28 January 2021

Supreme Court dives into circuit split over the Computer Fraud and Abuse Act

What does it mean to “exceed authorized access” to an Internet-connected device?  The answer currently depends on which federal circuit court considers the question – and determines whether one might face jail time or civil liability for violating the Computer Fraud and Abuse Act (CFAA). 

Enacted in its relevant form in 1986, Title 18, United States Code, Section 1030 creates criminal and civil liability for any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains” virtually any type of information stored on any computer connected to the Internet.

In Van Buren v. United States, the Supreme Court is diving into the substance of the CFAA for the first time in the Act’s 35-year history.  On November 30, 2020, the Court heard oral argument on whether a person “exceeds authorized access” to an Internet-connected device, where he or she uses that access to obtain or alter information for an unauthorized purpose.  The issue has divided the nine circuits that have considered it. 

Whether the CFAA criminalizes purpose-based access to data will likely reshape how individuals and organizations collect, use and protect digital information.  The implications are staggering – consider insider data theft and misuse of company technology; selling or sharing of certain types of consumer data with business partners; cybersecurity research into network vulnerabilities; technology-facilitated newsgathering; and ‘terms of use’ restrictions on digital platforms of all types. 

In Van Buren, a Georgia police sergeant used his authorized username and password to obtain information from a law enforcement database and sell it to an FBI confidential informant for $6,000.  As part of the FBI sting operation, the informant requested the information for the ostensible purpose of confirming that a woman of romantic interest to him was not an undercover police officer.  Van Buren was authorized to use the database for law-enforcement purposes only.  The jury convicted Van Buren of violating the CFAA and the wire fraud statute.

The Eleventh Circuit affirmed Van Buren’s conviction under Section 1030(a)(2)(C), finding sufficient evidence that Van Buren “intentionally . . . exceed[ed] authorized access [to a computer] and thereby obtain[ed] . . . information from any protected computer.”  The court noted that Section 1030(e)(6) defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  Following binding circuit precedent, the court held that Van Buren “exceed[ed] authorized access” when he accessed the database and obtained information for an unauthorized purpose (i.e., to sell it to a third person).  The Eleventh Circuit’s interpretation of the “exceeds authorized access” prong of Section 1030(a)(2) is in accord with decisions of the First, Fifth and Seventh Circuits.

On the other side of the split are the Second, Fourth, Sixth and Ninth Circuits, which have held that employees authorized to access a computer system did not violate the “exceeds authorized access” prong of Section 1030(a)(2) when they obtained information for an unauthorized purpose.  So long as access to the information was not completely unauthorized, these circuits have held that any subsequent use of the information in an unauthorized manner does not violate the CFAA.  Pointing to a “parade of horribles” stretching well beyond the facts of any insider data misuse case, these courts reason that a broader interpretation of Section 1030 could criminalize every violation of policy, terms of use, or contract imposed by a computer owner or Internet platform.  Although it has not so held, the Third Circuit has indicated agreement with this narrower interpretation of Section 1030. 

Much of the November 2020 oral argument at the Supreme Court focused on the tension between Section 1030’s purpose of protecting sensitive digital information from misuse and the potential for sweeping federal criminalization of innocuous, and widespread, Internet activity.  Justices across the ideological spectrum, along with counsel for both sides, struggled to articulate a limiting principle that would avoid overly broad applications of statutory language badly in need of a 21st Century update.    

A decision is expected in Spring 2021.  A defense win on these facts would largely eviscerate the “insider threat” protections that were the original focus of Section 1030’s “exceeds authorized access” prong.  A government win could open the door to potential criminal and civil liability for violating contractual, policy, or other restrictions on the scope of authorized use of any Internet-connected device or platform.  Perhaps the Supreme Court is most likely to follow its 2017 admonition in Packingham v. North Carolina that courts should decide Internet law issues on the narrow facts before them, while remaining “conscious that what they say today might be obsolete tomorrow.”