The Supreme Court Limits the Scope of the Computer Fraud and Abuse Act

On June 3, 2021, the Supreme Court issued its much-anticipated decision in Van Buren v. United States,[1] regarding the limits of the Computer Fraud and Abuse Act (“CFAA”)—the Court’s first serious look at the CFAA.  Resolving a Circuit split, the Court limited the reach of the statute and held that individuals who have authorization to access a computer system do not violate the CFAA simply because they access information on the system for a prohibited purpose. 

At issue in Van Buren is the CFAA’s prohibition on certain conduct that “exceeds authorized access.”  Writing for the Court, Justice Barrett held that that provision “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend.”  But it “does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”[2] In so holding, the Court rejected the government’s position that using permitted access for “improper motives” violates the CFAA.

Van Buren significantly constrains not only the ability of the U.S. government to prosecute individuals under the CFAA, but also private litigants who employ the CFAA’s private right of action to go after “insiders” who misuse their access.  The decision suggests that private sector companies should rely on programmatic “gates” (i.e., technological blocks), rather than policies to limit users or employees’ access to sensitive information, to stand on strong footing for establishing a CFAA violation.  Where it is not possible to implement such “programmatic gates,” companies should unambiguously define a users’ access privileges.  Companies may also increasingly need to rely on other vehicles, like trade secret and contract law, to curb the unauthorized use of their information.

CFAA Background

Enacted in 1986, the CFAA is one of the primary computer crime laws in the United States.  It reportedly was enacted in response to concerns arising from the film “War Games,” in which a teenage hacker breaches the United States’ nuclear defense system and almost starts World War III.  The CFAA generally prohibits accessing a protected computer “without authorization” or certain categories of conduct that involves “exceeding authorized access” and applies broadly in both criminal and civil contexts.  Over the years, it has been amended several times.

A key question in many CFAA cases is whether the defendant acted “without authorization” or “exceed[ed] authorized access.”  The CFAA does not define “without authorization”—the prong of the CFAA that addresses situations in which a hacker breaks into a computer system.  The CFAA, however, defines “exceeds authorized access” to mean accessing “a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”[3]

Case Background

In the course of an FBI sting operation, former Georgia police sergeant Nathan Van Buren was approached by an individual seeking information about a woman the man had met at a strip club.  In exchange for money, Van Buren used his patrol-car computer to access a law enforcement database to retrieve information about the woman.

While Van Buren used his own credentials to perform the search, he did so for non-law enforcement purposes.  Van Buren argued that, although he accessed data for a personal purpose, he did not violate the CFAA as he was authorized to use the database in question.

Van Buren was charged and convicted for violating the CFAA, and the Eleventh Circuit upheld his conviction.[4] Van Buren sought Supreme Court review.

Supreme Court Holding

In a 6-3 decision, Justice Barrett, joined by Justices Breyer, Kagan, Sotomayor, Gorsuch, and Kavanaugh, held that Van Buren did not violate the CFAA.  The Court’s inquiry turned on whether his search “exceed[ed] authorized access.”  Focusing on the definitional phrase “is not entitled so to obtain,” the Court agreed with Van Buren that this phrase means “information that a person is not entitled to obtain by using a computer that he is authorized to access.”[5] The Court was explicit: “[A]n individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.”[6] Responding to the dissent, the Court explained that its interpretation was consistent with the meaning of “access” in the computing context, which “equate[s] ‘exceed[ing] authorized access’ with the act of entering a part of the system to which a computer user lacks access privileges.”[7]

Thus, the Court read the statute as employing a “gates-up” vs. “gates-down” approach.  The owner of a computer system can put gates down over an entire system or just parts.  But an individual does not violate the CFAA for accessing information when the gates are up.

In addition to construing the statute, the Court made clear its discomfort with reading the statute in a way that would criminalize common-place activity:

To top it all off, the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity. . . .  If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.[8]

Although the Court treats these policy concerns as merely “extra icing on the cake,” Justice Thomas in dissent (joined by Chief Justice Roberts and Justice Alito) suggested that these over-criminalization concerns lie at the heart of the majority’s decision.  He believed that the Court’s construction of “not entitled so to obtain” ignores the phrase’s plain meaning.  As an example, Justice Thomas explained a valet can take possession of a person’s car to park it, but not to go on a joyride.  Under the dissent’s framework, the first phrase “without authorization” is a gates-up-or-down inquiry and the second phrase “exceeds authorized access” is dependent on the circumstances of each case.

Conclusion

The Van Buren decision resolves what had been a circuit split over the scope of the “exceeds authorized access” language in the CFAA.  The decision makes clear that merely accessing information for “improper purposes” no longer violates the CFAA.  Already, the decision has prompted calls from legislators and others for a national privacy law to prevent corporate employees from abusing their access to databases with sensitive personal information.

Jackie Lender, a summer associate in Morrison & Foerster LLP’s San Francisco office, contributed to this alert.

[1] No. 19-783, 2021 U.S. LEXIS 2843 (June 3, 2021).

[2] Id. at *8.

[3] 18 U.S.C. § 1030(e)(6).

[4] United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019).

[5] 2021 U.S. LEXIS 2843, at *17 (emphasis added).

[6] 2021 U.S. LEXIS 2843, at *32 (emphasis added).

[7] 2021 U.S. LEXIS 2843, at *22.

[8] 2021 U.S. LEXIS 2843, at *28.