Supreme Court to Hear CFAA Case

The U.S.’s top court takes on a statute that could criminalize violating terms of service. Currently, there are two different views among federal appeals courts, meaning one’s criminal liability depends on where they are charged.

The Supreme Court of the United States (Court) will consider a case on the scope of the “Computer Fraud and Abuse Act” (CFAA) (18 U.S.C. § 1030). Specifically, the Court will rule on whether a person authorized to use part of a computer system is committing a crime when she accesses information on that system without authorization and with an improper purpose. Federal appellate courts have disagreed about what the term “exceeds authorized access” means in this context, and so the Court has the opportunity to define this term under the CFAA. This term could conceivably be used to punish people who violate the terms of service (TOS) for a service or website by lying about their identity or location. Consequently, the Court could determine how this key term in the CFAA should be applied and address the bigger question of whether any TOS violation set by a private company can lead to criminal liability or whether the CFAA may lead to criminal charges only if a person bypasses a clear barrier like a page that requires a passcode.

In Van Buren v. United States, the Court will consider the question of “[w]hether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.” In this case, the defendant was a police officer who took money as part of a sting operation to illegally use his access to Georgia’s database of license plates to obtain information about a person. The Eleventh Circuit Court of Appeals denied his appeal of his conviction under the CFAA per a previous ruling in that circuit that “a defendant violates the CFAA not only when he obtains information that he has no “rightful[]” authorization whatsoever to acquire, but also when he obtains information “for a nonbusiness purpose.”

According to the defendant’s summary of the legal issues:

The Computer Fraud and Abuse Act (CFAA)makes it a federal crime to “access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] information from any protected computer.” 18 U.S.C.§ 1030(a)(2)(C). Under the Act, to “exceed[] authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id.§ 1030(e)(6).This case presents a recurring question about the interpretation of these provisions, on which the courts of appeals are openly divided: Does a person obtain information on a computer that he is “not entitled so to obtain” when he has permission to access the information, but does so for an improper purpose? The answer to this question has sweeping implications.

The defendant continued

Accessing information on those computers is virtually always subject to conditions imposed by employers’ policies, websites’ terms of service, and other third-party restrictions. If, as some circuits hold, the CFAA effectively incorporates all of these limitations, then any trivial breach of such a condition—from checking sports scores at work to inflating one’s height on a dating website—is a federal crime.

The Department of Justice argued

• Although some disagreement exists in the circuits about the meaning of the phrase “exceeds authorized access” in 18 U.S.C. 1030, this case would be a poor vehicle for resolving that issue because the decision below is interlocutory and because the jury instructions at petitioner’s trial were consistent with petitioner’s narrower interpretation of “exceeds authorized access. ”Further review is therefore unwarranted.
• The petition does not otherwise warrant this Court’s review. Congress has prohibited “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing]***information from any protected computer.”18 U.S.C. 1030(a)(2)(C). And Congress has defined the phrase “‘exceeds authorized access’” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”18 U.S.C. 1030(e)(6). Petitioner contends (Pet. 6) that a person exceeds authorized access only when “he had no right at all to access the information ”he obtained, and argues (Pet. 6-7, 16-22) that the Eleventh Circuit’s contrary reading of “exceeds authorized access” is too broad. But this case would be a poor vehicle for resolving any circuit disagreement about the scope of the statutory phrase “exceeds authorized access.”

So far there have been two briefs filed by interested parties (so-called amicus briefs). The National Association of Criminal Defense Lawyers argued that

• Computers are ubiquitous in daily life. It is important that the Court clarify that ordinary deviances from terms-of-use requirements—whether imposed by internet websites or private company use guidelines, to name but a few—are not criminal. For that reason, this Court should grant review. This Court’s review also is necessary because the Eleventh Circuit’s decision deviates from settled practices for construing federal criminal statutes.

The Electronic Frontier Foundation, Center for Democracy & Technology, and New America’s Open Technology Institute filed the other brief and asserted

As the CFAA has been increasingly invoked in both criminal and civil proceedings over the last fifteen years, courts have become split on key questions of the statute’s scope. The disagreement between the courts has translated into widespread public confusion—the very outcome that the Rule of Lenity is supposed to prevent…It has also chilled important security research and investigations of discriminatory practices online.

The Court’s ultimate ruling could conceivably be narrow and just address the question of whether a public servant using his otherwise authorized access to government systems to exceed his authorization runs afoul of the CFAA. In any event, a ruling in this case would come later this year at the earliest.