Hacking the Computer Fraud and Abuse Act: The Supreme Court Narrows the Reach of the CFAA’s “Exceeds Authorized Access” Provision
The Computer Fraud and Abuse Act (“CFAA”)1 was designed to stop hacking and other forms of cybercrime. For many years, multiple courts of appeals and the DOJ have taken one provision of the CFAA to mean that individuals can be civilly or criminally liable for abusing their permission to use a computer to access information for improper purposes.2 On June 3, 2021, the Supreme Court decided that the CFAA does not cut so broadly, holding that defendants “exceed authorized access” under the CFAA only in situations where they “obtain information to which their computer access does not extend.”3
In Van Buren v. United States, a 6-3 opinion, the Court reversed the conviction of a former Georgia police officer who had been accused of violating a provision of the CFAA that makes it illegal to “intentionally access a computer without authorization or [in a manner that] exceeds authorized access.”4 In finding for the officer, the Court held that the CFAA’s “exceeds authorized access” provision only applies to situations where an individual has permission to access a computer but then obtains information from areas in that system (such as folders or restricted files) he or she is not authorized to access.
The Court found that the CFAA did not extend to the circumstances at issue here, where the police officer had lawful access to the database and the information within it. Instead, the Court determined that the “exceeds authorized access” provision is only in play where a person “accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits” to that person.5 In addition to providing clarity to the scope of the law, the Supreme Court has significantly narrowed the reach of the CFAA to foreclose criminal and civil liability for “a breathtaking amount of commonplace computer activity,”6 such as violations of a website’s terms of service or using a work computer to access personal email.
A police officer’s misuse of a law enforcement database tests the reach of the CFAA.
Nathan Van Buren was a police officer in Georgia, who was the subject of a sting operation by the FBI investigating possible corruption on his part.7 A criminal informant working with the FBI offered Van Buren $5,000 to run the license plate number of an exotic dancer in the Georgia Crime Information Center database (“GCIC”).8 As a police officer, Van Buren had access to the GCIC and was authorized to use the database for purposes related to law enforcement. Van Buren performed the search and told the informant that he had the requested information. He was subsequently arrested and charged with honest services fraud in the form of bribery and violating the CFAA, a federal statute that criminalizes computer hacking, among other things.9 Specifically, Van Buren was accused of a criminal violation of a CFAA provision that prohibits anyone from “accessing a computer without authorization or exceed[ing] authorized access” to obtain information from a protected computer.10 After a jury trial, Van Buren was convicted and sentenced to 18 months in prison.
Under the text of the CFAA, a defendant “exceeds authorized access” when he or she accesses “a computer with authorization,” but such access is used “to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”11 Van Buren argued that his conduct did not meet the definition of “exceeds authorized access” because obtaining license plate information was not beyond the scope of information he was “entitled to obtain” as an authorized user of the GCIC.12 The government pushed for a much broader reading of the statute, arguing that individuals exceed authorization any time they access information on a computer that they are otherwise authorized to access if done for an improper purpose. Siding with the government, the Eleventh Circuit upheld Van Buren’s conviction under the CFAA.13
As we previously reported, in April 2020, the Supreme Court granted certiorari to resolve a circuit split. The First, Fifth, and Seventh Circuits shared the Eleventh Circuit’s view, but the Second, Fourth, and Ninth Circuits favored Van Buren’s narrower reading of the CFAA.
Text and Policy: The Supreme Court rejects the government’s expansive interpretation of “exceeds authorized access.”
A six-justice majority14 of the Supreme Court sided with Van Buren, holding that the “exceeds authorized access” clause of the CFAA applies to individuals “who obtain information from particular areas in the computer . . . to which their computer access does not extend.”15 The majority’s opinion, authored by Justice Barrett, focused primarily on the text and structure of the CFAA.16 Although the Court agreed with the government that in “common parlance” the “exceeds authorized access” clause would apply to anyone who used their authorized access to a system for an improper purpose, a plain reading of the statute warranted a much narrower reading.17
Relying primarily on the statute’s text and structure, the Court also refused to adopt the government’s proposed interpretation because of what they view as the potential fallout: Judge Barrett wrote that the government’s reading would implicate a huge array of “commonplace computer activity” and make “millions of otherwise law-abiding citizens . . . criminals.”18 For example, the government’s interpretation would criminalize conduct like violating a website’s terms of service, using a pseudonym on social media, or employees using work devices to send personal emails.19 With so much potential conduct falling under the purview of the CFAA, the Court expressed concern that adopting the government’s approach would mean injecting “arbitrariness into the assessment of criminal liability” because there is only a thin line between “unlawful information access” and “misuse of information.”20
The CFAA Going Forward
Since the CFAA was passed in 1986, it has been widely used by prosecutors and civil litigants to reach conduct that does not resemble traditional hacking techniques, such as installing malicious software on a computer to gain system access and obtaining information from a computer network. Beyond criminal prosecutions, the CFAA also contains a private right of action21 and has been a commonly used tool for civil litigants, especially by employers in trade secrets litigation.22 The Supreme Court’s decision greatly narrows the scope of the CFAA by shifting focus away from an individual’s subjective “improper purpose” in accessing information on a computer system and reorients the law as covering conduct that constitutes an objective breach by an individual either through unauthorized access (an outside hack) or by accessing areas of a system where an otherwise authorized user’s access is restricted (an inside hack).
The opinion makes it clear that the CFAA covers “those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend.”23 The Court however left it an open question whether liability under the CFAA’s “exceeds authorized access” provision requires breach of technological limits on a user’s access (such as password-protected drives) or policy-based limits (such as a computer-use policy for employees).24 Businesses concerned about unauthorized access by employees, vendors, or other users to certain areas on their networks should clearly communicate what areas are out-of-bounds. Requiring passwords to access those areas is a clear sign that access is only granted to certain individuals.
Ultimately, Van Buren has provided much-needed clarity to the application of the CFAA. Prosecutors and potential plaintiffs now know that the CFAA’s “exceeds authorized access” clause covers conduct that is much closer to traditional hacking. How that clarity affects the number and breadth of CFAA causes of actions remains to be seen. For example, it is not difficult to imagine possible complications to civil actions for theft of trade secrets under the CFAA where the defendant is an employee authorized to access trade secrets. Nevertheless, what is certain is that hacking—both from outside an organization and inside an organization—remains a concern for private litigants and the government. Unless and until Congress takes steps to revise the CFAA, it remains the primary tool available to counter such intrusions.
1 Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474, 100 Stat. 1213 (codified at 18 U.S.C. § 1030).
2 See, e.g., United States v. John, 597 F.3d 263 (5th Cir. 2010).
3 The Court’s opinion is in the case of Van Buren v. United States, 593 U.S. __ (2021).
4 Id. at 1, 20.
5 Id. at 20.
6 Id. at 17.
7 Id. at 3.
9 H.R. Rep. No. 98-894 (1984), at 10.
10 Id. at § 1030(a)(2).
11 Id. at § 1030(e)(6).
12 Van Buren, 593 U.S. __, at 4.
13 The Eleventh Circuit, however, vacated Van Buren’s conviction for honest services fraud due to an error in jury instruction, and remanded the case for a new trial on those charges. United States v. Van Buren, 940 F.3d 1192, 1204-05 (11th Cir. 2019).
14 The majority included Justices Barrett, Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh. Justice Thomas dissented, joined by Justice Alito and Chief Justice Roberts.
15 Van Buren, 593 U.S. __ (slip op. at 1).
16 Id. at 5-16.
17 Id. at 11-12.
18 Id. at 17-18.
19 Id. at 18.
20 Id. at 19-20.
21 18 U.S.C. § 1030(g).
22 See generally Jonathan Mayer, Cybercrime Litigation, 164 U. Penn. L. Rev. 1456, 1487 (2016); see also, e.g., Craigslist Inc. v. 3Taps Inc., 964 F. Supp. 2d 1178 (N.D. Cal. 2013) (allowing civil CFAA claim against website user); In re Intuit Privacy Litig., 138 F. Supp. 2d 1272 (C.D. Cal. 2001) (trade secrets); KCG Holdings, Inc. v. Khandekar, No. 17-cv-3533, 2020 WL 1189302 (S.D.N.Y. Mar. 12, 2020) (same).
23 Id. at 1.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.