Supreme Court Finally Limits Widely Abused Computer Hacking Law... But Just A Bit
For many years we've written about the problems with the CFAA. That's the supposedly "anti-hacking" law, with both civil and criminal components, that makes it a violation to use a computer in a manner that "exceeds authorized access." Law enforcement and the courts in the past often (though not always) took an extremely broad read of "unauthorized access," in such a manner that basically all sorts of cases that involved a computer included CFAA claims. And even if all the other claims fell away, the CFAA claims often lasted, which is why it has been dubbed "the law that sticks." Part of the underlying issue is that law enforcement and some courts wanted to read "unauthorized access" to include using a computer system you had legitimate access to, but for unauthorized purposes.
Famously, this has included cases around not abiding by terms of service that were never read, seemingly benign password sharing, scraping your own data off a web page, and perhaps most troubling of all, downloading too many files.
This week, the Supreme Court finally ruled on the CFAA and its limits in the Van Buren case, which we've covered before, including why the Supreme Court needed to push back on some courts' broad interpretation of the law.
The case involved Nathan Van Buren, a former police sergeant who abused his access to law enforcement databases to run a search that he had no legitimate law enforcement reason for. Now, there are all sorts of reasons people should condemn Van Buren for abusing his power. But the key question in the case was whether or not doing so violated the CFAA and was a form of hacking because the access was unauthorized.
Thankfully, the Supreme Court correctly ruled that this particular use did not violate the CFAA. While it may have violated the police department's policies, that does not make it "exceed authorized access."
Beyond that, though, the 6 to 3 decision is... well... a bit of a mess. It could have clearly stated that merely violating a policy while having full practical access to a computer system means there's no CFAA violation. And at times, it seems to suggest that's what it's saying. But it doesn't say that entirely clearly... and, in fact, there's a weird footnote (footnote 8) that seems to undermine that premise.
For present purposes, we need not address whether this inquiry turns only on technological (or "code-based") limitations on access, or instead also looks to limits contained in contracts or policies.
This has raised some eyebrows among many commentators, though it's all too common with the Roberts Supreme Court these days, in which the court declines to make a clear bright line rule on things it easily could, instead trying to narrowly limit the decisions. Of course, sometimes that's good, but unfortunately it often muddles things, as may be the case here.
The actual reasoning behind the decision is interesting in its own way, and includes a detailed discussion on the meaning of the word "so." Specifically, what does "so" mean here:
"to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain."
And thus, you get a debate over what exactly that "so" is doing in there (regulation drafters beware!):
The parties agree that Van Buren "access[ed] a computer with authorization" when he used his patrol-car computer and valid credentials to log into the law enforcement database. They also agree that Van Buren "obtain[ed] . . . information in the computer" when he acquired the license-plate record for Albo. The dispute is whether Van Buren was "entitled so to obtain" the record.
"Entitle" means "to give . . . a title, right, or claim to something." Random House Dictionary of the English Language 649 (2d ed. 1987). See also Black's Law Dictionary 477 (5th ed. 1979) ("to give a right or legal title to"). The parties agree that Van Buren had been given the right to acquire license-plate information-that is, he was "entitled to obtain" it-from the law enforcement computer database. But was Van Buren "entitled so to obtain" the license-plate information, as the statute requires?
Van Buren says yes. He notes that "so," as used in this statute, serves as a term of reference that recalls "the same manner as has been stated" or "the way or manner described." Black's Law Dictionary, at 1246; 15 Oxford English Dictionary 887 (2d ed. 1989). The disputed phrase "entitled so to obtain" thus asks whether one has the right, in "the same manner as has been stated," to obtain the relevant information. And the only manner of obtaining information already stated in the definitional provision is "via a computer [one] is otherwise authorized to access." Reply Brief 3. Putting that together, Van Buren contends that the disputed phrase-"is not entitled so to obtain"-plainly refers to information one is not allowed to obtain by using a computer that he is authorized to access. On this reading, if a person has access to information stored in a computer-e.g., in "Folder Y," from which the person could permissibly pull information-then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited "Folder X," to which the person lacks access, he violates the CFAA by obtaining such information.
The Government agrees that the statute uses "so" in the word's term-of-reference sense, but it argues that "so" sweeps more broadly. It reads the phrase "is not entitled so to obtain" to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. The manner or circumstances in which one has a right to obtain information, the Government says, are defined by any "specifically and explicitly" communicated limits on one's right to access information. Brief for United States 19. As the Government sees it, an employee might lawfully pull information from Folder Y in the morning for a permissible purpose-say, to prepare for a business meeting-but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purpose-say, to help draft a resume to submit to a competitor employer.
The Government's interpretation has surface appeal but proves to be a sleight of hand. While highlighting that "so" refers to "a manner or circumstance," the Government simultaneously ignores the definition's further instruction that such manner or circumstance already will "'ha[ve] been stated,'" "'asserted,'" or "'described.'" Id., at 18 (quoting Black's Law Dictionary, at 1246; 15 Oxford English Dictionary, at 887). Under the Government's approach, the relevant circumstance-the one rendering a person's conduct illegal-is not identified earlier in the statute. Instead, "so" captures any circumstance-based limit appearing anywhere-in the United States Code, a state statute, a private agreement, or anywhere else. And while the Government tries to cabin its interpretation by suggesting that any such limit must be "specifically and explicitly" stated, "express," and "inherent in the authorization itself," the Government does not identify any textual basis for these guardrails. Brief for United States 19; Tr. of Oral Arg. 41.
Van Buren's account of "so"-namely, that "so" references the previously stated "manner or circumstance" in the text of §1030(e)(6) itself-is more plausible than the Government's. "So" is not a free-floating term that provides a hook for any limitation stated anywhere. It refers to a stated, identifiable proposition from the "preceding" text; indeed, "so" typically "[r]epresent[s]" a word or phrase "already employed," thereby avoiding the need for repetition. 15 Oxford English Dictionary, at 887; see Webster's Third New International Dictionary 2160 (1986) (so "often used as a substitute . . . to express the idea of a preceding phrase"). Myriad federal statutes illustrate this ordinary usage. We agree with Van Buren: The phrase "is not entitled so to obtain" is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.
The Government's primary counterargument is that Van Buren's reading renders the word "so" superfluous. Recall the definition: "to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain." §1030(e)(6) (emphasis added). According to the Government, "so" adds nothing to the sentence if it refers solely to the earlier-stated manner of obtaining the information through use of a computer one has accessed with authorization. What matters on Van Buren's reading, as the Government sees it, is simply that the person obtain information that he is not entitled to obtain-and that point could be made even if "so" were deleted. By contrast, the Government insists, "so" makes a valuable contribution if it incorporates all of the circumstances that might qualify a person's right to obtain information. Because only its interpretation gives "so" work to do, the Government contends, the rule against superfluity means that its interpretation wins. See Republic of Sudan v. Harrison, 587 U. S. ___, ___ (2019) (slip op., at 10).
But the canon does not help the Government because Van Buren's reading does not render "so" superfluous. As Van Buren points out, without "so," the statute would allow individuals to use their right to obtain information in nondigital form as a defense to CFAA liability. Consider, for example, a person who downloads restricted personnel files he is not entitled to obtain by using his computer. Such a person could argue that he was "entitled to obtain" the information if he had the right to access personnel files through another method (e.g., by requesting hard copies of the files from human resources). With "so," the CFAA forecloses that theory of defense. The statute is concerned with what a person does on a computer; it does not excuse hacking into an electronic personnel file if the hacker could have walked down the hall to pick up a physical copy.
This clarification is significant because it underscores that one kind of entitlement to information counts: the right to access the information by using a computer. That can expand liability, as the above example shows. But it narrows liability too. Without the word "so," the statute could be read to incorporate all kinds of limitations on one's entitlement to information. The dissent's take on the statute illustrates why.
It then goes into a rebuttal of the dissent, which takes on a different interpretation of "so" but feels that it can get to a reasonable outcome by focusing, instead, on "entitled." But the majority decision notes that such a reading results in problems:
The dissent's approach to the word "entitled" fares fine in the abstract but poorly in context. The statute does not refer to "information . . . that the accesser is not entitled to obtain." It refers to "information . . . that the accesser is not entitled so to obtain." 18 U. S. C. §1030(e)(6) (emphasis added). The word "entitled," then, does not stand alone, inviting the reader to consider the full scope of the accesser's entitlement to information. The modifying phrase "so to obtain" directs the reader to consider a specific limitation on the accesser's entitlement: his entitlement to obtain the information "in the manner previously stated." Supra, at 7. And as already explained, the manner previously stated is using a computer one is authorized to access. Thus, while giving lip service to Van Buren's reading of "so," the dissent, like the Government, declines to give "so" any limiting function.
The dissent cannot have it both ways. The consequence of accepting Van Buren's reading of "so" is the narrowed scope of "entitled." In fact, the dissent's examples implicitly concede as much: They all omit the word "so," thereby giving "entitled" its full sweep. See post, at 3-4. An approach that must rewrite the statute to work is even less persuasive than the Government's.
The majority also points out that the government's own focus on "exceeds authorized access" is equally problematic, first in that it ignores the definition in the actual law:
The Government falls back on what it describes as the "common parlance" meaning of the phrase "exceeds authorized access." Brief for United States 20-21. According to the Government, any ordinary speaker of the English language would think that Van Buren "exceed[ed] his authorized access" to the law enforcement database when he obtained license-plate information for personal purposes. Id., at 21. The dissent, for its part, asserts that this point "settles" the case. Post, at 9.
If the phrase "exceeds authorized access" were all we had to go on, the Government and the dissent might have a point. But both breeze by the CFAA's explicit definition of the phrase "exceeds authorized access."
But, more importantly, the government's approach creates a series of ridiculous interpretations:
By contrast, the Government's reading of the "exceeds authorized access" clause creates "inconsistenc[ies] with the design and structure" of subsection (a)(2). University of Tex. Southwestern Medical Center v. Nassar, 570 U. S. 338, 353 (2013). As discussed, the Government reads the "exceeds authorized access" clause to incorporate purpose-based limits contained in contracts and workplace policies. Yet the Government does not read such limits into the threshold question whether someone uses a computer "without authorization"-even though similar purpose restrictions, like a rule against personal use, often govern one's right to access a computer in the first place. See, e.g., Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F. 3d 756, 757 (CA6 2020). Thus, the Government proposes to read the first phrase "without authorization" as a gates-up-or-down inquiry and the second phrase "exceeds authorized access" as one that depends on the circumstances. The Government does not explain why the statute would prohibit accessing computer information, but not the computer itself, for an improper purpose.
The Government's position has another structural problem. Recall that violating §1030(a)(2), the provision under which Van Buren was charged, also gives rise to civil liability. See §1030(g). Provisions defining "damage" and "loss" specify what a plaintiff in a civil suit can recover. "'[D]amage,'" the statute provides, means "any impairment to the integrity or availability of data, a program, a system, or information." §1030(e)(8). The term "loss" likewise relates to costs caused by harm to computer data, programs, systems, or information services. §1030(e)(11). The statutory definitions of "damage" and "loss" thus focus on technological harms-such as the corruption of files-of the type unauthorized users cause to computer systems and data. Limiting "damage" and "loss" in this way makes sense in a scheme "aimed at preventing the typical consequences of hacking." Royal Truck, 974 F. 3d, at 760. The term's definitions are ill fitted, however, to remediating "misuse" of sensitive information that employees may permissibly access using their computers. Ibid. Van Buren's situation is illustrative: His run of the license plate did not impair the "integrity or availability" of data, nor did it otherwise harm the database system itself.
Finally, and rightly, the majority opinion recognizes just how much the CFAA would criminalize under the government's interpretation:
To top it all off, the Government's interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity.....
If the "exceeds authorized access" clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government's reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases-which provide "information" from "protected computer[s]," §1030(a)(2)(C)-authorize a user's access only upon his agreement to follow specified terms of service. If the "exceeds authorized access" clause encompasses violations of circumstance-based access restrictions on employers' computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers' computers. And indeed, numerous amici explain why the Government's reading of subsection (a)(2) would do just that-criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.
The majority was written by new Justice Amy Coney Barrett, and joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh. The dissent was written by Justice Thomas, with Chief Justice Roberts and Justice Alito.
Overall, the thrust of the decision is good, with a few oddities and that one weird footnote. But it's much better than simply accepting the government's warped interpretation of the CFAA.