Skip to site navigation Skip to main content Skip to footer content Skip to Site Search page Skip to People Search page

Alerts and Updates

SCOTUS Limits Scope of Computer Fraud and Abuse Act, Which Could Impact Terms of Use Agreements

June 21, 2021

SCOTUS Limits Scope of Computer Fraud and Abuse Act, Which Could Impact Terms of Use Agreements

June 21, 2021

Read below

On June 3, 2021, in Van Buren v. United States, the Supreme Court resolved the circuit split in favor of the narrow view, placing new limits on criminal prosecutions under the CFAA.

The Computer Fraud and Abuse Act (CFAA) subjects anyone who “intentionally accesses a computer without authorization or exceeds authorized access” to criminal prosecution. 18 U.S.C. § 1030 (a)(2). The statute—enacted in 1986 and originally meant to prosecute hackers—defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. §1030(e)(6). Over the years, a circuit split emerged regarding the definition of “exceeds authorized access.” More expansive readings of “exceeds authorized access” had previously been used in civil actions and in high-profile prosecutions of social media cyberbullies, a Social Security Administration employee and Reddit co-founder Aaron Swartz’s mass download of articles from the JSTOR database.

On June 3, 2021, in Van Buren v. United States, the Supreme Court of the United States resolved the circuit split in favor of the narrow view, placing new limits on criminal prosecutions under the CFAA. In a 6-3 decision authored by Justice Amy Coney Barrett, the Court backed a “gates-up-or-down” approach, holding that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him.” As a result, accessing of authorized areas for improper purposes no longer creates a CFAA violation.

The Underlying Case

In the underlying case, former Georgia police Sergeant Nathan Van Buren was prosecuted for accessing a law enforcement database to look up a particular license plate number in exchange for money. Van Buren used his own, valid credentials to access the database, but in doing so, he violated a department policy prohibiting use of the database for purposes other than police business. Van Buren was eventually charged with and convicted of a felony violation of the CFAA and sentenced to 18 months in prison.

Van Buren appealed his case to the Eleventh Circuit Court of Appeals, arguing that authorized access for an unauthorized purpose did not violate the exceeds authorized access clause. In reliance on prior Eleventh Circuit precedent, the Court of Appeals upheld his conviction, reasoning that Van Buren violated the CFAA by accessing the database for an “inappropriate reason.” The Supreme Court granted Van Buren’s petition for certiorari.

The Court’s Concerns About Criminalization of Common Activities

In overturning Van Buren’s conviction, Justice Barrett’s opinion noted that most workplaces have policies limiting computer use to business purposes; so, under an expansive definition of “exceeds authorized access,” anyone who agrees to such a policy and then sends a personal email or reads the news from his work computer will have committed a felony violation of the CFAA. The opinion also noted that many websites require users to agree to detailed terms of service as a condition of access, and that the expansive reading would thus “criminalize everything from embellishing an online-dating profile to using a pseudonym on [social media].” Faced with this reality, Justice Barrett concluded that, “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.”

Important Questions Remain Unanswered, but the Court Provides Clues

Prior to this decision, numerous scholars and tech luminaries have noted the chilling effect created by the expansive reading of the exceeds authorized access clause, particularly as applied to the CFAA’s parallel civil enforcement provisions. The Van Buren opinion does not definitively resolve the question of whether unauthorized access must be barred by a hardware or software gateway or if activity can become unauthorized merely through a contractual ban. Largely for that reason, the practical effects on the civil enforcement provisions remain to be seen.

Justice Barrett’s heavy reliance on the expansive reading’s real world effects, however, provides clues to future rulings interpreting the CFAA. All five of the newest justices and Justice Breyer joined to limit the CFAA’s application based in large part on the real world conditions regarding terms of service and employee computer-use policies.

What the Ruling Means for Companies

Companies that are heavily dependent on terms of use and internal corporate policies to protect sensitive data should stay abreast of continued developments in the law and consult legal counsel to determine whether best practices now require the institution of additional technological “gating” within their systems.

For More Information

If you have any questions about this Alert, please contact Shannon Hampton Sutherland, Seth Kugler, any of the attorneys in our Computer Software and Systems Litigation Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.