With an unusual array of votes, the U.S. Supreme Court has narrowed the scope of the Computer Fraud and Abuse Act (CFAA), which is pleasing data scrapers, but raises concerns about trade secret protection. The CFAA, enacted in 1986, provides for civil and criminal penalties against anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” thereby obtaining certain sensitive information. In Van Buren v. United States, the court’s most recently appointed justice, Amy Coney Barrett, wrote that the phrase “exceeds authorized access” only refers to situations in which a person accesses specific areas of the computer, “such as files, folders, or databases” that are off-limits and does not apply to misuse of information.
The CFAA was enacted relatively early in the days of networked computers. Inspired in part by the 1983 movie WarGames, in which a teenager hacks into a NORAD computer, the act was an attempt to provide criminal sanctions as well as civil penalties for unauthorized access to computer systems. This had previously been addressed only by various fraud-related statutes. The CFAA covers most connected computer systems, whether they are inside or outside the U.S., as long as they affect “interstate or foreign commerce or communication.” The act has been amended several times, but the core language of accessing a computer “without authorization” and “exceed[ing] authorized access” has largely remained intact.
As courts have interpreted and applied the CFAA over the years, a difference of opinion has emerged over how broadly the phase “exceeds authorized access” should be interpreted. Some courts have interpreted it narrowly, focusing on the hacking aspect of illegally gaining access to a computer or its systems through bypassing protections that have been put in place. Other courts have interpreted the language more broadly, applying the CFAA in situations where a particular person has access to a computer or its files, but then uses that information outside the scope of their authorized reason for access.
Driver’s License Information
The Van Buren case provides a perfect example of the broader interpretation of the CFAA. Nathan Van Buren was a police officer who had authorized access to a law enforcement database. He was approached by a friend to obtain license plate information pertaining to a third party in return for money. He used his patrol car’s computer and his authorized credentials to retrieve the information, sharing it with the friend, who was part of an FBI sting operation. Van Buren was arrested and charged with a criminal violation of the CFAA.
The case went to an appellate court, with Van Buren advocating for the narrower interpretation of the act, arguing that the information he obtained was within the scope of his “authorized access,” notwithstanding his misuse of it later, and that the CFAA did not apply. The appellate court disagreed and upheld Van Buren’s criminal sentence.
‘Entitled So to Obtain’
The Supreme Court reversed and held that the language of the CFAA makes it clear that it only applies to “information in the computer that the accesser [sic] is not entitled so to obtain.” In deciding how to interpret this language, the court focused on the phrase “entitled so to obtain,” determining that there is a connection between “entitled” to obtain and “actually” obtaining the information. A user, such as Van Buren, gaining authorized access via a password or other system is “entitled” to the information; the entitlement extends to the information that the password allows him to obtain. The court used the example of a person’s password allowing him access to information in “Folder Y,” regardless of his intended use of the information. The violation is if he obtains information from “Folder X,” to which his password does not provide him access.
The court’s opinion is lengthy and contains an extensive and nuanced discussion of the text of the act, with several pages alone dedicated to the word “so” as used in the phrase “entitled so to obtain.” The court also recognized the pitfalls of the broad interpretation of the act, suggesting that it would “attach criminal penalties to a breathtaking amount of commonplace computer activity.” Any violation of a computer use policy, a terms of service click-wrap agreement, or a similar contract could subject a person to the act’s criminal penalties.
The 6-3 Supreme Court opinion was outside of the conservative-liberal split of the court, with conservative justice Barrett joined by liberals Stephen Breyer, Sonia Sotomayor, and Elena Kagan, along with fellow Trump administration appointees Neil Gorsuch and Brett Kavanaugh. The three Trump appointees are largely seen as “textualists” in interpreting and applying statutes—i.e., they focus on the specific language of the text and less so on interpretation, context, or intent. The three liberal justices may have felt for similar reasons that the act simply went too far in criminalizing comparatively commonplace computer activity.
A narrower reading of the act is seen as favorable for engaging in data mining, investigative and journalistic research, and global activism. It is seen as less favorable for companies that rely heavily on terms of service agreements and for the protection of trade secrets. A company can no longer use the CFAA’s criminal or civil penalties against authorized users, such as employees or contractors, who leverage their legitimate access into company databases for their own or a competitor’s use.
One area that seems to remain uncertain is that of data scraping: the use of bots and other automated applications to obtain public information from thousands of databases for various purposes—often marketing, demographics, or competitive intelligence. hiQ Labs v. LinkedIn is a recent case in the 8th U.S. Circuit Court of Appeals in California that involved hiQ’s scraping of public data from LinkedIn profiles to create data analytics products. [See “Data Scraping and the Law,” the Legal Issues column on page 24 of the April 2021 issue of Information Today. —Ed.] LinkedIn claimed that hiQ violated the CFAA even though the information was public, because hiQ violated its terms of service agreement and had been ordered to stop.
On its face, the Supreme Court’s decision in Van Buren would seem to favor hiQ’s activities. However, hiQ’s use of bots, its continued activity after being ordered to stop, and issues involving the rights of LinkedIn users make the answer not so clear-cut.
Terms of Service Contracts
Misuse of information obtained from computer systems can remain legally questionable even if it is no longer a CFAA violation. Terms of service agreements are enforceable contracts. Violating your company’s computer use policy can result in sanctions. Misuse of trade secrets can have potential civil as well as criminal liability without invoking the CFAA. However, it is apparent that in most circumstances, the Supreme Court’s Van Buren decision is a very clear narrowing of the act and takes a significant arrow out of the quiver of companies and others that are trying to protect and control the use of the information on their computer systems.