Today, the Supreme Court issued a long-awaited decision in Van Buren v. United States interpreting the meaning of “exceeds authorized access” under the Computer Fraud and Abuse Act (“CFAA”). The 6-3 majority, led by Justice Barrett and joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh, rejected the Government’s broad definition of this phrase. While the Van Buren majority and dissent provide an excellent workshop on the canons of statutory interpretation, the key takeaway for cyber and privacy practitioners is that motive for access can no longer factor in to the “exceeds authorized access” analysis. As the Court writes: “This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”
In light of this decision, businesses may need to revisit the language of their internal acceptable use policies, employee handbooks, or outward-facing terms of service to find alternative solutions for deterring or penalizing unwanted conduct.
The Facts – Just The Facts
Nathan Van Buren, a former police sergeant, ran a license-plate search in a law enforcement computer database in exchange for money. This use, unsurprisingly, violated his department’s policy, which authorized him to obtain database information only for law enforcement purposes. However, in reversing a jury’s criminal conviction and the Eleventh Circuit, the Supreme Court concluded that this use did not violate the CFAA.
The Court Finds Van Buren Was “Entitled So To Obtain” The Information Under The CFAA.
The CFAA defines “exceeds authorized access” to “mean to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The parties did not dispute that Van Buren “access[ed] a computer with authorization” and “obtain[ed] . . . information in the computer.” Thus, the question was whether, by obtaining the information for a purpose that violated department policy, he was “not entitled so to obtain” the information.
Based on the text of the statute and other similar statutes, the Court concludes “[t]he phrase ‘is not entitled so to obtain’ is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.” In other words, “if a person has access to information stored in a computer—e.g., in ‘Folder Y,’ from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited ‘Folder X,’ to which the person lacks access, he violates the CFAA by obtaining such information.”
The Court Emphasizes The Statutory Distinction Between Accessing Information “Without Authorization” And “Exceed[ing] Authorized Access.”
The Court notes there are two ways of obtaining information unlawfully under CFAA subsection (a)(2): “intentionally access[ing] a computer without authorization or exceed[ing] authorized access.” The Court states these clauses must be interpreted consistently with each other. The “without authorization” clause thus “protects computers themselves by targeting so-called outside hackers—those who access a computer without any permission at all.” In contrast, the “exceeds authorized access” clause protects “certain information within computers.” This clause targets “inside hackers—those who access a computer with permission, but then ‘exceed’ the parameters of authorized access by entering an area of the computer to which that authorization does not extend.” The Court found that the Government’s interpretation would undo this statutory distinction.
The Court Is Concerned With Criminalizing “Commonplace Computer Activity”
The Court bases its decision squarely on the text of the statute and its context. But as “icing on a cake already frosted,” the Court also notes policy arguments against the Government’s interpretation of the CFAA.
If the “exceeds authorized access” clause criminalizes the violation of a computer-use policy, “then millions of otherwise law-abiding citizens are criminals.” The Court points to two examples. In the workplace, there are often policies that state computers and electronic devices can be used only for business purposes. But under the Government’s reading of the CFAA, an employee who sends a personal e-mail or reads the news using her work computer has not just violated company policy but committed a crime as well. Similarly, the Court notes that many websites, services, and databases authorize a user’s access only upon agreement to follow specified terms of service. But under the Government’s interpretation of “exceeds authorized access,” users who violate these terms would not just be breaching a contract but committing a crime.
Questions Remain For Businesses On How To Deter Unwanted Conduct From Employees or Users
In light of this decision, the CFAA may no longer be a tool that businesses can use to deter unwanted cyber conduct by employees who have access to certain systems or by users who have agreed to certain terms of service. At a minimum, companies may need to revisit their internal policies or terms of service to look for creative alternatives for enforcing codes of conduct or acceptable use policies.