Supreme Court dives into circuit split over the Computer Fraud and Abuse Act
What does it mean to “exceed authorized access” to an Internet-connected device? The answer currently depends on which federal circuit court considers the question – and determines whether one might face jail time or civil liability for violating the Computer Fraud and Abuse Act (CFAA).
Enacted in its relevant form in 1986, Title 18, United States Code, Section 1030 creates criminal and civil liability for any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains” virtually any type of information stored on any computer connected to the Internet.
In Van Buren v. United States, the Supreme Court is diving into the substance of the CFAA for the first time in the Act’s 35-year history. On November 30, 2020, the Court heard oral argument on whether a person “exceeds authorized access” to an Internet-connected device when he or she uses that access to obtain or alter information for an unauthorized purpose. The issue has divided the nine circuits that have considered it.
In Van Buren, a Georgia police sergeant used his authorized username and password to obtain information from a law enforcement database and sell it to an FBI confidential informant for $6,000. As part of the FBI sting operation, the informant requested the information for the ostensible purpose of confirming that a woman of romantic interest to him was not an undercover police officer. Van Buren was authorized to use the database for law-enforcement purposes only. The jury convicted Van Buren of violating the CFAA and the wire fraud statute.
The Eleventh Circuit affirmed Van Buren’s conviction under Section 1030(a)(2)(C), finding sufficient evidence that Van Buren “intentionally . . . exceed[ed] authorized access [to a computer] and thereby obtain[ed] . . . information from any protected computer.” The court noted that Section 1030(e)(6) defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Following binding circuit precedent, the court held that Van Buren “exceed[ed] authorized access” when he accessed the database and obtained information for an unauthorized purpose (i.e., to sell it to a third person). The Eleventh Circuit’s interpretation of the “exceeds authorized access” prong of Section 1030(a)(2) is in accord with decisions of the First, Fifth and Seventh Circuits.
Much of the November 2020 oral argument at the Supreme Court focused on the tension between Section 1030’s purpose of protecting sensitive digital information from misuse and the potential for sweeping federal criminalization of innocuous and widespread Internet activity. Justices across the ideological spectrum, along with counsel for both sides, struggled to articulate a limiting principle that would avoid overly broad applications of statutory language badly in need of a 21st-century update.
A decision is expected in Spring 2021. A defense win on these facts would largely eviscerate the “insider threat” protections that were the original focus of Section 1030’s “exceeds authorized access” prong. A government win could open the door to potential criminal and civil liability for violating contractual, policy, or other restrictions on the scope of authorized use of any Internet-connected device or platform. Perhaps the Supreme Court is most likely to follow its 2017 admonition in Packingham v. North Carolina that courts should decide Internet law issues on the narrow facts before them, while remaining “conscious that what they say today might be obsolete tomorrow.”