Reining in overly broad interpretations of the Computer Fraud and Abuse Act

On June 3, the Supreme Court ruled in Van Buren v. United States, a case that considered longstanding concerns about the scope of the Computer Fraud and Abuse Act (CFAA). Van Buren arose from the prosecution under the CFAA of a (now former) police sergeant who, in exchange for an anticipated payment of about $5,000, used a law enforcement computer to run a license plate search. While this action was clearly wrong, was it a violation of the CFAA? In a 6-3 decision authored by Justice Barrett, the U.S. Supreme Court concluded that it was not.

The CFAA, which was enacted in 1986 and has subsequently been amended, subjects anyone (with an exception for “lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency”) who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains” certain types of information to criminal liability. Among other things, the statute criminalizes unauthorized access to information from a “protected computer,” which in turn is defined to include a computer “used in or affecting interstate or foreign commerce or communication.” This language makes “protected computers” of systems that everyday internet users commonly access, including the servers that host websites run by social media companies, news organizations, online gaming companies, and providers of online television, movie, and music streaming services.

A major problem with the CFAA is the ambiguous nature of the statutory language. The term “without authorization” is not defined in the statute. “Exceeds authorized access” is defined, but only in a somewhat circular manner that does little to limit its scope. Many academic papers, commentary pieces, news articles, and amicus briefs have noted that the language of the CFAA, when interpreted overly broadly, can be used to criminalize commonplace uses of computers that most people would consider innocuous.

Suppose, for example, that violating a website’s terms of service is deemed to be a form of exceeding authorized access. As the Electronic Frontier Foundation has pointed out, that would mean that “sharing a social media password” could create criminal liability. Analogous concerns about overcriminalization arise if violations of an employer’s computer-use policy constitute exceeding authorized access. As the Supreme Court explained in Van Buren:

If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So, on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.

The Supreme Court concluded that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” And because Van Buren, the former police sergeant and the petitioner in the case, was authorized to access the license plate database, his improper use of the information in the database may have made him liable for other violations, but it did not create liability under the CFAA.

While Van Buren provides a much-needed check on the CFAA, it left many questions unanswered. Among them is the issue of what constitutes accessing a computer “without authorization” or “exceed[ing] authorized access.” Does this require surmounting a technological barrier designed to limit access, or can it also occur when a user violates access limits specified in a contract or policy? As UC Berkeley law professor Orin Kerr points out in a Twitter thread, the decision is somewhat confusing on this point: Much of the ruling seems to suggest that “authorized access” is defined in technological terms, but the ruling also states in a footnote that “[f]or present purposes, we need not address whether this inquiry turns only on technological (or “code-based”) limitations on access, or instead also looks to limits contained in contracts or policies.”

The upshot is that the risks of overly broad interpretations of the CFAA have not gone away. But, thanks to Van Buren, they are lower than they were before.