This article was first published in IPWatchdog.com on December 1, 2020.
“On balance, and while it is sometimes difficult to forecast a Supreme Court outcome, the Court seemed extremely troubled by the government’s position.”
In Van Buren v. United States, argued yesterday, the Supreme Court has a chance to address how the Computer Fraud and Abuse Act (CFAA) applies when a defendant is authorized to access and obtain information from a computer but subsequently uses this information for a purpose that is not permitted. The outcome of this case is important to every company that has computer data and will provide guidance on how best to protect that data.
Evolution of the CFAA
In 1986, Ronald Reagan was in his second term as president of the United States. “Out of Africa” won the Academy Award for best picture. The space shuttle Challenger exploded just after launch from Cape Canaveral, killing all eight on board, including teacher-astronaut Christa McAuliffe. And the CFAA was passed as an amendment to an earlier computer fraud law—before commercial email was available for the general public and prior to the advent of text messaging and downloadable applications.
Much has changed in the last 34 years, but the CFAA remains the primary statute used to prosecute hackers. More than 30 years after the enactment of the CFAA, courts do not agree on the meaning of these terms, which has led to inconsistent and irreconcilable outcomes. Indeed, it has become even more difficult to neatly categorize the different approaches taken by various courts. The circuits are divided between on the one hand a “broad” approach and on the other, a more “narrow” approach as to what it means to access a computer without authorization or in “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The government has used the CFAA to prosecute individuals for classic hacking offenses, such as defendants who hack into computers of government officials, universities, financial institutions or commercial establishments in order to steal confidential government information, trade secrets and credit card numbers. The government has also used the CFAA to obtain convictions of foreign nationals who conspired to gain unauthorized access to protected computer networks in the United States in order to obtain sensitive for the purpose of exporting that information to a foreign country. However, the broad reach of the CFAA has also permitted the government, with varying degrees of success, to go after defendants who don’t fit the classic definition of a hacker. For example, the government prosecuted a defendant under the CFAA for using a law enforcement database to acquire intimate details about women that the defendant then shared on websites and discussed how he planned to butcher rape, torture and eat these women. United States v. Valle, 807 F.3d 508 (2d Cir. 2015).
The First, Fifth, Seventh, and Eleventh Circuits have adopted a broad construction of the statute, concluding that unauthorized access would encompass adverse use of accessed information. See e.g., EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 9 ILR 490 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010). Under the broad approach, wherever an employee breaches a duty of loyalty, or a contractual obligation or otherwise acquires an adverse interest to the employer, their authorization to access information stored on an employer’s computer terminates, and all subsequent access is unauthorized or exceeds the scope of authorization, whether or not access is still technologically enabled. Thus, for example, the Seventh Circuit in an opinion by Judge Posner determined that a company adequately stated a cause of action under the CFFA where its employee, who had submitted his resignation, installed a secure-erasure program on his company-issued laptop in order to prevent the recovery of files he had deleted from the computer. Int’l Airport Centers L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006). The Court found that defendant’s resignation terminated his agency relationship, and with it “his authority to access the laptop, because the only basis of his authority had been that relationship.”
In contrast, the Second, Fourth, and Ninth Circuits have adopted a “narrow” approach holding that an employee’s misuse or misappropriation of an employer’s business information is not “without authorization” so long as the employer has given the employee permission to access such information. In other words, courts adopting the narrow approach hold that, once an employee is granted “authorization” to access an employer’s computer that stores confidential company data, that employee does not violate the CFAA, regardless of how he subsequently uses the information.
SCOTUS Steps In
Van Buren involves a former Georgia police officer who was convicted of breaching the CFAA after accepting $5,000 from an acquaintance to check a law enforcement database to determine whether someone was an undercover police officer. Van Buren argued to the Supreme Court that the Eleventh Circuit’s October 2019 decision to uphold the conviction on the basis that the officer “exceeded” his “authorized access” defined the law so as to permit the government seemingly non-criminal behavior, such as where a person lies on a dating website about his or her weight or where a law student misuses a school computer for personal use where he or she was not authorized to do so. In other words, a defendant who obtains information that he had a right to obtain from the computer for certain purposes (like the license plate records at issue in this case) should not face criminal sanctions solely because of the particular way in which he obtained the information, such as the information at issue here.
In contrast, the government argued that Van Buren’s reading of the CFAA eliminates the word “so” from the relevant statutory phrase, which criminalizes obtaining information that the defendant “is not entitled so to obtain or alter.” According to the government, the inclusion of “so” in that phrase means it is a crime if, as is the case here, the defendant was not entitled to obtain or alter the information in a particular way that the defendant did.
At oral argument, the parties repeated the arguments. Counsel for the appellant Van Buren focused on the assertion that the government’s understanding of the CFAA would make many Americans criminals on a daily basis. The appellant gave a number of such examples that were dubbed a “list of horribles.” This term was subsequently adopted by a number of the justices. The appellant also argued that the predecessor to the CFAA, the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, which altered the language of the statute, also supported this viewpoint. Justice Sotomayor also noted that there are a number of potential federal and state criminal charges that could cover the type of conduct with which Van Buren is accused, and the rule of lenity supports a narrow reading of the statute.
The government argued that the Van Buren situation can be analogized to an employee who has the authority to access a warehouse but doesn’t have the authority to remove items from there. While this situation may be superficially appealing, this brick and mortar comparison actually does not make much sense since, in that case, the defendant would be charged with theft and not trespass, because, at its core, the CFAA is really a computer trespass statute. A number of the Justices, including Justices Gorsuch, Sotomayor and Roberts, said that the Court is being asked to narrow a statute that is “dangerously vague” and ambiguous. “My problem is that you are giving definitions that narrow the statute that the statute doesn’t have,” Sotomayor told the government attorney.
Gorsuch also expressed concern that this is just another case in a long line of cases in which the government has sought to increase the scope and breadth of criminal laws and that had to be curbed by the Supreme Court. Barrett also expressed skepticism about the way the government attempted to define the scope of the law: “It seems to me that you’re attributing an awful lot of specificity to the word ‘authorization’….” The government asserted that the appellant’s argument about the “parade of potential horribles” was overstated.
Alito appeared to be the most supportive of the government’s position, stating that he was interpreting the statute “very, very broadly.” However, he stated that the case was “very difficult to decide based on the briefs we’ve received.” Alito also asked “[w]hat exactly is ‘authorization’?” What exactly does it mean it mean to ‘obtain or alter’ information? What is the statute talking about when it speaks of ‘information in the computer.’?” He added that he doesn’t “really understand the potential scope of the statute, without having an idea about exactly what all of those terms mean.”
On balance, and while it is sometimes difficult to forecast a Supreme Court outcome, the Court seemed extremely troubled by the government’s position, especially that the outcome should rest on the meaning of the word “so.” Moreover, the Court seemed concerned that the CFAA is “dangerously vague” and could criminalize innocuous online activity. As the appellant summed up, the government should not be allowed to claim that citizens should simply trust them not to prosecute cases that involve daily activities, such as sharing a password.
Reading the Tea Leaves
The outcome of this case may have consequences for employees charged with abusing access to networks and ramifications for millions of Americans. The Court appeared skeptical that it is simply not enough that, historically, prosecutors rarely have brought cases of that sort. The Court seemed to leave no doubt that it may be left to Congress to deal with this issue. Based on the oral argument, it appears that a likely reversal should be expected next spring.