In Van Buren v. United States, argued yesterday, the Supreme Court has a chance to address how the Computer Fraud and Abuse Act (CFAA) applies when a defendant is authorized to access and obtain information from a computer but subsequently uses this information for a purpose that is not permitted. The outcome of this case is important to every company that has computer data and will provide guidance on how best to protect that data.
Evolution of the Computer Fraud and Abuse Act
In 1986, Ronald Reagan was in his second term as president of the United States. “Out of Africa” won the Academy Award for best picture. The space shuttle Challenger exploded just after launch from Cape Canaveral, killing all eight on board, including teacher-astronaut Christa McAuliffe. And the CFAA was passed as an amendment to an earlier computer fraud law—before commercial email was available for the general public and prior to the advent of text messaging and downloadable applications.
Much has changed in the last 34 years, but the CFAA remains the primary statute used to prosecute hackers. More than 30 years after the enactment of the CFAA, courts do not agree on the meaning of its key terms, which has led to inconsistent and irreconcilable outcomes. Indeed, it has become even more difficult to neatly categorize the different approaches taken by various courts. The circuits are divided between a “broad” approach, on the one hand, and a more “narrow” approach, on the other, as to what it means to access a computer without authorization or “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The government has used the CFAA to prosecute individuals for classic hacking offenses, such as defendants who hack into computers of government officials, universities, financial institutions or commercial establishments in order to steal confidential government information, trade secrets and credit card numbers. The government has also used the CFAA to obtain convictions of foreign nationals who conspired to gain unauthorized access to protected computer networks in the United States in order to obtain sensitive information for the purpose of exporting that information to a foreign country. However, the broad reach of the CFAA has also permitted the government, with varying degrees of success, to go after defendants who don’t fit the classic definition of a hacker. For example, the government prosecuted a defendant under the CFAA for using a law enforcement database to acquire intimate details about women that the defendant then shared on websites, discussing how he planned to butcher, rape, torture and eat these women. United States v. Valle, 807 F.3d 508 (2d Cir. 2015).
The First, Fifth, Seventh, and Eleventh Circuits have adopted a broad construction of the statute, concluding that unauthorized access would encompass adverse use of accessed information. See, e.g., EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 9 ILR 490 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010). Under the broad approach, whenever an employee breaches a duty of loyalty or a contractual obligation, or otherwise acquires an interest adverse to the employer, their authorization to access information stored on an employer’s computer terminates, and all subsequent access is unauthorized or exceeds the scope of authorization, whether or not access is still technologically enabled. Thus, for example, the Seventh Circuit, in an opinion by Judge Posner, determined that a company adequately stated a cause of action under the CFAA where its employee, who had submitted his resignation, installed a secure-erasure program on his company-issued laptop in order to prevent the recovery of files he had deleted from the computer. Int’l Airport Centers L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006). The Court found that the defendant’s resignation terminated his agency relationship, and with it “his authority to access the laptop, because the only basis of his authority had been that relationship.”
In contrast, the Second, Fourth, and Ninth Circuits have adopted a “narrow” approach holding that an employee’s misuse or misappropriation of an employer’s business information is not “without authorization” so long as the employer has given the employee permission to access such information. In other words, courts adopting the narrow approach hold that, once an employee is granted “authorization” to access an employer’s computer that stores confidential company data, that employee does not violate the CFAA, regardless of how he subsequently uses the information.
SCOTUS Steps In
Van Buren involves a former Georgia police officer who was convicted of breaching the CFAA after accepting $5,000 from an acquaintance to check a law enforcement database to determine whether someone was an undercover police officer. Van Buren argued to the Supreme Court that the Eleventh Circuit’s October 2019 decision to uphold the conviction on the basis that the officer “exceeded” his “authorized access” defined the law so as to permit the government to prosecute seemingly non-criminal behavior, such as where a person lies on a dating website about his or her weight or where a law student misuses a school computer for personal use where he or she was not authorized to do so. In other words, a defendant who obtains information that he had a right to obtain from the computer for certain purposes (like the license plate records at issue in this case) should not face criminal sanctions solely because of the particular way in which he obtained the information, such as the information at issue here.
In contrast, the government argued that Van Buren’s reading of the CFAA eliminates the word “so” from the relevant statutory phrase, which criminalizes obtaining information that the defendant “is not entitled so to obtain or alter.” According to the government, the inclusion of “so” in that phrase means it is a crime if, as is the case here, the defendant was not entitled to obtain or alter the information in the particular way that the defendant did.
At oral argument, the parties repeated these arguments. Counsel for the appellant Van Buren focused on the assertion that the government’s understanding of the CFAA would make many Americans criminals on a daily basis. The appellant gave a number of such examples that were dubbed a “list of horribles.” This term was subsequently adopted by a number of the justices. The appellant also argued that the predecessor to the CFAA, the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, which altered the language of the statute, also supported this viewpoint. Justice Sotomayor also noted that there are a number of potential federal and state criminal charges that could cover the type of conduct of which Van Buren is accused, and the rule of lenity supports a narrow reading of the statute.
The government argued that the Van Buren situation can be analogized to an employee who has authority to access a warehouse but doesn’t have authority to remove items from there. While this analogy may be superficially appealing, this brick-and-mortar comparison actually does not make much sense since, in that case, the defendant would be charged with theft and not trespass, because at its core, the CFAA is really a computer trespass statute. A number of the Justices, including Justices Gorsuch, Sotomayor and Roberts, said that the Court is being asked to narrow a statute that is “dangerously vague” and ambiguous. “My problem is that you are giving definitions that narrow the statute that the statute doesn’t have,” Sotomayor told the government attorney.
Gorsuch also expressed concern that this is just another case in a long line of cases in which the government has sought to increase the scope and breadth of criminal laws and that had to be curbed by the Supreme Court. Barrett also expressed skepticism about the way the government attempted to define the scope of the law: “It seems to me that you’re attributing an awful lot of specificity to the word ‘authorization’….” The government asserted that appellant’s argument about the “parade of potential horribles” was overstated.
Alito appeared to be the most supportive of the government’s position, stating that he was interpreting the statute “very, very broadly.” However, he stated that the case was “very difficult to decide based on the briefs we’ve received.” Alito also asked “[w]hat exactly is ‘authorization’? What exactly does it mean to ‘obtain or alter’ information? What is the statute talking about when it speaks of ‘information in the computer’?” He added that he doesn’t “really understand the potential scope of the statute, without having an idea about exactly what all of those terms mean.”
On balance, and while it is sometimes difficult to forecast a Supreme Court outcome, the Court seemed extremely troubled by the government’s position, especially that the outcome should rest on the meaning of the word “so.” Moreover, the Court seemed concerned that the CFAA is “dangerously vague” and could criminalize innocuous online activity. As the appellant summed up, the government should not be allowed to claim that citizens should simply trust them not to prosecute cases that involve daily activities, such as sharing a password.
Reading the Tea Leaves
The outcome of this case may have consequences for employees charged with abusing access to networks and ramifications for millions of Americans. The Court appeared skeptical that it is enough that, historically, prosecutors have rarely brought cases of that sort. The Court seemed to leave no doubt that it may be left to Congress to deal with this issue. Based on the oral argument, it appears that a likely reversal should be expected next spring.