The Supreme Court has granted certiorari in its first Computer Fraud and Abuse Act (CFAA) case, Van Buren v. United States. CFAA is the federal anti-hacking law that the criminal defense and civil liberties bars have argued has been used aggressively well beyond what the drafters would have envisioned. The case could define the contours of the CFAA for a generation. The narrow question in the appeal is whether CFAA’s restriction on exceeding authorized access to a computer bars an otherwise valid user from using the system for an improper purpose.
The petitioner is Nathan Van Buren, a former Georgia police officer. Van Buren sought review of his CFAA conviction stemming from a charge that he had exceeded the scope of his authorized access to a law enforcement database. An FBI sting operation recorded conversations between Van Buren and one Andrew Albo. Albo gave Van Buren $5000. Van Buren insisted he offered to return the money. Albo returned later with another $1000, and a fake license plate number. The plate allegedly belonged to the stripper Albo was interested in. Albo wanted to know if she was an undercover police officer. Van Buren insisted he was not charging for helping Albo. He then ran the number through the Georgia Crime Information Center (GCIC) database. Van Buren had a right to access the GCIC, maintained by the Georgia Bureau of Investigation (GBI), as a police officer. The FBI and GBI interviewed Van Buren the day after he ran the license number through GCIC. During the interview, he admitted to conducting the search. He was convicted of violating the CFAA. The Eleventh Circuit, relying on Circuit precedent, rejected his argument on appeal that he had a right to use the database as a police officer. It reasoned that the CFAA conviction was valid because he had used the database for inappropriate reasons.
The CFAA is 34 years old. It dates to a world where few people dealt with computers. Defense attorneys have long complained that the statutory language is too sweeping. In a world of ubiquitous computers, it subsumes too many activities beyond malicious hacking. The statutory language at issue states that anyone who “intentionally accesses a computer without authorization or exceeds authorized access” violates the CFAA. In effect, CFAA Section (a)(2) bars obtaining information from any protected computer by accessing it without authorization or exceeding authorization parameters. Exceeding authorized access is defined as accessing “a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Violation carries both civil and criminal penalties.
The Supreme Court will resolve a significant split. The First, Fifth, Seventh, and Eleventh Circuits, interpret Section 1030(a)(2)’s prohibition on exceeding authorized access to apply to individuals who obtain information on a computer for an improper purpose. The Second, Fourth, and Ninth Circuits interpret Section 1030(a)(2) to cover only those instances in which individuals access information on a computer which they had no right to access for any purpose. It is awkward for the same conduct to be a crime in some parts of the country, but perfectly innocent in others.
CFAA prosecutions are common. Many stem from alleged misuse of resources or access to information. The CFAA has been interpreted and used in many different ways over time. That is why the case has ramifications beyond cybersecurity. For instance, employers can use it against former employees to deter competition. And Judge Reinhardt noted in a dissent in the Ninth Circuit’s Nosal case noted, under an expansive CFAA interpretation, even sharing a Netflix password can be a federal crime. So, theoretically, can be lying about your age on a dating website.
Even in Van Buren, the Eleventh Circuit acknowledged the public policy concerns discussed by the Circuits that require a higher showing. Those Circuits have reasoned that interpreting Section 1030(a)(2) to apply more broadly (such as in Van Buren) could transform ordinary violations of an employer’s computer-use policy, such as an employee utilizing his work computer for personal use, into federal crimes. As a result, these Circuits have interpreted Section 1030(a)(2) narrowly to apply only where an individual accesses information that he has no right to access under any circumstances – for example, by hacking into a computer.
The Supreme Court’s decision, expected in 2021, may resolve the Circuit split on the issue. The holding would significantly affect law enforcement and employers across the nation. Affirming the Eleventh Circuit would make the CFAA the centerpiece of computer lawfare. Van Buren and his supporters insist that such a result would transform the CFAA from an anti-hacker tool to an all-purpose computer usage policing mechanism. Opponents argue that such fears are baseless. They insist that the CFAA has not been used in the First, Fifth, Seventh, or Eleventh Circuits to prosecute routine activities that violate “private computer-use policies.”
In their view, affirming the Eleventh Circuit would enable the government to prosecute, and private sector entities to seek compensation, for the misuse of confidential information for prohibited uses. It would also dampen the exploitation of vulnerabilities in computer systems. In contexts where other legal channels fall short, such as difficulties establishing theft of trade secrets, the CFAA could provide recourse. After 34 years, a Supreme Court decision, expected in 2021, can provide guidance in this highly charged– activist Aaron Schwartz committed suicide during his prosecution – area of the law.