Supreme Court Finally Limits Widely Abused Computer Hacking Law... But Just A Bit
from the it's-a-start dept
For many years we've written about the problems with the CFAA. That's the supposedly "anti-hacking" law, with both civil and criminal components, that makes it a violation to use a computer in a manner that "exceeds authorized access." Law enforcement and the courts in the past often (though not always) took an extremely broad read of "unauthorized access" in a such a manner that basically all sorts of cases that involved a computer included CFAA claims. And even if all the other claims fell away, the CFAA claims often lasted, which is why it has been dubbed "the law that sticks." Part of the underlying issue is that law enforcement and some courts wanted to read "unauthorized access" to include using a computer system you had legitimate access to, but for unauthorized purposes.
Famously, this has included cases around not abiding by terms of service that were never read, seemingly benign password sharing, scraping your own data off a web page, and perhaps most troubling of all, downloading too many files.
This week, the Supreme Court finally ruled on the CFAA and its limits in the Van Buren case, which we've covered before, including why the Supreme Court needed to push back on some courts' broad interpretation of the law.
The case involved Nathan Van Buren, a former police sergeant who abused his access to law enforcement databases to run a search that he had no legitimate law enforcement reason for. Now, there are all sorts of reasons people should condemn Van Buren for abusing his power. But the key question in the case was whether or not doing so violated the CFAA and was a form of hacking because the access was unauthorized.
Thankfully, the Supreme Court correctly rules that this particular use did not violate the CFAA. While it may have violated the police department's policies, that does not make it "exceed authorized access."
Beyond that, though, the 6 to 3 decision is... well... a bit of a mess. It could have clearly stated that merely violating a policy while having full practical access to a computer system means there's no CFAA violation. And at times, it seems to suggest that's what it's saying. But it doesn't say that entirely clearly... and, in fact, there's a weird footnote (footnote 8) that seems to undermine that premise.
For present purposes, we need not address whether this inquiry turns only on technological (or “code-based”) limitations on access, or instead also looks to limits contained in contracts or policies.
This has raised some eyebrows among many commentators, though it's all too common with the Roberts Supreme Court these days, in which the court declines to make a clear bright line rule on things it easily could, instead trying to narrowly limit the decisions. Of course, sometimes that's good, but unfortunately it often muddles things as may be the case here.
The actual reasoning behind the decision is interesting in its own way, and includes a detailed discussion on the meaning of the word "so." Specifically, what does "so" mean here:
“to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.”
And thus, you get a debate over what exactly that "so" is doing in there (regulation drafters beware!):
The parties agree that Van Buren “access[ed] a computer with authorization” when he used his patrol-car computer and valid credentials to log into the law enforcement database. They also agree that Van Buren “obtain[ed] . . . information in the computer” when he acquired the license-plate record for Albo. The dispute is whether Van Buren was “entitled so to obtain” the record.
“Entitle” means “to give . . . a title, right, or claim to something.” Random House Dictionary of the English Language 649 (2d ed. 1987). See also Black’s Law Dictionary 477 (5th ed. 1979) (“to give a right or legal title to”). The parties agree that Van Buren had been given the right to acquire license-plate information—that is, he was “entitled to obtain” it—from the law enforcement computer database. But was Van Buren “entitled so to obtain” the license-plate information, as the statute requires?
Van Buren says yes. He notes that “so,” as used in this statute, serves as a term of reference that recalls “the same manner as has been stated” or “the way or manner described.” Black’s Law Dictionary, at 1246; 15 Oxford English Dictionary 887 (2d ed. 1989). The disputed phrase “entitled so to obtain” thus asks whether one has the right, in “the same manner as has been stated,” to obtain the relevant information. And the only manner of obtaining information already stated in the definitional provision is “via a computer [one] is otherwise authorized to access.” Reply Brief 3. Putting that together, Van Buren contends that the disputed phrase—“is not entitled so to obtain”—plainly refers to information one is not allowed to obtain by using a computer that he is authorized to access. On this reading, if a person has access to information stored in a computer— e.g., in “Folder Y,” from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.
The Government agrees that the statute uses “so” in the word’s term-of-reference sense, but it argues that “so” sweeps more broadly. It reads the phrase “is not entitled so to obtain” to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. The manner or circumstances in which one has a right to obtain information, the Government says, are defined by any “specifically and explicitly” communicated limits on one’s right to access information. Brief for United States 19. As the Government sees it, an employee might lawfully pull information from Folder Y in the morning for a permissible purpose—say, to prepare for a business meeting—but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purpose—say, to help draft a resume to submit to a competitor employer.
The Government’s interpretation has surface appeal but proves to be a sleight of hand. While highlighting that “so” refers to a “manner or circumstance,” the Government simultaneously ignores the definition’s further instruction that such manner or circumstance already will “‘ha[ve] been stated,’” “‘asserted,’” or “‘described.’” Id., at 18 (quoting Black’s Law Dictionary, at 1246; 15 Oxford English Dictionary, at 887). Under the Government’s approach, the relevant circumstance—the one rendering a person’s conduct illegal—is not identified earlier in the statute. Instead, “so” captures any circumstance-based limit appearing anywhere—in the United States Code, a state statute, a private agreement, or anywhere else. And while the Government tries to cabin its interpretation by suggesting that any such limit must be “specifically and explicitly” stated, “express,” and “inherent in the authorization itself,” the Government does not identify any textual basis for these guardrails. Brief for United States 19; Tr. of Oral Arg. 41.
Van Buren’s account of “so”—namely, that “so” references the previously stated “manner or circumstance” in the text of §1030(e)(6) itself—is more plausible than the Government’s. “So” is not a free-floating term that provides a hook for any limitation stated anywhere. It refers to a stated, identifiable proposition from the “preceding” text; indeed, “so” typically “[r]epresent[s]” a “word or phrase already employed,” thereby avoiding the need for repetition. 15 Oxford English Dictionary, at 887; see Webster’s Third New International Dictionary 2160 (1986) (so “often used as a substitute . . . to express the idea of a preceding phrase”). Myriad federal statutes illustrate this ordinary usage. We agree with Van Buren: The phrase “is not entitled so to obtain” is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.
The Government’s primary counterargument is that Van Buren’s reading renders the word “so” superfluous. Recall the definition: “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.” §1030(e)(6) (emphasis added). According to the Government, “so” adds nothing to the sentence if it refers solely to the earlier stated manner of obtaining the information through use of a computer one has accessed with authorization. What matters on Van Buren’s reading, as the Government sees it, is simply that the person obtain information that he is not entitled to obtain—and that point could be made even if “so” were deleted. By contrast, the Government insists, “so” makes a valuable contribution if it incorporates all of the circumstances that might qualify a person’s right to obtain information. Because only its interpretation gives “so” work to do, the Government contends, the rule against superfluity means that its interpretation wins. See Republic of Sudan v. Harrison, 587 U. S. ___, ___ (2019) (slip op., at 10).
But the canon does not help the Government because Van Buren’s reading does not render “so” superfluous. As Van Buren points out, without “so,” the statute would allow individuals to use their right to obtain information in nondigital form as a defense to CFAA liability. Consider, for example, a person who downloads restricted personnel files he is not entitled to obtain by using his computer. Such a person could argue that he was “entitled to obtain” the information if he had the right to access personnel files through another method (e.g., by requesting hard copies of the files from human resources). With “so,” the CFAA forecloses that theory of defense. The statute is concerned with what a person does on a computer; it does not excuse hacking into an electronic personnel file if the hacker could have walked down the hall to pick up a physical copy. This clarification is significant because it underscores that one kind of entitlement to information counts: the right to access the information by using a computer. That can expand liability, as the above example shows. But it narrows liability too. Without the word “so,” the statute could be read to incorporate all kinds of limitations on one’s entitlement to information. The dissent’s take on the statute illustrates why.
It then goes into a rebuttal of the dissent, which takes on a different interpretation of "so" but feels that it can get to a reasonable outcome by focusing, instead, on "entitled." But the majority decision notes that such a reading results in problems:
The dissent’s approach to the word “entitled” fares fine in the abstract but poorly in context. The statute does not refer to “information . . . that the accesser is not entitled to obtain.” It refers to “information . . . that the accesser is not entitled so to obtain.” 18 U. S. C. §1030(e)(6) (emphasis added). The word “entitled,” then, does not stand alone, inviting the reader to consider the full scope of the accesser’s entitlement to information. The modifying phrase “so to obtain” directs the reader to consider a specific limitation on the accesser’s entitlement: his entitlement to obtain the information “in the manner previously stated.” Supra, at 7. And as already explained, the manner previously stated is using a computer one is authorized to access. Thus, while giving lipservice to Van Buren’s reading of “so,” the dissent, like the Government, declines to give “so” any limiting function.
The dissent cannot have it both ways. The consequence of accepting Van Buren’s reading of “so” is the narrowed scope of “entitled.” In fact, the dissent’s examples implicitly concede as much: They all omit the word “so,” thereby giving “entitled” its full sweep. See post, at 3–4. An approach that must rewrite the statute to work is even less persuasive than the Government’s.
The majority also points out that the government's own focus on "exceeds authorized access" is equally problematic, first in that it ignores the definition in the actual law:
The Government falls back on what it describes as the “common parlance” meaning of the phrase “exceeds authorized access.” Brief for United States 20–21. According to the Government, any ordinary speaker of the English language would think that Van Buren “exceed[ed] his authorized access” to the law enforcement database when he obtained license-plate information for personal purposes. Id., at 21. The dissent, for its part, asserts that this point “settles” the case. Post, at 9.
If the phrase “exceeds authorized access” were all we had to go on, the Government and the dissent might have a point. But both breeze by the CFAA’s explicit definition of the phrase “exceeds authorized access.”
But, more importantly, the government's approach creates a series of ridiculous interpretations:
By contrast, the Government’s reading of the “exceeds authorized access” clause creates “inconsistenc[ies] with the design and structure” of subsection (a)(2). University of Tex. Southwestern Medical Center v. Nassar, 570 U. S. 338, 353 (2013). As discussed, the Government reads the “exceeds authorized access” clause to incorporate purposebased limits contained in contracts and workplace policies. Yet the Government does not read such limits into the threshold question whether someone uses a computer “without authorization”—even though similar purpose restrictions, like a rule against personal use, often govern one’s right to access a computer in the first place. See, e.g., Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F. 3d 756, 757 (CA6 2020). Thus, the Government proposes to read the first phrase “without authorization” as a gates-up-or-down inquiry and the second phrase “exceeds authorized access” as one that depends on the circumstances. The Government does not explain why the statute would prohibit accessing computer information, but not the computer itself, for an improper purpose.
The Government’s position has another structural problem. Recall that violating §1030(a)(2), the provision under which Van Buren was charged, also gives rise to civil liability. See §1030(g). Provisions defining “damage” and “loss” specify what a plaintiff in a civil suit can recover. “‘[D]amage,’” the statute provides, means “any impairment to the integrity or availability of data, a program, a system, or information.” §1030(e)(8). The term “loss” likewise relates to costs caused by harm to computer data, programs, systems, or information services. §1030(e)(11). The statutory definitions of “damage” and “loss” thus focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data. Limiting “damage” and “loss” in this way makes sense in a scheme “aimed at preventing the typical consequences of hacking.” Royal Truck, 974 F. 3d, at 760. The term’s definitions are ill fitted, however, to remediating “misuse” of sensitive information that employees may permissibly access using their computers. Ibid. Van Buren’s situation is illustrative: His run of the license plate did not impair the “integrity or availability” of data, nor did it otherwise harm the database system itself.
Finally, and rightly, the majority opinion recognizes just how much the CFAA would criminalize under the government's interpretation:
To top it all off, the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity.....
If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers. And indeed, numerous amici explain why the Government’s reading of subsection (a)(2) would do just that— criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook
The majority was written by new Justice Amy Coney Barrett, and joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh. The dissent was written by Justice Thomas, with Chief Justice Roberts and Justice Alito.
Overall, the thrust of the decision is good, with a few oddities and that one weird footnote. But it's much better than simply accepting the government's warped interpretation of the CFAA.
Filed Under: authorized access, cfaa, exceeds authorized access, supreme court, van buren