Information Today, Inc. Corporate Site KMWorld CRM Media Streaming Media Faulkner Speech Technology Unisphere/DBTA
Other ITI Websites
American Library Directory Boardwalk Empire Database Trends and Applications DestinationCRM EContentMag Faulkner Information Services Fulltext Sources Online InfoToday Europe Internet@Schools Intranets Today KMWorld Library Resource Literary Market Place OnlineVideo.net Plexus Publishing Smart Customer Service Speech Technology Streaming Media Streaming Media Europe Streaming Media Producer Unisphere Research



News & Events > NewsBreaks
Back Index Forward
Twitter RSS Feed
 



Supreme Court Narrows the Scope of the Computer Fraud and Abuse Act
by
Posted On June 22, 2021
With an unusual array of votes, the U.S. Supreme Court has narrowed the scope of the Computer Fraud and Abuse Act (CFAA), which is pleasing data scrapers, but raises concerns about trade secret protection. The CFAA, enacted in 1986, provides for civil and criminal penalties against anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” thereby obtaining certain sensitive information. In Van Buren v. United States, the court’s most recently appointed justice, Amy Coney Barrett, wrote that the phrase “exceeds authorized access” only refers to situations in which a person accesses specific areas of the computer, “such as files, folders, or databases” that are off-limits and does not apply to misuse of information.

WarGames

The CFAA was enacted relatively early in the days of networked computers. Inspired in part by the 1983 movie WarGames, in which a teenager hacks into a NORAD computer, the act was an attempt to provide criminal sanctions as well as civil penalties for unauthorized access to computer systems. This had previously been addressed only by various fraud-related statutes. The CFAA covers most connected computer systems, whether they are inside or outside the U.S., as long as they affect “interstate or foreign commerce or communication.” The act has been amended several times, but the core language of accessing a computer “without authorization” and “exceed[ing] authorized access” has largely remained intact.

As courts have interpreted and applied the CFAA over the years, a difference of opinion has emerged over how broadly the phase “exceeds authorized access” should be interpreted. Some courts have interpreted it narrowly, focusing on the hacking aspect of illegally gaining access to a computer or its systems through bypassing protections that have been put in place. Other courts have interpreted the language more broadly, applying the CFAA in situations where a particular person has access to a computer or its files, but then uses that information outside the scope of their authorized reason for access.

Driver’s License Information

The Van Buren case provides a perfect example of the broader interpretation of the CFAA. Nathan Van Buren was a police officer who had authorized access to a law enforcement database. He was approached by a friend to obtain license plate information pertaining to a third party in return for money. He used his patrol car’s computer and his authorized credentials to retrieve the information, sharing it with the friend, who was part of an FBI sting operation. Van Buren was arrested and charged with a criminal violation of the CFAA.

The case went to an appellate court, with Van Buren advocating for the narrower interpretation of the act, arguing that the information he obtained was within the scope of his “authorized access,” notwithstanding his misuse of it later, and that the CFAA did not apply. The appellate court disagreed and upheld Van Buren’s criminal sentence.

‘Entitled So to Obtain’

The Supreme Court reversed and held that the language of the CFAA makes it clear that it only applies to “information in the computer that the accesser [sic] is not entitled so to obtain.” In deciding how to interpret this language, the court focused on the phrase “entitled so to obtain,” determining that there is a connection between “entitled” to obtain and “actually” obtaining the information. A user, such as Van Buren, gaining authorized access via a password or other system is “entitled” to the information; the entitlement extends to the information that the password allows him to obtain. The court used the example of a person’s password allowing him access to information in “Folder Y,” regardless of his intended use of the information. The violation is if he obtains information from “Folder X,” to which his password does not provide him access.

The court’s opinion is lengthy and contains an extensive and nuanced discussion of the text of the act, with several pages alone dedicated to the word “so” as used in the phrase “entitled so to obtain.” The court also recognized the pitfalls of the broad interpretation of the act, suggesting that it would “attach criminal penalties to a breathtaking amount of commonplace computer activity.” Any violation of a computer use policy, a terms of service click-wrap agreement, or a similar contract could subject a person to the act’s criminal penalties.

Textualism

The 6-3 Supreme Court opinion was outside of the conservative-liberal split of the court, with conservative justice Barrett joined by liberals Stephen Breyer, Sonia Sotomayor, and Elena Kagan, along with fellow Trump administration appointees Neil Gorsuch and Brett Kavanaugh. The three Trump appointees are largely seen as “textualists” in interpreting and applying statutes—i.e., they focus on the specific language of the text and less so on interpretation, context, or intent. The three liberal justices may have felt for similar reasons that the act simply went too far in criminalizing comparatively commonplace computer activity.

A narrower reading of the act is seen as favorable for engaging in data mining, investigative and journalistic research, and global activism. It is seen as less favorable for companies that rely heavily on terms of service agreements and for the protection of trade secrets. A company can no longer use the CFAA’s criminal or civil penalties against authorized users, such as employees or contractors, who leverage their legitimate access into company databases for their own or a competitor’s use.

Data Scraping

One area that seems to remain uncertain is that of data scraping: the use of bots and other automated applications to obtain public information from thousands of databases for various purposes—often marketing, demographics, or competitive intelligence. hiQ Labs v. LinkedIn is a recent case in the 8th U.S. Circuit Court of Appeals in California that involved hiQ’s scraping of public data from LinkedIn profiles to create data analytics products. [See “Data Scraping and the Law,” the Legal Issues column on page 24 of the April 2021 issue of Information Today. —Ed.] LinkedIn claimed that hiQ violated the CFAA even though the information was public, because hiQ violated its terms of service agreement and had been ordered to stop.

On its face, the Supreme Court’s decision in Van Buren would seem to favor hiQ’s activities. However, hiQ’s use of bots, its continued activity after being ordered to stop, and issues involving the rights of LinkedIn users make the answer not so clear-cut.

Terms of Service Contracts

Misuse of information obtained from computer systems can remain legally questionable even if it is no longer a CFAA violation. Terms of service agreements are enforceable contracts. Violating your company’s computer use policy can result in sanctions. Misuse of trade secrets can have potential civil as well as criminal liability without invoking the CFAA. However, it is apparent that in most circumstances, the Supreme Court’s Van Buren decision is a very clear narrowing of the act and takes a significant arrow out of the quiver of companies and others that are trying to protect and control the use of the information on their computer systems.


George H. Pike is the director of the Pritzker Legal Research Center and a senior lecturer at the Northwestern University School of Law. He teaches legal research, intellectual property, and privacy courses at the School of Law in both the J.D. and Northwestern’s innovative Master of Science in Law program. Prof. Pike is a frequent lecturer on issues of First Amendment, copyright, and Internet law for library and information professionals. He is also a regular columnist and writer for Information Today, publishing a monthly column on legal issues confronting information producers and consumers. Previously, Prof. Pike was director of the Law Library at the University of Pittsburgh School of Law, and held professional positions at the Lewis and Clark Law School and at the University of Idaho School of Law, and was a practicing attorney in Idaho Falls, Idaho. Prof. Pike received his B.A. degree from the College of Idaho, his law degree from the University of Idaho, and his Masters in Library Science from the University of Washington. He is a member of the American and Idaho State Bar Associations, the American Association of Law Libraries, and the American Intellectual Property Lawyers Association.

Email George H. Pike

Related Articles

1/12/2021What to Expect From the New Supreme Court Term
3/23/2021'EFF to Supreme Court: Users Must Be Able to Hold Tech Companies Accountable in Lawsuits When Their Data Is Mishandled'
4/13/2021Open Government Under the Biden Administration
4/8/2021Access Partnership: 'U.S. Supreme Court Rules on API Copyrights and Trump's Use of Twitter'
5/11/2021FTC's Ability to Obtain Financial Relief for Consumers Hampered by Supreme Court


Comments Add A Comment

              Back to top