Do We Even Need the Computer Fraud & Abuse Act (CFAA)?–Van Buren v. US

Last week, the Supreme Court decided Van Buren v. US. Many hoped the decision would clarify how owners can delimit third-party usage of their computer resources for purposes of the Computer Fraud & Abuse Act (CFAA). Disappointingly, the court explicitly punted on that key question, though the decision probably will prompt lower courts to narrow the CFAA’s scope anyway. To me, the case’s real story is how much the CFAA unhelpfully overlaps with other legal doctrines. Rather than tendentious parsing of the CFAA’s words, we should be asking why we need the CFAA at all.

The Court Decision

Van Buren, a law enforcement officer, was the target of a sting operation. He accepted a bribe to search a law enforcement computer database (that Van Buren had access to as part of his job) and disclose the search results in violation of department policy. The legal question is whether Van Buren exceeded his authorization to access his employer’s computing device by conducting an improperly motivated computer query.

The majority opinion by Barrett and the dissent by Thomas spend most of their time debating the techniques for statutory interpretation. It’s interesting to watch two so-called textualist judges snipe at each other over the words “so” and “entitled.” It’s a reminder that textualism doesn’t have a single canonical set of operating instructions.

Regarding the CFAA, Justice Barrett summarizes the majority holding:

an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him. The parties agree that Van Buren accessed the law enforcement database system with authorization. The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could. Van Buren accordingly did not “excee[d] authorized access” to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose

So Van Buren beats the CFAA charge.

The holding turns on when computer “areas” are “off limits.” That raises the natural follow-on question: how can computer owners declare “areas” “off limits” in a legally binding way? On this front, Justice Barrett made inconsistent statements.

First, she discussed the idea (urged by Van Buren) that “access” in the CFAA depends on “gates up or down.” Unfortunately, this “gates” concept doesn’t really help. The key questions, which the majority didn’t explain, are what constitutes a gate and how a user knows if and when gates are in place.

Second, Barrett discussed some policy concerns with attempts to impose non-technological restrictions on computer access:

If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.

This seemingly suggests that the CFAA recognizes only technological gates. Yet, in FN8, Justice Barrett makes it clear that’s NOT what she’s saying: “we need not address whether this inquiry turns only on technological (or ‘code-based’) limitations on access, or instead also looks to limits contained in contracts or policies.”

So, can computer owners use “contracts or policies” to delimit computer access for CFAA purposes? Per FN8, the majority didn’t answer that question at all.

Implications

This opinion rejected numerous DOJ positions, so the DOJ will need to reexamine how it interprets the CFAA. Some other common CFAA scenarios:

  • Employees downloading files before departure. Because Van Buren was an employee of the police department, I think courts will become more reluctant to apply the CFAA in the employment context. Recall that the DTSA was enacted in part to take the pressure off the CFAA, so any CFAA scaleback will not leave employers defenseless.
  • Server usage in violation of TOS terms (e.g., US v. Nosal). FN8 made it clear that the court didn’t resolve this issue. Nevertheless, I think courts will reference the majority’s policy discussion to conclude that TOS terms can’t delimit CFAA access.
  • Server usage after the owner sends a cease-and-desist letter (e.g., Facebook v. Power Ventures). The opinion doesn’t touch this issue. For that reason, I think courts are likely to continue treating C&Ds as sufficient to withdraw authorization for CFAA purposes. This stance always strikes me as backwards. It means that C&Ds–unilateral demands from the sender, often only loosely tethered to the law–have greater legal effect than properly formed bilateral contracts (TOSes).
  • IP address blocks. I’ve always felt that IP address blocks were persuasive evidence of withdrawn access, and the majority might consider them technological “gates down”–but possibly only with respect to that IP address. Would they also delimit access if the user uses fresh unblocked IP addresses?
  • Robot exclusion headers. One could argue that REHs are also technological gates. However, they are only voluntary technical instructions, so I’m not sure this opinion will give them more effect.

The CFAA’s Future

Van Buren’s primary legal violations are (1) as a law enforcement officer, he accepted a bribe, and (2) he disclosed private information to a non-permitted recipient. Either of those violations should be enough to ensure his punishment. The fact that Van Buren committed these violations using a computer database feels mostly irrelevant. We’d still want to equally punish Van Buren if he had obtained the verboten information from a hard-copy police record rather than a computer database. For that reason, shoehorning Van Buren’s activity into the CFAA feels gratuitous. (It’s like the typical computer exceptionalism of treating some anti-social behavior as worse because it’s done “by a computer”).

This doctrinal redundancy occurs with many other applications of the CFAA. Employee misappropriation is covered by trade secrets. Scraping is covered by contracts, copyright, and more. Hacking is covered by many other legal doctrines, including the ECPA. The question we should be asking is: what CFAA scenarios are NOT adequately covered by other legal doctrines? While doctrinal overlap isn’t inherently bad, it can be problematic. For example, prosecutorial charge-stacking can lead to unjust outcomes (e.g., the tragic death of Aaron Swartz).

As I wrote in 2013:

Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making.  Unfortunately, I think the experiment has failed completely.  The CFAA and state computer crime laws initially were designed to restrict hackers from breaching computer security—a sensible objective that…should be preserved.  The expansion of these laws to cover all sending or receiving of data from an Internet-connected server hasn’t worked.

My proposed solution in 2013:

1) Repeal most provisions of the CFAA (that don’t relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online.  Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.

2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.

3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.

4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).

(I might rethink #4 nowadays, but it was designed to make sure C&Ds and non-binding online disclosures didn’t delimit access).

Perhaps the Van Buren case will sufficiently curb the doctrinal sprawl the CFAA has accumulated over the past 35 years. Otherwise, the CFAA needs a fresh-eyed and holistic review from Congress.

Case Citation: Van Buren v. U.S., No. 19–783 (U.S. Sup. Ct. June 3, 2021)