The CFAA “Gates-Up-or-Down” Metaphor Is Baffling Courts–ACI v. Conservice (Guest Blog Post)
by guest blogger Kieran McCarthy
I have a friend who is a professor of literature. He once joined a book club with other professors of literature dedicated to analyzing James Joyce’s notoriously opaque classic, Finnegan’s Wake. They met weekly and combed through the book line by line, trying to make sense of all the dense metaphors and obscure references. As he told the story, they had planned to go through the entire book together. But they quit after three months, having only made it to page six, realizing that at the rate they were going, it was going to take them more than 26 years to get through the whole book.
This is basically how I feel about the Supreme Court’s opinion in Van Buren v. United States 141 S.Ct. 1648 (2021)—the first and only Supreme Court opinion to interpret the Computer Fraud and Abuse Act. As with Finnegan’s Wake, the most important content of that opinion comes in the form of an opaque metaphor, the “gates-up-or-gates-down inquiry.” And while I may have my own opinions about what that metaphor means (and if it has any meaning at all), every time I read about how others interpret it, the results are different.
Take, for example, the District Court of Utah’s March 3rd opinion in ACI Payments, Inc. v. Conservice, LLC, No. 1:21-cv-00084-RJS-CMR, 2022 WL 622214 (D. Utah, March 3, 2022).
I read the Van Buren opinion as saying that liability under both clauses of the CFAA—both the “without authorization” prong and the “exceeds authorized access” prong—“stem[] from a gates-up-or-down inquiry.” And the reason I think that, is this passage from the Court’s opinion.
Under Van Buren’s reading, liability under both clauses stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system. This treats the clauses consistently and aligns with the computer-context understanding of access as entry. By contrast, the Government proposes to read the first phrase “without authorization” as a gates-up-or-down inquiry and the second phrase “exceeds authorized access” as dependent on the circumstances—a reading inconsistent with subsection (a)(2)’s design and structure. The Government’s reading leaves unanswered why the statute would prohibit accessing computer information, but not the computer itself, for an improper purpose.
Van Buren at 1658.
Since the Court ruled in favor of Van Buren, I just assumed that the Court had adopted Van Buren’s reading of the CFAA and rejected the Government’s reading. The court never actually declared, “the correct interpretation of the CFAA is that liability under both clauses of the CFAA stems from a gates-up-or-down inquiry.” But that certainly seemed like the logical conclusion based on what they did say.
But that’s not how lower courts are interpreting Van Buren. Since last June, at least six federal district courts have interpreted Van Buren to say that it provides little or no guidance on the “without authorization” clause of the CFAA. Specifically, the court in ACI Payments said:
While Conservice is correct that Van Buren precludes liability under the exceeds authorized access prong for those who use authorized access to a computer for an unauthorized purpose, ACI adequately alleges liability under the without authorization prong. Since Van Buren was decided, numerous district courts have recognized that Van Buren’s holding applies only to the exceeds authorized access prong and did not similarly limit the scope of the other provisions of the CFAA, including the without authorization prong.
ACI Payments at *9.
The District Court of Utah is correct that other district courts are saying this. For example, RyanAir DAC v. Booking Holdings Inc. et al last December said:
The Court does not view Van Buren as preventing Ryanair from bringing any viable CFAA claim against Defendants. Van Buren specifically addressed what it means for a computer user to “exceed[] authorized access,” as that term is used in the CFAA. Ryanair alleges that Defendants acted “without authorization,” which implicates a distinct statutory prohibition that was not at issue in Van Buren.
But it is crazy that district courts have come to this consensus. For one thing, the passage I quoted above from Van Buren strongly implies that the correct reading of the CFAA is to interpret the two clauses under the same standard. But also, if Van Buren provides no guidance on the “without authorization” prong of the CFAA, then why was hiQ Labs, a Ninth Circuit case that was decided under the “without authorization” prong of the CFAA, remanded to the Ninth Circuit “for further consideration in light of Van Buren v. United States”? How can the Ninth Circuit engage in further consideration in light of an opinion that provides no guidance on that “distinct statutory prohibition”? That’s nonsense.
This seems like an obviously-wrong interpretation of Van Buren. But again, six different district courts have reached consensus on that interpretation in the last nine months!
If you think about it, though, how can anyone be wrong when the only instructions we got from the Supreme Court was a metaphor to guide us with future interpretation of the CFAA (along with confusing footnotes on how that metaphor might be interpreted)? That’s the thing about metaphors; you can do whatever you want with them. And that’s what we have to look forward to with future jurisprudence of the CFAA, endless muddled interpretations of an opaque and unhelpful metaphor.
Let’s just hope we can figure out what it all means in less than 26 years.
[Eric’s bonus: one more thing about the “gates-up-or-down” metaphor. Does gates “up” mean that the service has successfully implemented appropriate technological blocking measures, or does it mean the absence of such measures? If the gate is a portcullis, then gates “up” should mean the absence of restrictions. If the gate is a fence, then gates “up” should mean the restriction (i.e., the gate) is present. So I don’t even know if gates “up” is a good or a bad thing for defendants. Such an unhelpful metaphor.]
Pingback: Database Access After Failed Negotiations Didn't Violate the CFAA-Carfax v. Accu-Trade - Technology & Marketing Law Blog()