By Jonathan Knowles –

We have previously examined United States v. Van Buren, then pending before the Supreme Court of the United States. On June 3, 2021, the Supreme Court issued its opinion interpreting the Computer Fraud and Abuse Act of 1986. The Court limited violations of the Act to access of information that a person is never authorized to access using a computer. The Court did not, however, fully settle what “authorization” means under the Act.

What Happened?

Nathan Van Buren was a police sergeant in Georgia. Andrew Albo, an acquaintance of Mr. Van Buren, offered $5,000 to Mr. Van Buren if he searched police databases for a certain license plate. Mr. Albo claimed that the plate belonged to a woman he’d met at a strip club, whom he feared was an undercover police officer. Mr. Van Buren took the money and performed the search, knowing that to do so breached the policy of the Police Department.

What Mr. Van Buren didn’t know was that Mr. Albo had acted at the behest of the FBI. Mr. Van Buren was charged with violating the CFAA, convicted, and sentenced to 18 months in prison. He appealed. The Court of Appeals for the 11th Circuit affirmed his conviction.

The issue was whether someone “exceeds authorized access” under the CFAA if, for the wrong reason, he accesses information that he would otherwise be authorized to access. The 11th Circuit held that he does. Other U.S. Courts of Appeal had reached different conclusions, holding that the CFAA only prohibited accessing information that a defendant was not authorized to access.  The Court of Appeals for the Fourth Circuit, which rules on federal appeals from (among other states) Maryland and Virginia, was one of the latter. WEC California Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012). The federal court of appeals for D.C. had not addressed the issue.

How Did the Court Rule?

Justice Barrett wrote the Court’s opinion, which focused on the terms of the CFAA.

The statute is technical and complicated. It punishes one who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information . . . .” 18 U.S.C. § 1030(a)(2). It defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6) (emphasis added).

After extensively considering the grammar of the word “so,” the Court concluded that the best meaning of “exceeds authorized access” was to access information one isn’t authorized to access using a computer, rather than to access information in any manner that was not authorized. Pages 5-9. Justice Barrett also wrote that the word “so” limited the scope of the word “entitled.” Pages 9-10. The Court rejected the more common usage of the word “authorized,” holding that this usage was inconsistent with both the statutory definition and the context of the statute. Pages 11-12 and footnote 7 (page 12). The Court found the structure of the CFAA to support its interpretation. Pages 12-16. Therefore, the Court declined to invoke the rule of lenity. Page 17.

Did the Court Get It Right?

As a matter of policy, this was the right outcome.  That might sound odd, given that the Court acquitted a corrupt police officer who took bribes to undermine an ongoing investigation, but hard cases shouldn’t make bad law.  As the Court recognized, pages 17-19, adopting the government’s position could make outlaws of many unsuspecting Americans.  Taken to its logical conclusion, the government’s approach could impose criminal liability for violating a website’s terms of service.  Page 18.  After all, websites are accessed using computers.  This is not an absurd hypothetical:  as we previously wrote, federal prosecutors have convicted someone for using Myspace to perform cyber bullying.

Even a less extreme approach would criminalize widespread behavior.  We suspect that, at some point, most employees have checked the internet for personal reasons on a work computer.  (We know that our associate did, while his laptop was being repaired.)  It is common, however, for companies to prohibit their workers from using work computers for non-work reasons.  Therefore, under the government’s reading of the CFAA, doing so would be computer fraud.  Pages 17-18.  Because the CFAA also provides for a civil cause of action, such employees would be vulnerable to lawsuits as well as criminal prosecution.

Implicit in the Court’s decision was the understanding that the CFAA is a solution to a specific problem, not a prohibition on all forms of computerized wrongdoing.  For example, Justice Thomas argued in dissent that the majority’s interpretation of “exceeding authorized access” would permit government employees to disclose computer files to a foreign government.  Dissent, page 8.  Transmitting defense information to a foreign government is already a crime, however, and the specific example used by Justice Thomas (giving blueprints for atomic weapons) is punishable by death.  18 U.S.C. § 794(a).  Returning to the facts at hand, it is difficult to believe that Mr. Van Buren did not violate any state or federal laws that prohibit receipt of bribes.  In fact, Mr. Van Buren was convicted of honest-services-fraud, although the Court of Appeals overturned that conviction.  940 F.3d 1192, 1203-05 (11th Cir. 2019).

Accessing information without permission is usually grounds for some kind of punishment.  That punishment may be criminal or may be as simple as getting fired.  Regardless, those sanctions will generally deter improper access to electronic information.  Criminalizing all such access is unnecessary and, given the potential consequences, undesirable.  Even over-extending the CFAA, as the government sought, would not solve the problem.  After all, as Mr. Van Buren pointed out, a person might be able to access the information in physical as well as digital form.  Page  9.  The act would have nothing to say about that.  Even the government admitted that the CFAA wouldn’t prohibit misuse of information that had been properly accessed.  Opinion at 19.

What Remains Unclear About the CFAA?

The Court held that one doesn’t violate the CFAA if one is ever authorized to digitally access the data in question.  What the Court didn’t answer – what it specifically left open –is what constitutes authorization.  Footnote 8 (page 13).  Specifically, does authorization require actual permission to access information or merely the technological ability to do so?  For example, let’s say a company policy prohibits employees from accessing its financial documents, but those documents are saved in a network folder that can be opened (without a password) using any company computer.  If an employee looks at those documents, has he violated the FCAA?

For policy reasons, the best answer seems to be that the person must be technologically prevented from accessing the information. A different interpretation would justify the dissent’s criticism that “the person who plays a round of solitaire is a criminal under the majority’s reading if his employer . . . categorically prohibits accessing the ‘games’ folder in Windows.” Dissent at 8. Policy arguments, however, may not persuade the Court.

The general tone of the Court’s opinion seems to favor the bright-line approach of technological limitations, rather than the more ambiguous question of when a contract or policy authorizes access. There are a few hints that the Court might prefer this approach. The Court used variations of “hack” five times (Pages 9, 13, 15) and cited to an amicus brief arguing for a technological approach. Footnote 8 (page 13). Perhaps most important is the Court’s rejection of common-law principles and ordinary understandings under the CFAA. Footnotes 4 (page 8) and 7 (page 12). If the broader understandings of “authorization” are not given priority, it makes sense to use “authorization” in the computer-specific sense.

For the near future, the meaning of “authorization” will be determined by the Courts of Appeals. The Fourth Circuit has issued two decisions that might indicate a position on the issue. Arguably, it has already held that violating contractual limits violate the CFAA. In 2015, the Court of Appeals considered an employee who had accessed computer systems in a manner that was not authorized, but had also sent and deleted e-mails after being fired. The Court of Appeals found sufficient evidence for a civil jury verdict against her, because

“although Pyles was permitted to use TSI’s email to carry out her duties as human resources manager, she was not authorized to access the server through which the email functioned in the manner she did here. Additionally, her authorization to access the Blackberry terminated with her employment.”
Tech Systems, Inc. v. Pyles, 630 F. App’x 184, 187 (4th Cir. 2015).

One reading of the first sentence, and the only reading of the second, is that legal prohibitions on access could result in a lack of authorization. Tech Systems is not a published decision, however, so its precedential value is limited to the strength of its reasoning. The reasoning in this decision is limited to the two sentences just quoted.

The Court of Appeals suggested a different outcome in a precedential opinion (with far more detailed reasoning). In WEC Carolina Energy, the Court of Appeals considered the same question as in Van Buren. Unlike the Supreme Court, it found the definition insufficiently clear and rested its decision on the rule of lenity. 687 F.3d at 205-06. It also observed that other legal sanctions were available, including forms of redress for aggrieved private parties. Id. at 207 & n.4. The same reasoning suggests that “authorization” means technological authorization. The FCAA does not clearly criminalize violation of an employer’s policy or terms of use, and contract law (as well as other state law claims) would provide a remedy.

Regardless, even the most limited interpretation of the CFAA would not fully resolve an individual’s risk of prosecution. Many States have passed laws of their own restricting unauthorized use of computers. Virginia, for example, criminalizes certain actions under the Virginia Computer Crimes Act. Va. Code § 18.2-152.1 et seq. These laws do not all match the language of the CFAA and may be interpreted differently by courts.