Supreme Court Narrows Computer Fraud and Abuse Act
In June 2021, the U.S. Supreme Court narrowed the scope of criminal conduct under the Computer Fraud and Abuse Act (CFAA), which among other things, subjects to criminal liability an individual who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U. S. C. § 1030(a)(2). In Van Buren v. United States, the Court overturned the conviction of a police officer who accepted a bribe to run a license-plate check as part of an FBI sting operation. The officer was entitled to access the police information system, but violated a department policy by using it for personal purposes. He was convicted and appealed to the Eleventh Circuit. Van Buren argued that “exceeds authorized access” applies to persons who access a computer that they are not entitled to operate, rather than to persons who exceed some scope of permitted conduct in an unauthorized manner. The appeals court upheld his conviction, Van Buren appealed, and the Supreme Court granted certiorari.
The Court resolved a circuit split over the meaning of “exceeds authorized access” by adopting Van Buren’s proposed “gates-up” versus “gates-down” inquiry to determine criminal liability. Rather than focus on what conduct occurred within a computer system, courts must determine whether the gate is “up” or “down.” That is, “one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” Justice Barrett, writing for the majority, relied primarily on a textual analysis of the statute’s definition of “exceeds authorized access.” But she also noted that the government’s interpretation of the statute, which would criminalize accessing information in a prohibited manner or under prohibited circumstances, “would attach criminal penalties to a breathtaking amount of commonplace computer activity.”
The decision will change the focus of prosecutors, defendants, and organizations in relation to section 1030(a)(2) enforcement. For prosecutors and criminal defendants, litigation will shift from whether an individual exceeded authorized access by performing illicit activities to the more straightforward inquiry of whether the individual was or was not authorized to access the files, folders, and databases in question. Van Buren will also affect organizations’ and corporations’ ability to refer violations of internal computer-access and privacy policies to federal law enforcement.
For example, U.S. attorneys have at times used the CFAA’s “exceeds authorized access” clause to prosecute employees who improperly use data they come across in the course of their employment. In United States v. John, the Fifth Circuit upheld a conviction under section 1030(a)(2) of a Citigroup employee who had access to customer-account information. John provided her half-brother with customer-account information for dozens of corporate accounts so that they could incur fraudulent charges. Had this conduct occurred after Van Buren was decided, John would not have been convicted of exceeding authorized access, because she was entitled to access the database where that customer information was stored.
Van Buren’s influence on organizational privacy and access requirements will reach beyond the courtroom. The Supreme Court did not decide whether limits on access must be technological or contractual, but major changes to how organizations control access will need to be implemented. Corporations and organizations that maintain private or confidential information must take steps to compartmentalize that information and restrict access to it up front, rather than merely penalize illicit interaction with the information after the fact.
The Court’s decision also raises questions about vulnerability-disclosure programs, where network users can report security flaws they discover in their company’s websites and software. Programs like these have gained popularity over the last few years, with the U.S. Department of Justice’s Computer Crime & Intellectual Property Section releasing guidance in 2017 on how to establish a vulnerability-disclosure system. With the Supreme Court changing the determination of criminal liability from an inquiry based on conduct within a restricted system to a gates-up/gates-down inquiry, disclosure programs will need to be reworked. Under the pre-Van Buren system, corporations could monitor user conduct to determine if the access to a system was for a legitimate purpose (e.g., reporting vulnerabilities) or illegitimate purpose and make decisions about whether to refer users to law enforcement accordingly. After Van Buren, organizations may have to limit vulnerability-disclosure programs to a defined set of authorized users, because any activities that a user performs within a system in which they are authorized to operate do not exceed authorized access in the Court’s interpretation of section 1030(a)(2).
Finally, the issue of how “data scraping” will be enforced under the new interpretation of the CFAA is an open question. Data scraping involves passively pulling and compiling information from public websites. In 2019, the Ninth Circuit held in hiQ Labs, Inc. v. LinkedIn Corp. that a user accessing “publicly available data will not constitute access without authorization under the CFAA.” After deciding Van Buren, the Supreme Court vacated and remanded hiQ Labs for further consideration.
In sum, the Supreme Court provided a clearer framework for determining whether a computer user exceeded their authorized access. While this will curtail the government’s ability to prosecute cases under 18 U. S. C. § 1030(a)(2), there are several other legal means by which organizations and the government can protect private information. These include contractual claims, common-law trespass, copyright infringement, fraud statutes, the Defend Trade Secrets Act, and other relevant subsections of the CFAA.