In a highly anticipated ruling, on June 3, 2021, the U.S. Supreme Court narrowed the scope of the Computer Fraud and Abuse Act’s (“CFAA”) application in Van Buren v. United States. The CFAA prohibits computer hacking and provides for severe criminal penalties when an individual “intentionally accesses a computer without authorization or exceeds [his or her] authorized access.” It was enacted in 1986, amending the first federal computer fraud law—the Comprehensive Crime Control Act of 1984—and has since been amended several times over the years to expand the scope of conduct covered by the law. The CFAA covers any information on any computer “used in or affecting interstate or foreign commerce or communication.” Violations of the CFAA can include fines and imprisonment for up to 10 years for first-time offenders (20 years in some instances for repeat violations). The CFAA also includes a civil enforcement mechanism in which persons suffering “damage” or “loss” as a result of a CFAA violation can sue for money damages and equitable relief.
In Van Buren, the petitioner utilized his position as a police sergeant to run a license plate search in a law enforcement computer database in exchange for money from a third party. There was no dispute that Van Buren’s actions were against the department’s policy, which only permitted access to this database for law enforcement purposes. Van Buren was convicted of violating the CFAA by a jury, and sentenced to 18 months in prison by the District Court. At issue on appeal was the CFAA’s definition of “exceeds authorized access,” which provides “access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.”
Van Buren argued that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they may otherwise rightfully have. The Eleventh Circuit Court of Appeals disagreed with this argument, applying a broader view of the clause, and upholding his conviction because Van Buren had accessed the law enforcement database for an “inappropriate reason.”
In a 6-3 decision, the Supreme Court overturned the Eleventh Circuit’s findings. In doing so, the Court examined closely the meaning and importance of the word “so” from above-described definition: “so to obtain or alter.” Van Buren argued that he was permitted to access the database, and therefore, “entitled so to obtain” the license plate information. The Court utilized an analogy to describe Van Buren’s position:
[I]f a person has access to information stored in a computer—e.g., in “Folder Y,” from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information for a prohibited purpose. But, if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.
The Government agreed that the CFAA uses “so” in the word’s term-of-reference sense, but read the phrase “is not entitled so to obtain” to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. The Court again proffered an analogy for this argument:
An employee might lawfully pull information from Folder Y in the morning for a permissible purpose—say, to prepare for a business meeting—but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purpose—say, to help draft a résumé to submit to a competitor employer.
The Government argued that Van Buren’s reading of the statute renders the word “so” superfluous. The Government stated that “so” adds nothing to the sentence if it refers solely to the earlier stated manner of obtaining the information through use of a computer one has rightfully accessed with authorization. The Government noted that if the word “so” was removed, Van Buren’s argument would remain—a person is liable if they simply obtain information that they were not entitled to obtain. The Court disagreed, noting that Van Buren’s reading did not render “so” superfluous because without “so” the statute would allow individuals to use their right to obtain information in nondigital form as a defense to CFAA liability.
Ultimately, the Court found that Van Buren’s interpretation of “so,” which references the previously stated “manner or circumstance” in the text of § 1030(e)(6) itself—was more plausible than the Government’s. The Court held: “The phrase ‘is not entitled so to obtain’ is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.” The Court reasoned that “the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity” that was neither supported by the text of the statute, or by Congressional intent. The Court noted that under the Government’s interpretation, “an employee who sends a personal email or reads the news using her work computer has violated the CFAA.” In sum, the Court determined that an individual “exceeds authorized access” when he “accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.”
We will continue to monitor web scraping claims brought under the CFAA (including the pending petition for certiorari in the widely followed HiQ v. LinkedIn case ) and provide additional developments as they become available.