SCOTUS Limits Reach of CFAA

A former Georgia police sergeant, Nathan Van Buren, used his patrol car computer to access license plate information for cash. Clearly wrong for a bunch of good reasons, but the feds chose to prosecute him for a violation of the Computer Fraud and Abuse Act. The CFAA was an anticipatory law, enacted in 1986 at the dawn of public computer use in recognition of these new folks, hackers they were called, breaking in and wreaking havoc. It was, as one might expect, an endless source of confusion as to what the words meant and what constituted a crime.

The Supreme Court, in a 6-3 decision written by Justice Amy Coney Barrett, limited the reach, if not the grasp, of one of the CFAA’s most troubling vagaries, making it a crime to ““to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Barrett, going full textualist, hung the decision on the meaning of the word “so,” as if anyone in Congress put in that much thought as to the phraseology.

Van Buren’s account of “so”—namely, that “so” references the previously stated “manner or circumstance” in the text of §1030(e)(6) itself—is more plausible than the Government’s. “So” is not a free-floating term that provides a hook for any limitation stated anywhere. It refers to a stated, identifiable proposition from the “preceding” text; indeed, “so” typically “[r]epresent[s]” a “word or phrase already employed,” thereby avoiding the need for repetition. 15 Oxford English Dictionary, at 887; see Webster’s Third New International Dictionary 2160 (1986) (so “often used as a substitute . . . to express the idea of a preceding phrase”). Myriad federal statutes illustrate this ordinary usage. We agree with Van Buren: The phrase “is not entitled so to obtain” is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.

So? So what. While pedants delight, there are some very real practical considerations involved here.

If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers. And indeed, numerous amici  explain why the Government’s reading of subsection (a)(2) would do just that—criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook. See Brief for Orin Kerr as Amicus Curiae.

As Orin argued in his amicus brief, the interpretation of this language in the CFAA spelled the difference between letting a few unsavory uses of computer access, like Van Buren’s, avoid culpability, at least under this law, and criminalizing almost every person’s use of computers in violation of websites’ or platforms’ terms of service, what he called contract-based violations. Did you claim on your dating app to be six feet tall? The TOS require you to be honest, and since you’re just 5’11”, you’ve committed a crime if the CFAA’s coverage included not merely your authority to access, but your use of that access in accordance with the restrictions that come along with it. Like telling the truth or not selling license plate info for cash.

In sum, an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—
such as files, folders, or databases—that are off limits to him. The parties agree that Van Buren accessed the law enforcement database system with authorization. The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could. Van Buren accordingly did not “excee[d] authorized access” to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.

Whether Barrett’s textual reliance explains how the Court got there is best left for people who obsess about such things. I do not. However, Justice Clarence Thomas, in dissent, spells out fairly clearly the importance of this decision.

The number of federal laws and regulations that trigger criminal penalties may be as
high as several hundred thousand. Fields & Emshwiller, Many Failed Efforts To Count Nation’s Federal Criminal Laws, Wall-Street Journal (July 23, 2011).* It is understandable to be  uncomfortable with so much conduct being criminalized, but that discomfort does not give us authority to alter statutes.

And his point is well taken, if misapplied. Had the CFAA been more clearly written so as to leave no doubt as to whether authorized computer access used in a manner that varies from what the computer’s owner intended, whether that be a police computer or Bumble, then Thomas’ point would be better taken. If Congress enacted a law that said “we want this incredibly stupid outcome because reasons,” it’s not for the Court to disagree with Congress’ policy. But Congress didn’t say so, and certainly didn’t say so clearly enough to turn pretty much every computer user into a federal criminal.

To be fair to Congress, it was pretty remarkable that they had the foresight to enact the CFAA in 1986 at all. The World Wide Web was pretty much an empty wasteland back then, and the rise of hacking was a very different problem than what it is today, and likely what it might be ten years from now. Who could have foreseen that websites would grant users conditional access subject to terms of service that no one would ever read, know or give a damn about, but would “use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain”?

This isn’t to say that what Van Buren did was cool, as it clearly was an abuse of his authority to access the police license plate database to sell for cash, but letting Van Buren skate on this count means that others, say someone like Aaron Swartz or you, gets to skate as well. Given Thomas’ very real concerns about the number of federal crimes, the burden was upon Congress to write a law that clearly compelled a bad policy conclusion. Since it didn’t, it saved America from being a nation filled with computer criminals in their normal, ordinary daily use.

5 thoughts on “SCOTUS Limits Reach of CFAA

  1. DaveL

    Isn’t the Vagueness Doctrine there specifically to avoid the issue of courts deciding where to draw the line of criminality, in the face of a sloppy statute?

    1. SHG Post author

      Canons of statutory interpretation like the Vagueness Doctrine (and the Rule of Lenity) are most often honored in the breach, unfortunately. Had the Court invoked the doctrine, would it have answered the interpretation question or voided the statute (or a significant portion thereof) for vagueness?

      1. BCP

        It would have voided it for vagueness, and sent congress back to to try again, hopefully with instructions to re-draft a new version before starting happy hour this time. The statute’s problem is less that it is vague and more that it is stupidly overbroad, though. My particular circuit had been applying Justice Thomas’s logic and the outcome has been terrible for justice, but arguably quite correct (until today) under law.

Comments are closed.