On June 3, 2021, the United States Supreme Court issued its highly anticipated opinion in Van Buren v. United States, narrowing the scope of the Computer Fraud and Abuse Act (the “CFAA”). In a decision that will have sweeping ramifications for technology companies and employers of all kinds, the Court held that a person exceeds his authorized access in violation of the CFAA only when he alters or “obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” It rejected the government’s broad interpretation of that prohibition, declining to extend the CFAA’s reach to people with computer access who merely breach circumstance-specific limits (such as a restriction against accessing business files for personal use).
By ruling as it did, the Court avoided criminalizing a “breathtaking amount of commonplace computer activity.” But the decision left many companies and employers with fewer tools to address violations of their policies and terms of service. Private litigants may need to seek alternative means to obtain remedies for misuse and exploitation of their computer systems and sensitive or proprietary information. And the law on internet scraping—extracting data from websites—remains as murky as ever. So, while this was the Court’s first significant encounter with the CFAA, it will not be the last.
Facts of the Case
Van Buren involved a police officer whose employment gave him access to a law-enforcement database of license plates. The target of an FBI sting, the officer accepted a bribe to use that access to obtain information about a particular license plate, a violation of his department’s policy against accessing the database for non-law enforcement purposes. The government indicted Van Buren under 18 U.S.C. § 1030(a)(2), which makes it a crime when a person “intentionally accesses a computer without authorization or exceeds authorized access.” Van Buren was charged with the second half of that prohibition—exceeding authorized access—which means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). The jury found him guilty and the Eleventh Circuit affirmed. Its decision aligned with decisions in the First, Fifth, and Seventh Circuits, but split with decisions of the Second, Fourth, Sixth, and Ninth Circuits. The Supreme Court granted review to resolve the conflict.
At stake was a critical issue on the scope of Congress’s main statutory prohibition against computer hacking: whether the CFAA reaches anyone with access to a computer who violates limits on his authorization (such as an employee who checks sports scores in breach of an employer’s ban on using the internet for private purposes) or only authorized users of a computer who venture into files or folders barred to them. Also at stake was the extent to which the CFAA—which is enforceable civilly as well as criminally—could be used to sue employees who abscond with their employers’ customer lists upon leaving the company.
The Court’s Decision
In a 6-3 opinion written by Justice Barrett and joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh, the Court held that the “exceeds authorized access prohibition” applies only when a person “obtain[s] information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend.” In other words, only when an authorized computer user exploits his permitted access to reach prohibited areas of the computer will the CFAA reach the conduct.
The Court’s opinion relied largely on the text, but also found support in the structure of the statute. The Court concluded that the CFAA’s prohibition on accessing a computer without authorization requires a “gates up, gates down” approach; i.e., a user either can or cannot access the computer, and only a person with no authorized access can violate the “without authorization” prohibition. The Court took a similar structural approach to the prohibition on exceeding authorization: users either do or do not have access to particular information within the computer, so courts should look to whether access to the particular information is permitted at all, not to circumstance-based limits on the user’s access (e.g., access permitted for one purpose but not another).
In explaining its rejection of the government’s circumstance-based authorization test, the Court used the example of websites that “authorize a user’s access only upon his agreement to follow specified terms of service.” The Court stated: “If the ‘exceeds authorized access’ clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why [the clause] would not also encompass violation of [terms of service] restrictions on website providers’ computers . . . [thus] criminali[zing] everything from embellishing an online-dating profile to using a pseudonym on Facebook.”
Justice Thomas’s dissent, which was joined by Chief Justice Roberts and Justice Alito, acknowledged that adopting the government’s position could lead to the criminalization of common internet activity, but argued that the plain reading of the CFAA compelled such a conclusion and that the majority’s opinion ignored well-established property law principles.
The opinion resolves a circuit split by rejecting the government’s broad interpretation of the CFAA’s “exceeds authorized access” prohibition, but leaves open important questions about how the “exceeds authorization” standard will be applied and how it related to the cognate prohibition against accessing a computer “without authorization.”
What Comes Next?
The Court left two critical issues open for further development. First, while the Court made clear that “exceeding authorized” access meant that a computer user obtained information from particular areas of a computer to which the user’s access did not extend, it did not address what type of limits would define the denial of access—if technological or “code-based” limits would be necessary, or if limits in contracts and policies would suffice. This issue is key to assessing the scope of an authorized user’s access. Second, while the Court touched on the meaning of the prohibition against accessing a computer “without authorization,” it did not construe that provision. A pending certiorari petition, LinkedIn Corp. v. HiQ Labs Inc, asks the Court to take up that issue in the context of website scraping. We will soon know whether the Court intends to venture into that issue so soon after Van Buren or allow the question to percolate in the lower courts.
In the meantime, all computer users—which is to say, everyone—must pay careful attention to how the CFAA is being applied to new factual circumstances. Companies, in particular, will need to evaluate their existing information security policies and potentially modify their network configuration to ensure that sensitive information is not accessible by those without authorization. This promises to be a dynamic area of the law, with many more developments to come.