Today, the Supreme Court handed down a decision significantly narrowing the scope of the Computer Fraud and Abuse Act (“CFAA”), a federal statute that can impose both criminal and civil liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access”, in its first-ever decision addressing this law.
In a 6-3 opinion in Van Buren v. United States, No. 19-783, authored by Justice Barrett, the Court reversed the Eleventh Circuit’s decision to uphold the conviction of a former police officer who was charged under the CFAA for searching a license plate in a law enforcement database for unofficial purposes. His conviction concerned a provision of the statute that made it illegal “to access a computer with authorization and to use such access to obtain . . . . information in the computer that the accesser is not entitled so to obtain”. The officer appealed, claiming that the CFAA did not cover unauthorized use of a database that he was otherwise authorized to access as part of his job.
Recall that the CFAA, which was passed in 1986, is considered to be the primary anti-hacking law and prosecutorial tool against outside actors who are accused of breaking into computer networks (although the statute has also been litigated recently in the commercial context, including in relation to data scraping). It forbids individuals from intentionally accessing a computer without authorization or “exceed[ing] authorized access.” The Supreme Court granted certiorari to resolve a split in authority among the Courts of Appeal regarding the scope of liability under the CFAA’s “exceeds authorized access” clause.
The majority opinion closely parsed the language of the CFAA and examined the types of activities that constituted “exceed[ing] authorized access.” Ultimately, the Court concluded that the provision that Plaintiff had been convicted under “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like [Petitioner], have improper motives for obtaining information that is otherwise available to them.” Op. at 1 (emphasis supplied). Justice Barrett’s opinion also focused on the statute’s scope, noting that the government’s broad interpretation would criminalize a “breathtaking amount of commonplace computer activity,” including mundane activities such as using a work computer for personal purposes.
This case is a game changer for pending and future cases brought under the CFAA. As CPW readers will remember, the hiQ/LinkedIn data-scraping saga ongoing in California federal court had been paused pending a ruling from SCOTUS in Van Buren. All eyes will be back on that case now, in light of the circumscribed interpretation of the statute adopted by SCOTUS today. For information as to how that litigation progresses, and how other courts (and litigants) respond to this important decision, stay tuned. CPW will be there to keep you in the loop.