing he had not exceeded authorized access as meant by § 1030(a)(2) of the CFAA. Id. at 1198. The district court rejected the motion, and the Eleventh Circuit affirmed the conviction. Id. at 1210. The Supreme Court heard argument on November 30, 2020. See our prior alert regarding the oral argument here.
The Supreme Court’s ruling
In a 6-3 opinion written by Justice Amy Coney Barrett, the Supreme Court held that an individual who uses an authorized computer to access permissible areas of the computer—such as files, folders, and databases—does not violate the “exceeds authorized access” clause of the CFAA, even if the individual uses the accessed information for a prohibited purpose. Van Buren v. United States, No. 19-783, 2021 WL 2229206 (US June 3, 2021). The Court ruled that the government’s broader interpretation of the statute “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” Id. at *11.
“If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals,” reasoned the majority. Van Buren, 2021 WL 2229206, at *11. “Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.” Id.
The Court also considered the implications of a broader reading to the Internet, discussing the many websites, services, and databases that authorize a user’s access only upon the agreement to follow specified terms of service. Van Buren, 2021 WL 2229206, at *11. Interpreting “exceeds authorized access” as incorporating the purpose for such access might encompass violations of such terms of service. Id.
Finally, the Court stated that the government’s approach “would inject arbitrariness into the assessment of criminal liability.” Van Buren, 2021 WL 2229206, at *12. Because purpose-based limits on access are often designed with an eye toward information misuse, they can be expressed as either access (prohibiting accessing such information for certain purposes) or use (prohibiting the use of information for certain purposes) restrictions. The government’s reading of the CFAA would render such conduct a violation only if the employer phrased the policy as an access restriction. The Court concluded, “An interpretation that stakes so much on a fine distinction controlled by the drafting practices of private parties is hard to sell as the most plausible.” Id.
Given the DOJ’s increasingly assertive role in combatting cybercrime, some of the gaps foreign hackers are exploiting in existing US law, and a Congress looking for ways to strengthen cybersecurity laws and authorities, it is possible that Congress will seek legislative relief from the Van Buren ruling among a broader package of reforms. The decision also has implications for civil web-scraping cases, which involve the unwanted scraping of publicly available website data, as the CFAA’s private right of action is commonly invoked in such cases. This space is therefore an important one to continue to watch.
1 See Michael Bahar, Ulyana Bardyn, and Allison B. Bailey, Getting Back When HACT: Congress’s idea to provide redress to recent cyberattacks, Eversheds Sutherland, https://us.eversheds-sutherland.com/NewsCommentary/Legal-Alerts/241648/Getting-back-when-HACT-Congresss-idea-to-provide-redress-to-recent-cyberattacks (March 6, 2021).