In a 6-3 decision in Van Buren v. United States, the Supreme Court rejected the government’s expansive reading of the Computer Fraud and Abuse Act (CFAA), which the Court recognized “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” CDT has long challenged overbroad application of the CFAA and joined computer security researchers and other organizations in filing an amicus brief with the Court explaining that the government’s interpretation would chill vital computer security research. The Court rightly held that liability under the CFAA cannot be based on mere violation of the terms of service or other “purpose-based limits on access.”
The CFAA generally prohibits obtaining information as a result of accessing a computer without authorization or “exceed[ing] authorized access.” The latter phrase has given rise to competing interpretations. The statute defines the phrase to mean “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.” The government has taken the view that a person otherwise entitled to access a computer who violates a computer use policy, terms of service, or other “circumstance-based access restrictions” exceeds their authorized access. As the Court explained, that reading potentially “criminalize[s] everything from embellishing an online-dating profile to using a pseudonym on Facebook.”
The Court rebuffed that approach and instead concluded that “exceeds authorized access” only “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend.” Thus, the Court explained, liability “stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.”
Although the Court’s decision does not remove all ambiguity surrounding the CFAA, it provides some welcome clarity. Security researchers, for example, should not be subject to threats of potential criminal liability under the CFAA for engaging in common practices such as accessing publicly available information or port or network scanning, even if doing so violates restrictions in the terms of service or other written policy. Interpreting the CFAA to effectively empower a computer owner to create criminal liability through a provision in the terms of service or computer use policy was always prosecutorial overreach, and computer users of all stripes will benefit from the Court’s adoption of a more cabined interpretation.