The Supreme Court in a 6-3 decision ruled that people do not exceed authorized access under the Computer Fraud and Abuse Act (CFAA) when they merely access information on a computer for an improper purpose.
The highly-anticipated ruling in Van Buren v. United States has broad implications not only in the criminal context, but in the civil context as well. Violations of the CFAA can be prosecuted criminally and also serve as the basis for civil lawsuits. Moreover, the decision has implications for webscraping activities, which are often challenged as violations of the CFAA. In the ruling authored by Justice Amy Coney Barrett, the Court interpreted the CFAA in a manner designed to ensure that the CFAA could not be used to criminalize the behavior of internet users who use a company’s website in violation of the terms of service or employees who use their workplace computers for personal use in violation of a company policy. In doing so, the opinion reconfirms that the CFAA analysis for webscraping turns on the question of authorization and does not involve the purpose or intended use of the accessed information.
The case arose from the conviction of a former police sergeant. As part of his job as sergeant, Nathan Van Buren had access to a state law enforcement computer database that contained license plate information, but he was trained not to use the database for personal purposes. However, as part of a sting operation, an associate offered Van Buren $5,000 to look up the license plate information of a woman who the associate has purportedly met at a strip club. After Van Buren accepted the offer and performed the lookup, he was eventually charged under the CFAA for “exceed[ing] authorized access” because he used the database for a personal purpose.
The CFAA, created in 1984 as an anti-hacking law, prohibits two main things: when a person “accesses a computer without authorization” or when a person “exceeds authorized access” by using valid access to enter a computer system, then using that access “to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The case hinged on whether Van Buren was “entitled so to obtain” the license plate information, since he had valid access to the license plate database but was not allowed to use it for a personal purpose.
In resolving the definition of “exceeds authorized access,” the Court determined that a person “exceeds authorized access” under the CFAA only when the individual “accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” The Court’s decision made clear that “exceeding authorized access” does not encompass of the behavior of those who, like Van Buren, have “improper motives for obtaining information that is otherwise available to them.”
In embracing this narrower reading of the CFAA, the Court accepted Van Buren’s view that the entire statute contains a “gates-up-or-down inquiry”—disregarding purpose-based limits and other circumstantial limits like time-or-manner restrictions. Rather than a nuanced question requiring adherence to a variety of terms or conditions—the right to access systems is a binary question—“one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.”
This decision does not directly address all issues around what would constitute authorization for webscraping. Specifically, in footnote 8, the Court left unresolved the question of “whether this inquiry turns only on technological (or ‘code-based’) limitations on access, or instead also looks to limits contained in contracts or policies.” In other parts of the opinion, however, the Court noted that CFAA should not stake so much of its interpretation on “drafting practices of private parties”—perhaps signaling that circumvention of code-based restrictions will eventually be necessary to implicate CFAA.
What the decision does make crystal clear, however, is that its holding is not limited to the question of insider access. Indeed, the Court specifically made clear that the interpretation of “without authorization” is similarly narrow and does not encompass behavior that merely violates website terms and conditions—such as a user lying about her real name on Facebook or falsifying information on a dating profile. The Court noted that an opposite holding “would attach criminal penalties to a breathtaking amount of commonplace computer activity.”
“Many websites, services, and databases—which provide ‘information’ from ‘protected computer[s],’ §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. And indeed, numerous amici explain why the Government’s reading of subsection (a)(2) would do just that—criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.”
This was precisely the ruling that ZwillGen attorneys and other commentators expected after the oral argument and one that de-emphasizes the importance of reviewing purpose and use-based provisions terms and conditions in determining whether access to otherwise available data is restricted for the purposes of the CFAA.