
SCOTUS Narrows Scope of the Computer Fraud and Abuse Act (CFAA)

In a 6-3 decision handed down on Thursday, June 3, 2021, the Supreme Court issued an opinion narrowly interpreting the Computer Fraud and Abuse Act (“CFAA”). Justice Amy Coney Barrett authored the opinion and was joined by Justices Sotomayor, Kagan, Gorsuch, Breyer, and Kavanaugh. Justice Clarence Thomas authored the dissent, which was joined by Justice Alito and Chief Justice Roberts.

Former Georgia police sergeant Nathan Van Buren (Van Buren) used his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. Although Van Buren used his own, valid credentials to perform the search, his conduct violated a department policy against obtaining database information for non-law enforcement purposes. Unbeknownst to Van Buren, his actions were part of an FBI sting operation, and Van Buren was charged with a felony violation of the CFAA, which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U. S. C. §1030(a)(2). The term “exceeds authorized access” is defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6).

A jury convicted Van Buren under the CFAA’s “exceeds authorized access” clause, and the District Court sentenced him to 18 months in prison. Van Buren appealed to the Eleventh Circuit, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have. The Eleventh Circuit upheld Van Buren’s CFAA conviction consistent with its precedent taking a broad view of the “exceeds authorized access” clause. The Supreme Court granted certiorari to resolve the split in authority regarding the scope of liability under the CFAA’s “exceeds authorized access” clause.

The Supreme Court reversed the Eleventh Circuit’s decision, adopting a narrow interpretation of the CFAA’s “exceeds authorized access” clause. The Supreme Court held that §1030(e)(6) of the CFAA covers those who obtain information from particular areas in the computer – such as files, folders or databases – to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them. In reaching its narrow interpretation, SCOTUS relied almost exclusively on the statute’s text and the practical dangers a broad interpretation would yield.

Subsection (a)(2) of the CFAA specifies two distinct ways of obtaining information unlawfully—first, when an individual “accesses a computer without authorization,” §1030(a)(2), and second, when an individual “exceeds authorized access” by accessing a computer “with authorization” and then obtaining information he is “not entitled so to obtain,” §§1030(a)(2), (e)(6). The second method was before SCOTUS, as it was undisputed that Van Buren had authorization to access his computer and the police department’s database.

Van Buren’s conduct plainly flouted his department’s policy, which authorized him to obtain database information only for law enforcement purposes. The question before SCOTUS was whether Van Buren also violated the CFAA, which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The Supreme Court held he did not.

The Supreme Court went through a brief history of the CFAA, culminating with its prohibition now applying, at a minimum, “to all information from all computers that connect to the Internet.” §§1030(a)(2)(C), (e)(2)(B). SCOTUS pointed out that those who violate the CFAA face penalties ranging from fines and misdemeanor sentences to imprisonment for up to 10 years. §1030(c)(2). Additionally, individuals risk civil liability under the CFAA’s private cause of action, which allows persons suffering “damage” or “loss” from CFAA violations to sue for money damages and equitable relief. §1030(g).

SCOTUS started, and focused, its analysis on the text of the CFAA. Specifically, it focused on the most relevant text – the phrase “exceeds authorized access,” which means “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.” §1030(e)(6).

It was undisputed that: (1) Van Buren accessed a computer with authorization when he used his patrol-car computer and valid credentials to log into the law enforcement database; (2) Van Buren obtained information in the computer when he acquired the license-plate record; and (3) Van Buren had been given the right to acquire license-plate information – that is, he was entitled to obtain it from the law enforcement computer database. The issue before SCOTUS: was Van Buren “entitled so to obtain” the license-plate information, as the statute requires?

SCOTUS agreed with Van Buren: The phrase “is not entitled so to obtain” is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access. The word “entitled” does not stand alone. The modifying phrase “so to obtain” directs the reader to consider a specific limitation on the accessor’s entitlement: his entitlement to obtain the information “in the manner previously stated.” The “manner previously stated” is using a computer one is authorized to access. So, the relevant question is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase.

In the computing context, “access” references the act of entering a computer “system itself” or a particular “part of a computer system,” such as files, folders, or databases. It is thus consistent with that meaning to equate “exceed[ing] authorized access” with the act of entering a part of the system to which a computer user lacks access privileges.

In criticizing the Government’s position, SCOTUS recalled that violating §1030(a)(2), the provision under which Van Buren was charged, also gives rise to civil liability. See §1030(g). Provisions defining “damage” and “loss” specify what a plaintiff in a civil suit can recover. The statutory definitions of “damage” and “loss” focus on technological harms – such as corruption of files – of the type unauthorized users cause to computer systems and data. Limiting “damage” and “loss” in this way makes sense in a scheme “aimed at preventing the typical consequence of hacking.” The terms’ definitions are ill-fitted, however, to remediating “misuse” of sensitive information that employees may permissibly access using their computers. Ibid. Van Buren’s situation is illustrative: His run of the license plate did not impair the “integrity or availability” of data, nor did it otherwise harm the database system itself.

SCOTUS believed the Government’s broad interpretation of the CFAA would attach criminal penalties to a breathtaking amount of commonplace computer activity – this fallout would be “extra icing on a cake already frosted.” If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers. And indeed, numerous amici explain why the Government’s reading of subsection (a)(2) would do just that: criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.

The Supreme Court’s final observation: The Government’s approach would inject arbitrariness into the assessment of criminal liability. The Government concedes, as it must, that the “exceeds authorized access” clause prohibits only unlawful information “access,” not downstream information “‘misus[e].’” But the line between the two can be thin on the Government’s reading. Because purpose-based limits on access are often designed with an eye toward information misuse, they can be expressed as either access or use restrictions.

SCOTUS concluded the majority opinion as follows. In sum, an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him. The parties agree that Van Buren accessed the law enforcement database system with authorization. The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could. Van Buren accordingly did not “excee[d] authorized access” to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose. We therefore reverse the contrary judgment of the Eleventh Circuit and remand the case for further proceedings consistent with this opinion.