On November 30, 2020, the Supreme Court held oral argument in Van Buren v. United States to determine the scope of criminal liability under the Federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030. The court’s decision may resolve a circuit split and have far-reaching implications for the scope of civil and criminal liability under the CFAA. The key point of dispute under the CFAA is whether a person “exceeds authorized access” of a computer (1) only by accessing the computer as an unauthorized person, or (2) more broadly by using the computer for unpermitted uses, even when otherwise permitted to access the computer. The First, Fifth, Seventh, and Eleventh Circuits have broadly interpreted “exceeds authorized access” to cover access that takes place for an improper purpose, whereas the Second, Fourth, and Ninth Circuits have narrowly interpreted unauthorized access to require a lack of any authorization. For example, under the broad interpretation at dispute before the Supreme Court, an employee who is authorized to access a work computer to carry out certain tasks for employment may still be liable under the CFAA if the employee uses the office computer to download confidential information for non-employment purposes.
Factual and Procedural Background
The petitioner, Van Buren, was a police officer in Cumming, Georgia, who accepted payment from a non-law enforcement acquaintance in exchange for providing information that Van Buren accessed from a vehicle database available only to law enforcement. In order to receive credentials to access the database, Van Buren completed training that explained officers were authorized to search the database only for law enforcement purposes. At trial, a jury found Van Buren guilty of violating the CFAA, and the Federal Court of Appeals for the Eleventh Circuit affirmed.
In briefing on appeal to the Supreme Court, Van Buren argued that the CFAA should be interpreted narrowly to criminalize only obtaining information that an individual is not entitled to access for any purpose. According to Van Buren, extending the CFAA to criminalize unauthorized use of a computer by an otherwise authorized user would produce a parade of horribles that would criminalize even the tiniest of infractions of user agreements, including those imposed by click-through terms-of-use agreements.
The government rebutted that an interpretation of the CFAA that criminalizes unauthorized use of computers is not overly broad, because such authorizations are “specific” to a user, and failing to criminalize such behavior would allow someone with minimal use privileges to misuse systems or steal information that is beyond their authorization. The government argued that statutory and legislative history supported its broad interpretation, citing a 1986 amendment to the statute that added the disputed phrase “exceeds authorized access” and accompanying congressional reports that purportedly explained the change did not narrow the statute’s coverage.
Both the Van Buren and the government disputed the CFAA’s definition of the “exceeds authorized access” under 18 USC 1030(e)(6):
the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter
In particular, the parties disputed the scope of “entitled so to obtain.” The government argued that an individual is “entitled so” to do something only when he has been granted to right to do it in a particular manner or circumstance. To support this interpretation, the government cited to Black’s Law Dictionary that defined “so” as “[i]n the same manner as has been stated; under this circumstance; in this way, referring to something which is asserted” and to Webster’s Third International Dictionary that defined “so” as “in a manner or way that is indicated or suggested.”
Van Buren argued that the ordinary meaning of the word “entitle” is “to give a right” and therefore “entitled so” refers to being given a right to “access a computer with authorization.” Van Buren further argued that even under the government’s interpretation of the term “so,” the manner of access refers to “access a computer with authorization,” without further qualifications on that scope of access.
The justices actively questioned both parties about the statutory text, the limits of “exceeds authorized access” and the impact of Supreme Court precedent.
Justices Sotomayor, Kagan, and Barrett asked the government about how its interpretation of the word “so” in the statutory definition of authorized access conferred implied limits on use, given the parties’ vastly different interpretations.
Justices Kavanaugh and Barrett both queried whether the statute’s usage of the different terms “exceeds authorization” versus “without authorization” implied different scopes that could support the government’s proposed interpretation. Justice Alito suggested that additional briefing might be helpful to provide clarity on the meaning of “authorized” and “authorization” under the statute.
Several of the justices expressed concern about whether a broad interpretation of the CFAA would result in criminalization of minor acts. Justice Gorsuch asked the petitioner whether other criminal statutes could have taken the place of the alleged infractions of the CFAA. Justice Alito expressed concern about over-criminalization during questioning of both the petitioner and the government.
Chief Justice Roberts in particular asked whether the Court’s decision in Musacchio v. United States, 136 S. Ct. 709, 713 (2016) already recognized “obtaining access with authorization but then using that access improperly.” The petitioner replied that Musacchio did not address the specific question before the Court and Musacchio instead provided a nonbinding summary of the CFAA.
What To Expect
The Supreme Court’s opinion in Van Buren will likely be issued in the first half of 2021, before the Court’s summer recess. The Court’s ruling on the scope of “authorized access” in the CFAA has the potential to impact civil liability under the CFAA and more broadly the interpretation of various state statutes. For example, the Florida CADRA (F.S. §668.801), prohibits “obtain[ing] information from a protected computer without authorization and, as a result, causes harm or loss.”
We will continue to monitor developments in the CFAA. For more information or to discuss privacy or data security issues generally, please contact a member of our Data Practice group or visit https://www.ropesgray.com/en/practices/data-privacy-cybersecurity.