The Supreme Court overturned the conviction of a former police officer who was accused of violating the country's core anti-hacking statute by accessing information in a law enforcement database in exchange for money. The decision stands to substantially limit tech companies' ability to enforce their terms of service against users who violate them.
The 6-3 decision in Van Buren v. United States marks the first time the court has ruled on the Computer Fraud and Abuse Act. In a narrow reading of the law, the court essentially interpreted the CFAA as a prohibition on breaking into a computer system, whether that's as an outside hacker or as an authorized user breaking into some gated part of that system.
"This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend," the majority opinion reads. "It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them."
The case has been closely watched in tech and privacy circles due to its implications for the legal interpretation of the CFAA, a notoriously vague law that forbids accessing a computer "without authorization or exceeding authorized access." The U.S. government argued that the former police officer, Nathan Van Buren, did just that when he accepted a bribe and improperly accessed a woman's license plate information in a government database as part of what turned out to be an FBI sting. While Van Buren was an authorized user of that database, the state argued he had exceeded his authorization in using it for that purpose.
But Van Buren argued that was an overly broad interpretation of the law. If a user of a computer system is breaking the law simply by violating the terms of that system, he argued, then anyone could be found guilty of violating the CFAA for, say, using their work computer for personal reasons. Recently, tech giants like Facebook have sought to shut down research projects for violations of their terms of service, and groups like the Electronic Frontier Foundation that sided with Van Buren argued that expanding the interpretation of the CFAA could make it easier for companies to exert legal power over their users.
The court ultimately sided with Van Buren. "The Government's interpretation of the 'exceeds authorized access' clause would attach criminal penalties to a breathtaking amount of commonplace computer activity," the opinion, written by Justice Amy Coney Barrett, reads. "For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government's reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA."
Defining the word 'so'
The CFAA is pretty clear about what it means to break into a computer system as an unauthorized user. But the Van Buren decision creates an important clarification about what it means to be an authorized user who exceeds that authorized access. The decision rests in part on a close read of the statute, which defines exceeding authorized access to mean accessing a computer "with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."
The question was whether Van Buren was, in fact, "entitled so to obtain" the information in the database he accessed. The government read the clause broadly, interpreting it to mean that authorized users of a computer system could exceed authorized access by accessing readily available information in certain unauthorized circumstances. But Van Buren argued, and the court agreed, that he would only be violating the statute if he had used the computer to access gated information he shouldn't have had access to.
What's less clear from this decision, as Berkeley Law professor Orin Kerr pointed out on Twitter, is how exactly the court defines a gate. "Does there need to be a technological gate, or can a gate of words ('do not access this computer for a bad purpose') suffice?" Kerr asked.
Not everyone viewed the court's framing as particularly helpful; some called instead for more extensive reform of the CFAA. "We're now going to have an endless string of debates about what the hell 'areas of a computer' means, as though that is a meaningful mental model for thinking about how computers actually work," tweeted Blake Reid, a professor of technology policy at Colorado Law. "I guess the upside is that the court says we're now going to use a sort of geographically oriented frame for that analysis, looking at *what* you're authorized to access and not deeply examining the reasons why."
Still, the majority opinion appears to substantially impact tech companies' ability to argue that their users — all authorized to access their platforms — have violated the CFAA by disobeying their terms of service, which often forbid activities like data scraping or creating false identities. Researchers have argued both tactics are essential to better understanding online platforms.
In his dissent, Justice Clarence Thomas offered a broader interpretation of what it means to exceed authorized access. "The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have 'exceed[ed] authorized access' to the database when he used it under circumstances that were expressly forbidden?" Thomas wrote. "In my view, the answer is yes."
Thomas also took issue with the court's concerns about criminalizing all kinds of benign behaviors. "Much of the Federal Code criminalizes common activity," Thomas wrote. "It is understandable to be uncomfortable with so much conduct being criminalized, but that discomfort does not give us authority to alter statutes."
This story has been updated to include additional information from the court's decision.