from the it's-a-start dept
For many years we’ve written about the problems with the CFAA. That’s the supposedly “anti-hacking” law, with both civil and criminal components, that makes it a violation to use a computer in a manner that “exceeds authorized access.” Law enforcement and the courts in the past often (though not always) took an extremely broad read of “unauthorized access” in such a manner that basically all sorts of cases that involved a computer included CFAA claims. And even if all the other claims fell away, the CFAA claims often lasted, which is why it has been dubbed “the law that sticks.” Part of the underlying issue is that law enforcement and some courts wanted to read “unauthorized access” to include using a computer system you had legitimate access to, but for unauthorized purposes.
Famously, this has included cases around not abiding by terms of service that were never read, seemingly benign password sharing, scraping your own data off a web page, and perhaps most troubling of all, downloading too many files.
This week, the Supreme Court finally ruled on the CFAA and its limits in the Van Buren case, which we’ve covered before, including why the Supreme Court needed to push back on some courts’ broad interpretation of the law.
The case involved Nathan Van Buren, a former police sergeant who abused his access to law enforcement databases to run a search that he had no legitimate law enforcement reason for. Now, there are all sorts of reasons people should condemn Van Buren for abusing his power. But the key question in the case was whether or not doing so violated the CFAA and was a form of hacking because the access was unauthorized.
Thankfully, the Supreme Court correctly ruled that this particular use did not violate the CFAA. While it may have violated the police department’s policies, that does not make it “exceed authorized access.”
Beyond that, though, the 6 to 3 decision is… well… a bit of a mess. It could have clearly stated that merely violating a policy while having full practical access to a computer system means there’s no CFAA violation. And at times, it seems to suggest that’s what it’s saying. But it doesn’t say that entirely clearly… and, in fact, there’s a weird footnote (footnote 8) that seems to undermine that premise.
For present purposes, we need not address whether this inquiry turns
only on technological (or “code-based”) limitations on access, or instead
also looks to limits contained in contracts or policies.
This has raised some eyebrows among many commentators, though it’s all too common with the Roberts Supreme Court these days, in which the court declines to make a clear bright line rule on things it easily could, instead trying to narrowly limit the decisions. Of course, sometimes that’s good, but unfortunately it often muddles things, as may be the case here.
The actual reasoning behind the decision is interesting in its own way, and includes a detailed discussion on the meaning of the word “so.” Specifically, what does “so” mean here:
“to access a computer with
authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so
And thus, you get a debate over what exactly that “so” is doing in there (regulation drafters beware!):
The parties agree that Van Buren “access[ed] a computer
with authorization” when he used his patrol-car computer
and valid credentials to log into the law enforcement database. They also agree that Van Buren “obtain[ed] . . . information in the computer” when he acquired the license-plate
record for Albo. The dispute is whether Van Buren was “entitled so to obtain” the record.
“Entitle” means “to give . . . a title, right, or claim to
something.” Random House Dictionary of the English Language 649 (2d ed. 1987). See also Black’s Law Dictionary
477 (5th ed. 1979) (“to give a right or legal title to”). The
parties agree that Van Buren had been given the right to
acquire license-plate information—that is, he was “entitled
to obtain” it—from the law enforcement computer database.
But was Van Buren “entitled so to obtain” the license-plate
information, as the statute requires?
Van Buren says yes. He notes that “so,” as used in this
statute, serves as a term of reference that recalls “the same
manner as has been stated” or “the way or manner described.” Black’s Law Dictionary, at 1246; 15 Oxford English Dictionary 887 (2d ed. 1989). The disputed phrase “entitled so to obtain” thus asks whether one has the right, in
“the same manner as has been stated,” to obtain the relevant information. And the only manner of obtaining information already stated in the definitional provision is “via a
computer [one] is otherwise authorized to access.” Reply
Brief 3. Putting that together, Van Buren contends that the
disputed phrase—“is not entitled so to obtain”—plainly refers to information one is not allowed to obtain by using a
computer that he is authorized to access. On this reading, if
a person has access to information stored in a computer—
e.g., in “Folder Y,” from which the person could permissibly
pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled
the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which
the person lacks access, he violates the CFAA by obtaining
The Government agrees that the statute uses “so” in the
word’s term-of-reference sense, but it argues that “so”
sweeps more broadly. It reads the phrase “is not entitled so
to obtain” to refer to information one was not allowed to obtain in the particular manner or circumstances in which he
obtained it. The manner or circumstances in which one has
a right to obtain information, the Government says, are defined by any “specifically and explicitly” communicated limits on one’s right to access information. Brief for United
States 19. As the Government sees it, an employee might
lawfully pull information from Folder Y in the morning for
a permissible purpose—say, to prepare for a business meeting—but unlawfully pull the same information from Folder
Y in the afternoon for a prohibited purpose—say, to help
draft a resume to submit to a competitor employer.
The Government’s interpretation has surface appeal but
proves to be a sleight of hand. While highlighting that “so”
refers to a “manner or circumstance,” the Government simultaneously ignores the definition’s further instruction that
such manner or circumstance already will “‘ha[ve] been
stated,’” “‘asserted,’” or “‘described.’” Id., at 18 (quoting
Black’s Law Dictionary, at 1246; 15 Oxford English Dictionary, at 887). Under the Government’s approach, the relevant circumstance—the one rendering a person’s conduct
illegal—is not identified earlier in the statute. Instead, “so”
captures any circumstance-based limit appearing anywhere—in the United States Code, a state statute, a private
agreement, or anywhere else. And while the Government
tries to cabin its interpretation by suggesting that any such
limit must be “specifically and explicitly” stated, “express,”
and “inherent in the authorization itself,” the Government
does not identify any textual basis for these guardrails.
Brief for United States 19; Tr. of Oral Arg. 41.
Van Buren’s account of “so”—namely, that “so” references
the previously stated “manner or circumstance” in the text
of §1030(e)(6) itself—is more plausible than the Government’s. “So” is not a free-floating term that provides a hook
for any limitation stated anywhere. It refers to a stated,
identifiable proposition from the “preceding” text; indeed,
“so” typically “[r]epresent[s]” a “word or phrase already employed,” thereby avoiding the need for repetition. 15 Oxford
English Dictionary, at 887; see Webster’s Third New International Dictionary 2160 (1986) (so “often used as a substitute . . . to express the idea of a preceding phrase”). Myriad
federal statutes illustrate this ordinary usage. We agree with Van Buren: The phrase “is not entitled so to obtain” is
best read to refer to information that a person is not entitled
to obtain by using a computer that he is authorized to access.
The Government’s primary counterargument is that Van
Buren’s reading renders the word “so” superfluous. Recall
the definition: “to access a computer with authorization and
to use such access to obtain . . . information in the computer
that the accesser is not entitled so to obtain.” §1030(e)(6)
(emphasis added). According to the Government, “so” adds
nothing to the sentence if it refers solely to the earlier
stated manner of obtaining the information through use of
a computer one has accessed with authorization. What
matters on Van Buren’s reading, as the Government sees
it, is simply that the person obtain information that he is
not entitled to obtain—and that point could be made even
if “so” were deleted. By contrast, the Government insists,
“so” makes a valuable contribution if it incorporates all of
the circumstances that might qualify a person’s right to obtain information. Because only its interpretation gives “so”
work to do, the Government contends, the rule against superfluity means that its interpretation wins. See Republic
of Sudan v. Harrison, 587 U. S. ___, ___ (2019) (slip op., at
But the canon does not help the Government because Van
Buren’s reading does not render “so” superfluous. As Van
Buren points out, without “so,” the statute would allow individuals to use their right to obtain information in nondigital form as a defense to CFAA liability. Consider, for example, a person who downloads restricted personnel files
he is not entitled to obtain by using his computer. Such a
person could argue that he was “entitled to obtain” the information if he had the right to access personnel files
through another method (e.g., by requesting hard copies of
the files from human resources). With “so,” the CFAA forecloses that theory of defense. The statute is concerned with
what a person does on a computer; it does not excuse hacking into an electronic personnel file if the hacker could have
walked down the hall to pick up a physical copy.
This clarification is significant because it underscores
that one kind of entitlement to information counts: the right
to access the information by using a computer. That can
expand liability, as the above example shows. But it narrows liability too. Without the word “so,” the statute could
be read to incorporate all kinds of limitations on one’s entitlement to information. The dissent’s take on the statute
It then goes into a rebuttal of the dissent, which takes on a different interpretation of “so” but feels that it can get to a reasonable outcome by focusing, instead, on “entitled.” But the majority decision notes that such a reading results in problems:
The dissent’s approach to the word “entitled” fares fine in
the abstract but poorly in context. The statute does not refer to “information . . . that the accesser is not entitled to
obtain.” It refers to “information . . . that the accesser is not
entitled so to obtain.” 18 U. S. C. §1030(e)(6) (emphasis
added). The word “entitled,” then, does not stand alone, inviting the reader to consider the full scope of the accesser’s
entitlement to information. The modifying phrase “so to obtain” directs the reader to consider a specific limitation on
the accesser’s entitlement: his entitlement to obtain the information “in the manner previously stated.” Supra, at 7.
And as already explained, the manner previously stated is
using a computer one is authorized to access. Thus, while
giving lipservice to Van Buren’s reading of “so,” the dissent,
like the Government, declines to give “so” any limiting function.
The dissent cannot have it both ways. The consequence
of accepting Van Buren’s reading of “so” is the narrowed
scope of “entitled.” In fact, the dissent’s examples implicitly
concede as much: They all omit the word “so,” thereby giving “entitled” its full sweep. See post, at 3–4. An approach
that must rewrite the statute to work is even less persuasive than the Government’s.
The majority also points out that the government’s own focus on “exceeds authorized access” is equally problematic, first in that it ignores the definition in the actual law:
The Government falls back on what it describes as the
“common parlance” meaning of the phrase “exceeds authorized access.” Brief for United States 20–21. According to
the Government, any ordinary speaker of the English language would think that Van Buren “exceed[ed] his authorized access” to the law enforcement database when he obtained license-plate information for personal purposes. Id.,
at 21. The dissent, for its part, asserts that this point “settles” the case. Post, at 9.
If the phrase “exceeds authorized access” were all we had
to go on, the Government and the dissent might have a
point. But both breeze by the CFAA’s explicit definition of
the phrase “exceeds authorized access.”
But, more importantly, the government’s approach creates a series of ridiculous interpretations:
By contrast, the Government’s reading of the “exceeds authorized access” clause creates “inconsistenc[ies] with the
design and structure” of subsection (a)(2). University of
Tex. Southwestern Medical Center v. Nassar, 570 U. S. 338,
353 (2013). As discussed, the Government reads the “exceeds authorized access” clause to incorporate purpose-based limits contained in contracts and workplace policies.
Yet the Government does not read such limits into the
threshold question whether someone uses a computer
“without authorization”—even though similar purpose restrictions, like a rule against personal use, often govern
one’s right to access a computer in the first place. See, e.g.,
Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F. 3d
756, 757 (CA6 2020). Thus, the Government proposes to
read the first phrase “without authorization” as a gates-up-or-down inquiry and the second phrase “exceeds authorized
access” as one that depends on the circumstances. The Government does not explain why the statute would prohibit
accessing computer information, but not the computer itself, for an improper purpose.
The Government’s position has another structural problem. Recall that violating §1030(a)(2), the provision under
which Van Buren was charged, also gives rise to civil liability. See §1030(g). Provisions defining “damage” and “loss”
specify what a plaintiff in a civil suit can recover.
“‘[D]amage,’” the statute provides, means “any impairment
to the integrity or availability of data, a program, a system,
or information.” §1030(e)(8). The term “loss” likewise relates to costs caused by harm to computer data, programs,
systems, or information services. §1030(e)(11). The statutory definitions of “damage” and “loss” thus focus on technological harms—such as the corruption of files—of the
type unauthorized users cause to computer systems and
data. Limiting “damage” and “loss” in this way makes
sense in a scheme “aimed at preventing the typical consequences of hacking.” Royal Truck, 974 F. 3d, at 760. The
term’s definitions are ill fitted, however, to remediating
“misuse” of sensitive information that employees may permissibly access using their computers. Ibid. Van Buren’s
situation is illustrative: His run of the license plate did not impair the “integrity or availability” of data, nor did it otherwise harm the database system itself.
Finally, and rightly, the majority opinion recognizes just how much the CFAA would criminalize under the government’s interpretation:
To top it all off, the Government’s interpretation of the
statute would attach criminal penalties to a breathtaking
amount of commonplace computer activity…..
If the “exceeds authorized access” clause criminalizes
every violation of a computer-use policy, then millions of
otherwise law-abiding citizens are criminals. Take the
workplace. Employers commonly state that computers and
electronic devices can be used only for business purposes.
So on the Government’s reading of the statute, an employee
who sends a personal e-mail or reads the news using her
work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which
provide “information” from “protected computer[s],”
§1030(a)(2)(C)—authorize a user’s access only upon his
agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of
circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass
violations of such restrictions on website providers’ computers. And indeed, numerous amici explain why the Government’s reading of subsection (a)(2) would do just that—
criminalize everything from embellishing an online-dating
profile to using a pseudonym on Facebook
The majority was written by new Justice Amy Coney Barrett, and joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh. The dissent was written by Justice Thomas, with Chief Justice Roberts and Justice Alito.
Overall, the thrust of the decision is good, with a few oddities and that one weird footnote. But it’s much better than simply accepting the government’s warped interpretation of the CFAA.