Supreme Court Narrows Federal "Anti-Hacking" Law to Exclude Enforcement Against Those Who Use Otherwise Authorized Access for Improper Purpose
By Joshua Rich --
There is a well-worn legal maxim that "hard cases make bad law." In deciding Van Buren v. United States today, the Supreme Court was faced with the opposite problem: bad laws[i] make hard cases. Specifically, in a 6-3 decision, the Court found that the Computer Fraud and Abuse Act ("CFAA") does not extend to an individual's accessing information over the internet for an improper purpose, so long as the individual would be entitled to access for a proper purpose. There's no question that interpreting the opaquely-worded CFAA forced the Court to choose between two bad options, with a parade of horribles on both sides; it chose the option that clearly decriminalizes everyday behavior (but also would allow abusive use of access that individuals have solely for work purposes).
The CFAA (codified at 18 U.S.C. § 1030) was enacted in 1986, based on a number of hacking incidents as well as -- allegedly -- Reagan White House viewings of the movie "War Games." It was originally intended to deter hacking into government computers, financial institution networks, and other "protected computers." For that reason, it established that a person commits a crime when he or she "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer." In that context, "the term 'exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." And the term "protected computer" includes any computer "which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States." With the advent of the internet and its expansion into every part of our lives, however, the portion of the law prohibiting exceeding access to protected computers has expanded the scope of the CFAA immensely.
Against the backdrop of this broad law came Sergeant Nathan Van Buren and a set of facts seemingly out of Southern Gothic lore. Sergeant Van Buren was a financially troubled officer in the Cumming, Georgia police department. He (along with the rest of the department) had been warned to stay away from Andrew Albo, a local widower in his sixties with a penchant for much younger women, including prostitutes. But instead of staying away, Van Buren befriended Mr. Albo during an arrest for providing alcohol to a minor and helped him "handle" disputes with young women.
Seeing an opportunity for help with his financial woes, Van Buren told Albo -- falsely -- that he had substantial medical debts. He then asked Albo for a loan. But instead of appreciating Van Buren's position, Albo went to the county sheriff's department with recordings of the request and told them Sergeant Van Buren was shaking him down. The FBI got involved and decided to run a sting operation. First, it had Albo ask Van Buren for help running drugs, but the police sergeant refused. Then, it had Albo ask for information about a female friend that Albo had allegedly met at a strip club (specifically, information regarding whether she was an undercover police officer). Albo offered money in exchange for Van Buren accessing Georgia and national criminal databases to run the woman's license plates. Van Buren accepted the money and ran the plates, then texted Albo when he had done so. The FBI and Georgia Bureau of Investigation then swept in and arrested Van Buren, who admitted to all of the facts and agreed what he had done was wrong.
The local U.S. Attorney charged Van Buren with honest services fraud and unauthorized access to the government databases in violation of the CFAA. He was convicted on both counts, but the Court of Appeals reversed the honest services fraud verdict on the basis of improper jury instructions. Van Buren then took the CFAA conviction to the Supreme Court.[ii] Specifically, the Supreme Court considered whether a person who is authorized to access information on a computer for certain purposes violates the CFAA if he accesses that information for an improper purpose.
The six-Justice majority, in an opinion written by Justice Barrett, decided that the CFAA would not extend so far. The majority started with the text of the CFAA, and believed that the act was structured so that the two options for the offense (access without authorization or access exceeding the scope of authorization) would be parallel in a binary "gates-up-or-down inquiry." That is, because the only question for the first part was whether the accesser had authorization or not, the second part should be limited to the question of whether the accesser had authorization to access that information in any circumstance or not. In that sense, Justice Barrett used a physical analogy for the scope of authorization, describing the prohibition as relating to "particular areas of the computer – such as files, folders, or databases – to which their computer access does not extend." In doing so, she rejected the government's assertion that the majority's interpretation would read the word "so" (in the phrase "entitled so to obtain or alter") out of the statutory definition of "exceeds authorized access." She indicated that the word "so" could be understood to distinguish the situation where an individual is not entitled to see the same information in non-computer-based means (such as, hypothetically, if a person were entitled to see a personnel file in hard copy but not electronically).
The majority also relied on the history of the CFAA's enactment and a parade of horrible possible applications of the law to reject the government's reading that it covers access for an improper purpose. The first version of the law that the CFAA replaced explicitly considered the purpose of access and the CFAA did not. However, the legislative history (which neither the majority nor the dissent mentions) expressly stated that the change was not intended to be substantive. In addition, the majority noted that the CFAA as read by the government could be understood to encompass everyday violations of terms of service, such as use of a work computer for personal reasons or embellishing online-dating profiles or using a pseudonym on Facebook. For all of these reasons, the majority held that exceeding authorized access related to computer structures, not terms (or purposes) of access.
Justice Thomas, writing in dissent and joined by Chief Justice Roberts and Justice Alito, disagreed with the outcome of the case primarily based on settled property law considerations. He saw nothing more definitive about the majority's reading -- any more of a "gates-up-or-down" approach -- than if exceeding authorized access considered what the circumstances of authorization were. In doing so, he analogized to property law, which generally protects against unlawful entry and unlawful use of property after entry. And he saw nothing more reasonable in decriminalizing access in all circumstances if there is a single exception than prohibiting such access if an authority had explicitly said so. For example, the majority's reading decriminalizes an IT administrator's actions in deleting every file on a computer minutes before resigning. Thus, Justice Thomas noted, the majority's reading of the CFAA constitutes a substantial narrowing of the law.
As a practical matter, the narrow reading of the CFAA shifts power from employers and the government to employees and website visitors. The CFAA previously provided an arrow in the quiver of employers to discourage employees from misusing their access to information or misappropriating trade secrets (it was another criminal offense that could lead to an arrest before the employee disseminated the trade secrets beyond the doors of the company). It also served as the primary basis for the federal government to charge employees who used IRS, Social Security, or law enforcement databases to stalk private citizens. On the other hand, it also chilled some investigative reporting and whistleblowing because of violation of terms of service for websites. Thus, every person who shops on their company computer or uses a fake e-mail address to avoid spam from a website can breathe a little easier. And we can all hope that Congress will take the Court's decision as a reason to rewrite the CFAA and bring it into the internet age.
Van Buren v. United States (2021)
Opinion by Justice Barrett, joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh; dissenting opinion by Justice Thomas, joined by Chief Justice Roberts and Justice Alito
[i] Columbia University Law School professor Tim Wu called the CFAA the "worst law in technology" in a 2013 New Yorker article.
[ii] See United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019).
A little presumptuous with the title....?
It is not, nor ever was, meant to be an "anti-hacking" law.
Sure, hacking IS one aspect of the law, but to limit the law to ONLY hacking goes to the opposite extreme that the FBI wanted.
Hacking could be seen to fall into the "Fraud" part of the title of the act, leaving the "Abuse" portion of the title to cover more than mere hacking.
Posted by: skeptical | June 04, 2021 at 07:24 AM
If Congress does anything, it should take the initiative to develop a comprehensive data privacy scheme instead of trying to shoehorn that sort of content into the CFAA where it doesn't belong. Not that I'm holding my breath of course!
Otherwise, I do appreciate this concise, lucid summary. Aside from the observation above, the only thing I take issue with is the suggestion at the very end that the CFAA isn't suited for the internet age. Properly construed, it already does that job perfectly well.
CRS also put out a report last fall on the CFAA noting a number of unresolved issues. So this decision on the "access" provisions is likely not the last we'll hear about the statute.
https://fas.org/sgp/crs/misc/R46536.pdf
@skeptical
I sure hope you're kidding. The whole point of the CFAA is to address hacking—the OP is totally correct on that score.
"Hacking" is quite a broad category that certainly encompasses, among other things, both fraud and abuse. The former includes accessing systems through deceitful means. Social engineering is an example of this. However, I'd argue that the latter form of conduct—abuse—is really at the core of the hacking category. That includes things like exploiting a technical vulnerability to gain unauthorized access to a system or particular data on a system, altering or corrupting data, or compromising the functionality of a system.
If you have more to elaborate on what in your view the CFAA does cover aside from hacking, it'd be interesting to hear that.
-hr
Posted by: hardreaders | June 07, 2021 at 05:11 PM
hr,
I found the dissent in this case to be far more compelling than the majority opinion.
Posted by: skeptical | June 08, 2021 at 06:20 AM
The dissent was a joke. Thomas either can't comprehend, or just refuses to acknowledge, that not every modern scenario has a meaningful analogy to the common law of property that was developed centuries ago. Especially when dealing with a very recent (speaking relatively) subject like computing, that should be exceedingly obvious.
And it's ironic because the misconduct that Van Buren unquestionably did commit—the invasion of sensitive personal information—also lacks a viable common law analog. Presumably, Thomas' moral outrage over the data privacy violation was a factor that inspired him to dissent. So you have the irony of using unworkable common law analogies to twist a statute to cover conduct that itself wasn't addressed at common law.
Alito's joining the dissent is also sort of ironic, or maybe a bit puzzling. In U.S. v. Jones, a big part of his concurrence was devoted to criticizing the futility of Scalia's majority opinion relying on common law analogies when faced with facts involving highly technical subjects. We all remember Alito's great quip about "tiny constables." But in this case, he joins on with a dissent taking the exact same approach he previously—and rightly—criticized.
Roberts' join is also a bit surprising, considering his opinions in Bond and McDonnell narrowing the scope of other federal criminal statutes. But he has a soft spot for data privacy as shown by Carpenter, so maybe that explains it.
Posted by: hardreaders | June 09, 2021 at 12:33 PM
In all fairness to Thomas, let me just point out one area where I actually think he was sort of correct.
At the top of his dissent p. 8 / start of section I.B.3, he does in fact do a fairly good job of noting how the majority's construction leads to some apparently inconsistent outcomes. But I have to qualify my praise a little. The inconsistencies, such as they are, don't arise because the majority is wrong. Rather, while the majority is right, its decision is incomplete because, at FN8, it refuses to address the distinction between technical and policy-based access restrictions. Had the majority gone the distance—and I recognize it might have had reasons for not doing so—I think the inconsistencies could have been avoided. But I do give Thomas a little credit for pointing them out.
-hr
Posted by: hardreaders | June 09, 2021 at 02:50 PM
I think that you may be too enamored with how you want to portray a dependence on analogy. Sure, analogies are used - but I do not see misuse as you seem to want to see.
I also think that you presume your own conclusion (that the law is strictly an "anti-hackers" law).
It simply is not, given that it is written to include those who need not have hacked to have access.
Posted by: skeptical | June 09, 2021 at 06:43 PM