So, the Supreme Court Preserves Security Research from the CFAA

When courts decide issues applying the law to technology, too often they resort to metaphors for the analog world, or to analogies of what the technology is “like” rather than what it is.  Anticircumvention provisions of the DMCA are characterized as the digital equivalent of “breaking into a locked room in order to obtain a copy of a book”; and Aereo was “like” cable television systems that Congress considered in the 1970s.  On June 3, the Supreme Court decided a case interpreting the reach of one of the oldest computer-related federal statutes, the Computer Fraud and Abuse Act of 1986 (CFAA).  But it reached its conclusion based not on metaphors but on the statutory text alone; indeed, on one of the most mundane words imaginable – the meaning of the word “so.”  

Though the case gives literal meaning to the phrase “plain meaning” interpretation, the implications are far-reaching.  The Court protected otherwise lawful activities like security research, personal uses, and commercial competition from CFAA liability.  And it did so despite a vigorous battle of two textualist interpretations of the same language, between the newest Justice, Amy Coney Barrett, writing for a six-justice majority, and Justice Clarence Thomas writing for himself, Chief Justice Roberts, and Justice Alito.    

In Van Buren v. United States, a police officer was caught in an FBI sting operation when searching a law enforcement license plate database for a private citizen in exchange for money.  As a police officer, Van Buren had the right to access the database, but was charged with a criminal violation of the CFAA for obtaining the database information for unauthorized purposes.  A jury found Van Buren guilty, and the U.S. Court of Appeals for the Eleventh Circuit upheld the conviction.  The Supreme Court granted certiorari to resolve a split among several circuit courts of appeals as to whether the CFAA covers only unauthorized access to information, or also the unauthorized use of information to which the defendant has authorized access.

The CFAA imposes liability on any individual who “intentionally accesses a computer without authorization or exceeds authorized access.”  When originally enacted in 1984, the CFAA only protected against hacking of classified data and financial and credit records in government and financial institution computer systems.  The first person to be indicted and convicted under the CFAA was computer science graduate student Robert Morris, who designed his computer worm to demonstrate security flaws in Unix but unintentionally launched a denial-of-service attack on thousands of networked computers.  Over time, Congress expanded the CFAA to include civil liability, and to broadly cover intrusions into all computer systems used in or affecting interstate commerce.  Now, any computer connected to the internet, whether inside or outside the United States, is potentially covered by the CFAA, and the CFAA prohibits unauthorized access or alteration of virtually any kind of information, for purposes as varied as commercial advantage or government espionage. 

Both Van Buren and the United States agreed that he accessed the database “with authorization” and that he did “obtain” information from it.  The dispute focused on whether his actions “exceed[ed] authorized access” which the CFAA defines as, “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter….”  More narrowly, the question turned on whether “so” in “so to obtain” meant to obtain information that the defendant was not entitled to access (Van Buren’s interpretation); or, to obtain information for a prohibited purpose (the government’s position).

Justice Barrett, writing for the majority, found no indication in the statutory text of a limitation based upon the purpose for which the information was accessed.  When the statute refers to information in a computer that the defendant is not entitled to “so” obtain, the majority interpreted “so” to mean whether the information was acquired through access granted to the user.  The majority rejected the argument of the dissent and the government that Van Buren cannot have been “so” entitled if he was prohibited from obtaining that specific information.  The CFAA, Justice Barrett wrote, imposes “a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.”  Opinion at 13.  “In sum, an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.”  Id. at 20.    

Supporting her statutory interpretation arguments, Justice Barrett cited amici from various academic, business, policy, and technology disciplines who debated the “breathtaking” implications of imposing criminal liability upon people who exceed the terms of use of a computer, service, or website.  Among the amici, a group of technology companies noted that, under the appellate court’s holding, the CFAA could be used against researchers who accessed a computer site to find bugs or security implementation flaws, or even against consumers or journalists who might sign on to a social media site under a pseudonym. A computer professionals association found determinations of “proper” and “improper” purposes too vague a basis to impose criminal liability, and argued that scientific research required the ability to obtain (“scrape”) data from publicly available web sources.  Public interest groups observed how such a rule could be weaponized for anticompetitive purposes, and would upend a balanced approach to intellectual property law and security research.  And an association representing government whistleblowers explained how the lower court’s rule conflicted with federal protections for those who provide evidence of possible criminal activity to law enforcement.   

However, the Court stopped short of equating the right of access under the CFAA to a technological right of access.  In a footnote, the majority left open the possibility in future cases that access limitations could be imposed subject to the CFAA by contracts or policies.  Opinion at 13 n.8.  A bright-line technology-based rule would have provided a more certain outcome, but the footnote suggests a distinction between insiders and outsiders accessing computer systems.  Insiders would potentially be subject to such contract or policy restrictions, for example in their terms of employment or in commercial transactions.  Outsiders cannot be compelled to agree to such contracts or policies, so will likely face CFAA liability only where they cross the technological access line.  

It will now be left for lower courts to sort out the implications of Van Buren, and the footnote.  But for now, the Court has clarified that security research, fair competition, ordinary consumer uses, and democratic actions should not be threatened with CFAA liability.