Published by The Lawfare Institute
in Cooperation With
Does the Computer Fraud and Abuse Act prohibit a police officer who is authorized to access his employer’s computers from using his access in unauthorized ways? On Nov. 30, the Supreme Court picked up the phone to tackle that very question in oral argument in Van Buren v. United States, a case addressing the interpretation of two provisions of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §§ 1030(a)(2)(C) and (c)(2)(B)(i).
Section 1030(a)(2)(C) prohibits users of protected computers (meaning a computer covered by the statute) owned by others from “exceed[ing] authorized access.” Section 1030(e)(6) defines “exceeds authorized access” to mean “access[ing] a computer with authorization and ... us[ing] such access to obtain or alter information in the computer that the accesser [sic] is not entitled so to obtain or alter.”
Nathan Van Buren was a Georgia police officer who, in a sting operation, ran a license plate search for a friend in exchange for money. Van Buren used a police computer to perform the search. The Justice Department didn’t take kindly to Van Buren’s freelancing and charged him under the CFAA, 18 U.S.C. § 1030(a)(2)(C) (and for honest-services fraud).
At trial, Van Buren moved for judgment of acquittal on the ground that a person does not “exceed authorized access” when he “access[es] information that [he has] access to” even if that access is “for an improper or impermissible purpose.” The trial court denied the motion but, on Van Buren’s suggestion, instructed the jury that it must find that Van Buren used his access “to get or change information that [he was] not permitted to get or change.” The jury convicted him, and the trial judge sentenced him to 18 months in prison.
Van Buren appealed, arguing insufficient evidence supported his CFAA conviction. The U.S. Court of Appeals for the Eleventh Circuit disagreed, concluding that it was bound by its 2010 decision in United States v. Rodriguez, which held that a person “exceed[s] authorized access” to a computer when she accesses it for a prohibited use, even if she is authorized to access it for proper purposes. It acknowledged that the Second and Ninth Circuits had held differently but nevertheless stood by the holding in Rodriguez.
Van Buren appealed to the Supreme Court, which granted cert in April.
As Van Buren makes clear in the briefing, his argument at the Supreme Court is grounded in the CFAA’s text and purpose. The statute defines “exceeds authorized access” as, among other things, when someone is “not entitled so to obtain or alter” but does so anyway. The petitioner argues that the court should understand that language as not including misuse of authorized access. Where Congress has sought to prohibit misuse of access, it has done so explicitly—as in, for example, 10 U.S.C. § 923(a)(1), which prohibits retrieving classified information by accessing a government computer “with an unauthorized purpose.” He also argues the CFAA’s purpose is limited to hacking into computers without authorized access; that “only occurs when someone accesses information that he has no right at all to obtain.” Per the petitioner, a contrary interpretation would criminalize everyday activities based on computer owners’ purpose-based restrictions. Filling out a March Madness bracket, for example, would likely violate an employer’s policy against using work computers for personal purposes. (Though not mentioned at argument and cited only in passing in the petitioner’s brief, it bears mention that the same provision of the CFAA was among the charges prosecutors brought against Aaron Swartz, the young computer researcher and open-source activist who killed himself after being charged for using an MIT computer to mass-download papers from JSTOR.) And Van Buren urges the court to adopt his construction to avoid constitutional questions that flow from the Due Process Clause and First Amendment and in adherence to the rule of lenity, which counsels leniency in the application of ambiguous criminal statutes.
The government has a different read of the CFAA’s text and purpose. It argues that the plain meaning of “obtain[ing] ... information in the computer that the accesser [sic] is not entitled so to obtain” includes obtaining information for an unauthorized purpose. Why? The government argues that to be “entitled so to obtain” something, a person must have been “granted a right to do it in the particular manner or circumstance.” The government asserts that its reading of the text is consistent with Congress’s purpose—both in prohibiting malicious insider hackers in addition to external hacking and in extending common-law prohibitions on misuse of unowned property to computer systems. The government argues that other terms in the CFAA limit the expansive future interpretations that Van Buren is concerned about and the constitutional concerns they might raise. It also stresses that the lenity rule is inapplicable because the statute at issue is not ambiguous.
So how did oral argument go?
The summary below omits some repetition of questions by the justices or responses by the advocates. The argument is just over an hour, and if you’ve read this far, you know most of what you need to follow along. Consider giving it a listen.
Jeffrey Fisher is on the phone representing Van Buren. He opens by emphasizing that the CFAA addresses only hacking and warns of the wrongful prosecutions that a contrary interpretation would allow.
Chief Justice John Roberts asks about precedent. In Musacchio v. United States, he notes, the Supreme Court interpreted (a)(2)(C) as “provid[ing] two ways of committing the crime of improperly accessing a protected computer: obtaining access without authorization, and obtaining access with authorization but then using that access improperly.” How would you respond to that quote? Fisher replies that Musacchio was not dealing with the question presented here, so that should be understood merely as a passing “thumbnail” summary and nonbinding. Roberts pushes Fisher further, and Fisher argues that the statutory definition of “exceeds authorized access” goes against the Musacchio reading because it makes no mention of misuse or improper use. To clarify Fisher’s position, Roberts asks: Is it right that a bank employee who looks up customers’ social security numbers to sell to a third party would not be covered by Section 1030(a)(2)(C) under petitioner’s reading? Fisher responds, if she had access to the information, then she would not be covered unless she used someone else’s credentials to obtain the information. But the criminal law isn’t the only possible constraint, he argues—employment contracts and policies can adequately punish that conduct.
Justice Clarence Thomas is next. Given that Rodriguez has been the law of the Eleventh Circuit since 2010, he wants to know whether any of the “parade of horribles” the petitioner cites have come to fruition? No, says Fisher, not in the Eleventh Circuit; but in the Ninth, someone was charged with violating the CFAA for accessing someone’s Myspace account (the case was United States v. Drew in the Central District of California) and someone was sued under the CFAA for unauthorized use of Ticketmaster (that one was Ticketmaster L.L.C. v. Prestige Entertainment West, Inc.). And it’s important, Fisher urges, that courts not interpret statutes on the assumption that the government will use them properly.
Justice Stephen Breyer, next up, asks about legislative history. What should the court make of a 1986 Senate report accompanying the CFAA amendments that created § 1030(a)(2)(C), which suggests the amendments were about clarifying the law rather than changing its meaning? Fisher says other parts of the report that suggest the amendments were about preventing murkier uses of the law, including cases like this. Fisher asserts, the legislative history is, at best, indeterminate for the government’s position.
Then comes Justice Samuel Alito. He asks about several amicus briefs that raised concerns about what the petitioner’s interpretation would mean for personal privacy. Lots of government and bank employees, for example, get access to sensitive personal information in the course of their jobs. Wasn’t that part of Congress’s concern when they enacted this statute? No, Fisher says. Congress was concerned with hacking. Congress could criminalize some of that misconduct separately and avoid the risks of making this statute overbroad. But Alito follows up: Aren’t the examples of possible abuse a bit excessive? Is it really the case that someone who lies on their dating profile “obtain[s] information” under § 1030(a)(2)(C)? Fisher responds that a fibbing Tinder user obtains information by accessing information on the website about possible partners, in violation of the terms of service of the app.
Justice Sonia Sotomayor asks whether the government really needs this reading of the CFAA when other criminal statutes would cover Van Buren’s misconduct. Fisher says no, noting that Van Buren has pending charges for honest-services fraud for the same conduct. He also notes that the Justice Department has proposed limited expansions of the CFAA, which Congress could adopt. But, he says, this expansion of this statute by this court would be bad. Sotomayor asks how the statute could be limited. Fisher says there are lots of ways. The Justice Department has proposed some to Congress, and so did (Lawfare contributor) Orin Kerr in an amicus brief, but those should come from Congress.
Justice Elena Kagan asks what the meaning of “so” is in the statute. Fisher tells her it takes its dictionary definition: “in the manner so described.” She continues, what is it referring back to? Access to a computer with authorization. She moves to another subject: Clarify how your parade of horribles works. How would an employee violate the government’s reading by checking Instagram at work? Viewing photos on the website is “obtaining information,” Fisher answers, and perusing Instagram on a work computer would be an “improper purpose.”
Justice Neil Gorsuch wants to know about the constitutional implications of the parade of horribles that arises under the government’s read. Fisher explains that certain applications would raise First Amendment problems. But many more applications would raise vagueness concerns, because on the government’s reading, the statute must cover one of two things: Either it covers every possible circumstance, including, say, a parent telling his kid, “don’t use your computer to go on Facebook,” or it covers only some indeterminate subset of possible circumstances, in which case it violates basic fair-notice principles. Gorsuch asks next about practicality: Given the abundance of criminal laws available, what do petitioners see as the government losing if the court adopts Van Buren’s reading? Not much, says Fisher. Georgia state law prohibits the conduct at issue, and most of the hypotheticals raised in the government briefs are covered by another provision of federal law. Other forms of punishment, like employment sanctions, would deter offenders. And if Congress wants the CFAA to be available also, it can amend the statute to do so.
Justice Brett Kavanaugh picks up where Fisher left off. He asks: What are the federal statutes that address employees who exceed authorized access to obtain customer or other sensitive information? Fisher points to examples cited in his brief: a statute prohibiting unauthorized access of classified information; one banning unauthorized use of information held by the Social Security Administration; a trade secrets statute that was passed in the same 1986 law that amended § 1030(a)(2)(C) to its current language; and in many cases, the federal wire fraud statute. Kavanaugh asks about the 1986 Trade Secrets Act. If Congress was concerned about insider misuse, why would it limit this provision in 1986, as petitioners say it did? Fisher emphasizes that the amendment sought to remove the sort of murky application of the statute at issue here. Last, Kavanaugh asks whether requiring a mens rea of “willingness” would solve the problem by requiring that a defendant have known that her conduct violated the statute. But Fisher says that reading would still raise concerns about overbreadth.
Justice Amy Coney Barrett characterizes the petitioners view of the law as seeing authorization something as a user either has or doesn’t have, while the government sees it as a scope issue. Why, she asks, should the court understand authorization as a binary? The statute itself does not have a scope component, it merely asks whether the person was authorized to access the information, Fisher says. Barrett pushes back: But courts read in scope considerations in agency law, for example. Why not apply that notion here? Because Congress doesn’t seem to have incorporated it.
In closing, Fisher says the core problem is that if you think the statute is ambiguous, the statute gives no tools to distinguish the concerning scenarios from those that the government wants to pursue here.
Eric Feigin is on the call for the government. Feigin opens by stating that Van Buren used his access to obtain database information that he was not “entitled so to obtain” when he conducted his search. Insider misuse is precisely what § 1030(a)(2)(C) was meant to target. Feigin analogizes to physical property rights: a statute prohibiting those who have access to a warehouse from using that access to acquire items they are not entitled so to obtain would clearly address a person who was allowed to take items for some purposes but not others. He says the statute does not cover the petitioner’s parade of horribles because prosecution for those behaviors is unlikely due to textual restrictions in the CFAA, like the need for an authorization-based system and use of the access to reach otherwise inaccessible data.
Chief Justice Roberts asks, first, whether petitioners are correct to say that anyone who violates a website’s terms of service or a workplace manual’s computer use rules is violating the CFAA? No, Feigin says. Terms of service on a public website are not an authorization-based system because it’s not based on a specific individualized judgment to grant. Roberts interjects: What about every system that has a password? What Congress contemplated were people who were “insiders,” people individually authorized. But Roberts asks for an argument based on the text. Feigin says the government’s reading of the word “authorization” makes sense in this context and is consistent with the dictionary definition that the court adopted in County of Washington v. Gunther (which said that though “the word ‘authorize’ sometimes means simply ‘to permit,’ it ordinarily denotes affirmative enabling action”). It’s also the most natural meaning, Feigin argues. One would not say, for example, that a museum requires authorization when it just requires visitors to put a name on a sign-up sheet. Services like Facebook that will give an account to anyone are not authorization-based systems. This statute is concerned with authorization that’s based on affirmative consideration of an individual.
Justice Thomas asks Feigin to respond to the petitioners’ lenity argument. Feigin offers two answers. First, § 1030(a)(3)(C) is not an adequately ambiguous statute to permit use of the lenity canon. But if the court does think it should apply lenity here, it should apply it to the words “authorization” or “use” (presumably, in the parade of horribles hypotheticals), not the word “so.” Thomas next points out that the original 1984 statute seemed to address the question more directly than its 1986 amendment. Can you explain why, without putting much weight on the legislative history, the amendment doesn’t shrink the meaning? Feigin says that the change was intended to simplify the language, arguing that the previous language might have suggested that there was a need to look to the reasons for the authorization. He says the new language focuses more on the limits inherent in the authorization itself, and the legislative history confirms this reasoning.
Justice Breyer comes in hot: Don’t the terms of service that users accept when creating an online account set the limits on their access? And if not, why? Feigin says no, because of the limits on the meaning of “authorization” in Washington County. But what if my employer says not to use my email for personal purposes and I do, asks Breyer. Feigin responds that there is a second limiting feature in the statute. If an employee has been specifically, individually authorized to use a computer, the term “use” also limits the scope of the statute. It requires the user to do something he couldn’t otherwise do, because the CFAA refers separately to using the computer and using one’s access. That means that “using the access” must be narrower, but § 1030(a)(2)(C) says you have to use the access in order to violate the statute. So if you use your computer to email a friend to schedule lunch, something you could have done from your phone, you’ve “used the computer” but not “used the access.”
Justice Alito says it seems hard to decide the case based on the briefs. The petitioner’s briefs argued that other statutes cover the privacy concerns amici raised, but he says he doesn’t know what they are. The government brief argued that there are limiting interpretations that restrict the danger of the parade of horribles the other side identifies, but he doesn’t know what they are. He asks whether the court should get specific briefing on the meaning of these terms. Feigin replies that the problem arises from how the petitioners have teed up the case. They’ve argued that the only restriction in the statute is the “entitled so to” clause and then trotted out the parade of horribles. There are other restrictions in the statute, but specific briefing here is not appropriate because petitioners acknowledge that Van Buren’s conduct satisfies them. But the parade of horribles is short—and, in the case of one of the examples, maybe not so horrible. The Myspace case resulted in a judgment of acquittal, and the Ticketmaster case involved someone hiring foreign hackers to access a company’s computers. Feigin says that shows that the government generally has understood that this statute does not cover what the petitioners are concerned about.
Justice Sotomayor asks whether the government’s reading makes a separate provision of the CFAA that prohibits accessing a computer “without authorization” superfluous? Feigin says no. If that’s what Congress wanted to pass, it would have passed a statute that criminalized “accessing a computer and obtaining information that the accesser is not authorized to obtain.” But Congress wrote two provisions: one for those who access information “without authorization” (hackers) and one for those who “exceed authorized access” (insiders). Sotomayor asks: What about provisions like § 1030(a)(4), which prohibits exceeding authorized access for a fraudulent purpose—why isn’t that provision superfluous on the government’s theory? Feigin offers an example: (a)(4), but not (a)(2)(C), would cover an Amazon employee who has access to the ordering database and who modifies that database to get an extra item delivered to himself or herself. Roberts moves on to Justice Kagan before he finishes.
Justice Kagan asks: Based on the government’s brief, it seems that the government would concede that if the word “so” was not in the statute, the government would lose this case? It would be tougher, Feigin concedes. Kagan says she understands the petitioner’s argument to mean “by accessing a computer” and the government to say “so” means “by using [one’s] access.” Why is the government’s reading better? Feigin says the government’s reading should win because of the canon against surplusage. If “so” only means that the statute covers someone who could get similar information from a non-computer source, then “so” would be surplusage, because the provision would cover that anyway. But Kagan pushes back: It seems that the petitioners’ reading is that “so” prevents using the statute where a person could access the information in a nondigital manner. Feigin says that limitation is already built into the statute, which is limited to information in the computer based on the fact that the statute covers not only obtaining but also altering.
Justice Gorsuch explains that he sees this case as the latest in a long line in which the government has sought to expand federal criminal jurisdiction in controversial ways. (He mentions Maranello, McDonald, Yates and Bond.) The court has rebuffed the government in each. So, Gorsuch asks, why is the government seeking another expansion by the courts of the federal criminal code? Feigin says the government believes the statute is properly aimed at conduct like Van Buren’s. He explains that the government agrees that the concerning cases petitioners cite, including the Drew case, should not be brought. But Van Buren’s case—a police officer tipping off a criminal with information gleaned from a database—is exactly the type of misconduct Congress wanted the government to be able to go after, because the officer is abusing his trust in having access to these databases.
Justice Kavanaugh wants to talk about the text. “Accesses a computer without authorization,” he says, seems to mean accesses a computer someone is not allowed to be on. Exceeding authorized access and obtaining information seems to mean a person is allowed to use a computer but not to look at certain files, and looks at the files anyway. Misusing the information obtained seems like a distinct act. Why is that reading wrong as a textual matter? Feigin responds that if that’s what that reading of the “exceeds authorized access” provision covers, it would be like saying a cashier can’t go into a store’s petty cash box because he’s not allowed—but that he can take as much money out of the cash register for personal use because he’s entitled to use the register to make change. It’s not just limited to files. It goes to limits of the authorized uses. “Authorization” may be amenable to multiple meanings here. The government believes “authorization” means specific individual access. There might be a question of how specific the authorization has to be, but the basic definition is right. Kavanaugh asks whether the government is stretching the anti-surplusage canon, given Gorsuch’s characterization of the government’s request as seeking an expansive interpretation of the CFAA. Feigin responds that here, “so” really is making sure the statute covers who Congress intended it to: insiders.
Justice Barrett returns to the theme of her questions to the petitioners: the extent to which scope is inherent in authorization. She asks Feigin to explain the government’s view. He says, when a person uses access in a manner not authorized “so to” use it, you’re exceeding a limit on your authorization.
In closing, Feigin urges that the petitioner’s parade of horribles should not lead the court to abandon how it read the statute in Musacchio, lest a variety of misconduct be beyond the reach of federal law enforcement.
In rebuttal, Fisher emphasizes the weight the government is putting on the word “authorization.” But there are problems with that. First, the government uses it to suggest most public websites are accessed without authorization, which itself would give rise to problematic liability under the CFAA. But logging into Westlaw or a work email account, or satisfying an age requirement on Facebook, counts as authorization and shows the breadth of the government’s proposed reading. Last, he notes the level of trust the government is asking for when it says it won’t abuse the statute. “Trust us,” he says, is not enough assurance.