On November 30, 2020, the Supreme Court held oral argument in its first case interpreting the "unauthorized access" provision of the Computer Fraud and Abuse Act (CFAA). The CFAA in part prohibits knowingly accessing a computer "without authorization" or "exceeding authorized access" to a computer and thereby obtaining information and causing a "loss" under the statute. The case concerns an appeal of an Eleventh Circuit decision affirming the conviction of a police officer for violating the CFAA for accessing a police license plate database he was authorized to use but used instead for non-law enforcement purposes. (See U.S. v. Van Buren, 940 F. 3d 1192 (11th Cir. 2019), pet. for cert. granted Van Buren v. U.S., No. 19-783 (Apr. 20, 2020)). The issue presented is: "Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose."
The defendant Van Buren argued that he is innocent because he accessed only databases that he was authorized to use, even though he did so for an inappropriate reason. He contended that the CFAA was being interpreted too broadly and that such a precedent could subject individuals to criminal liability merely for violating corporate computer use policies. During oral argument, Van Buren's counsel suggested that such a wide interpretation of the CFAA was turning the statute into a "sweeping Internet police mandate" and that the Court shouldn't construe a statute "simply on the assumption the government will use it responsibly." In rebuttal, the Government countered that Van Buren's misuse of access for personal gain was the type of "serious breaches of trust by insiders" that statutory language is designed to cover.
The CFAA does not define "authorization" (but courts have generally interpreted it to mean to access a computer with sanction or permission), but the Act defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). As we explained in our last post on the emerging CFAA issue, in the criminal context circuit courts are split on how to interpret the "unauthorized access" or "exceeding unauthorized access" provisions with respect to accessing a database with an improper purpose or against posted policies.
Although it is a criminal case, the Supreme Court has the opportunity to clarify the meaning of "exceeds authorized access" under the CFAA and perhaps bring more legal certainty to "unauthorized access" claims advanced against entities engaged in unwanted data scraping. Interestingly, during oral argument, there was an exchange between the the Deputy Solicitor General arguing on behalf of the Government and Chief Justice Roberts that touched on what "authorization" means with respect to public websites:
CHIEF JUSTICE ROBERTS: Mr. Feigin, is your friend correct that everyone who violates a website's terms of service or a workplace computer use policy is violating the CFAA?
FEIGIN: Absolutely not, Your Honor. [...] First of all, on the public website, that is not a system that requires authorization. It's not one that uses required credentials that reflect some specific individualized consideration.
CHIEF JUSTICE ROBERTS: Okay. Then limit my — my question to any computer system where you have to, you know, log on.
FEIGIN: So, Your Honor, I don't think all log –all systems that require you to log in would be authorization-based systems because what Congress was driving at here are inside –
CHIEF JUSTICE ROBERTS: All right. Well, then every — every system that has a password.
FEIGIN: No, Your Honor, and let me explain why. What Congress was aiming at here were people who were specifically trusted, people akin to employees, the kind of person you — that had actually been specifically considered and individually authorized.
While prognosticating on how the Court will rule based on the tone and substance of the oral argument is an inexact science, it appeared that that the Justices encountered some difficulty parsing the ambiguity in the statute surrounding "authorization." Indeed, as Justice Alito commented: "Well, I find this a very difficult case to decide based on the briefs that we've received," even adding that "I don't really understand the potential scope of this statute, without having an idea about exactly what all of those terms mean." Thus, we will simply have to wait until next year to see how the Supreme Court interprets "exceeding authorized access."
When first enacted in 1984 the CFAA was originally directed at serious "hacking" activities into government networks, inspired by the pre-digital era movie War Games, where a teenager hacks into the U.S. military missile system NORAD and nearly starts a global thermonuclear war while playing a simulated game with the computer ("Shall we play a game?). But, we live in a different world now and the CFAA has also changed. Over the past three decades, Congress has expanded the statute and added a civil right of action, and technology and the way we store and access data have become more advanced. As a result, the language of the CFAA is susceptible to broader application and has been brought to bear in many contexts beyond traditional outside hacking scenarios. With the Van Buren case, the Supreme Court has the opportunity to rule on the contours of "unauthorized access" and thus bring some clarity beyond the criminal context. However, criminal convictions present different equities than civil cases, and it remains to be seen if the Court's opinion will resolve questions surrounding civil liability that we've been seeing in many scraping disputes, including the ongoing hiQ dispute (which itself is before the Supreme Court on a petition for cert.).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.