The U.S. Supreme Court will soon decide what it means to exceed authorized computer access. At stake is the constitutionality of the Computer Fraud and Abuse Act (CFAA).
The court heard arguments Nov. 30 in Van Buren v. United States, a case involving a police officer who was convicted of violating the CFAA for looking up a strip club dancer’s license plate number in a police database. Nathan Van Buren was authorized to access the database, but he did so in this situation as a favor in exchange for a loan.
The CFAA prohibits, among other things, intentionally accessing a computer without authorization and exceeding authorized access to obtain information. Although there is no doubt that the statute criminalizes hacking, it is not clear how many different kinds of exceeding authorized access would trigger federal criminal liability.
As examples, would violation of an employer’s prohibition of using a work computer for personal emails—or a violation of a website’s terms of access—impose potential criminal liability on employees and website users?
Concerns of Justices
At oral argument, the justices made clear that they are concerned about the potential breadth of the CFAA. The government characterized the statute as directed only to people who were specifically trusted by the computer owner. But the statute’s definition of exceeding authorized access—“to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter”—does not appear to draw that line.
Justice Sonia Sotomayor stated that the government was “giving definitions that narrow the statute that the statute doesn’t have ... to narrow it from what could otherwise be viewed as a very broad statute and dangerously vague.”
Justice Neil Gorsuch thought that the government’s act of enforcement in this case could result in “perhaps making a federal criminal of us all.”
And Chief Justice John Roberts and Justice Stephen Breyer expressed concern with whether the text of the statute supported the government’s limiting efforts.
Issues With Invalidation
Invalidating the statute, however, raised concerns with other justices.
Justice Samuel Alito emphasized the importance of the privacy rights that the statute protects, such as misuse of credit card information and the harassment of enemies. Justice Clarence Thomas and Alito questioned the premise that the statute, as written, would in fact criminalize the everyday conduct of American citizens, including people failing to follow a website’s terms of access.
This line of inquiry could lead the court to leave the CFAA intact, on the basis that the language clearly covered the actions of Van Buren here, who sold information from a law enforcement database that he had authority to access, but not the authority to access for non-law enforcement purposes. Essentially, although the statute might be overbroad in some applications, it was not so as applied in this case, such that the court need do nothing further than affirm the appellate court’s decision.
Void for Vagueness
But because the language used in the statute does not appear to have a natural interpretation that draws a hard line between Van Buren’s conduct and the conduct of everyday citizens, the court could well rule it is void for vagueness. Such an opinion could be written in a way to invite Congress to pass legislation that is (a) clear about what kind of internal misuse of computer information would be proscribed by the statute and (b) up-to-date.
Because this does not appear to be a partisan issue, this result would enable the legislature to draw the line clearly, which would relieve the court from trying to interpret what is, after all, a statute originally passed in 1984, before modern internet usage. Sotomayor in fact asked whether there were “targeted changes that could be made to limit” the statute’s reach.
A vagueness holding would not necessarily leave all sensitive data unprotected. Sotomayor, Gorsuch, and Justice Brett Kavanaugh inquired about other state and federal criminal laws that protected some such sensitive information contained on computers and could have applied to Van Buren’s conduct here.
This led Gorsuch to question why the solicitor general brought this case in light of a string of recent Supreme Court decisions invalidating attempts to expand the reach of federal criminal statutes. In his words: “I would have thought that the Solicitor General’s Office isn’t just a rubber stamp for the U.S. Attorney’s Offices.”
Given the justices’ collective questions, it seems unlikely that the court will issue an opinion effectively holding that the statute, as written, applies to everyday activities of most Americans. Such an interpretation could have an immediate impact on how people use their work computers, how they interact with various websites, and the manner in which they use computers generally.
Website operators and employers will wish to review carefully the court’s opinion when issued, particularly in the event the court invalidates or chooses to interpret the statute so as to “draw lines” within its language.
Should the CFAA be invalidated, they should watch for any new legislation that may emerge. If such legislation is passed, employers should review their existing rules relating to use of company computers and ensure that they employ language consistent with an amended statute. In that way, companies could best protect themselves from unfaithful employees who exceed their authorized access and misuse company data, while complying with dictates of the amended law.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Mark Srere is co-leader of Bryan Cave Leighton Paisner LLP’s Investigations, Financial Regulation and White Collar group.
Ben Clark is senior trial counsel with Bryan Cave Leighton Paisner LLP and a former federal prosecutor.