Supreme Court Limits Scope of Computer Crime Law

Nathan Van Buren was a police officer in rural Georgia. As such, he had lawful access to both the National Crime Information Computer (NCIC) and the Georgia Crime Information Center (GCIC) with the understanding that he could use the computer for “law enforcement purposes only.” When a man asked Van Buren to run a license plate number for an exotic dancer in return for $1000, Van Buren used the access he was lawfully provided to run the plate.

Unfortunately for Sgt. Van Buren, the person asking to run the plate was working with the FBI on a sting operation. So, was Sgt. Van Buren a “hacker,” and can the government use the federal hacker law to prosecute him for violating the rules on using the Georgia database? On June 3, 2021, the United States Supreme Court overturned Van Buren’s criminal conviction for violation of the federal Computer Fraud and Abuse Act, Title 18 USC 1030, a 1986 law that made it a crime to “access” a computer without authorization or to exceed the scope of authorization to access a computer and thereby obtain information.

In doing so, the Court, led by Justice Amy Coney Barrett, at least partially resolved a split among the federal courts over the meaning and intent of the law, and specifically over whether a person can be turned into a criminal simply for violating a contract-based term or condition.

T’s and C’s

The purpose of the federal computer crime law—at least when it was originally passed in 1984 and subsequently amended in the mid 1990s—was to permit the prosecution of computer hackers and to close a loophole in trespass and theft laws whereby a physical trespass into a building or dwelling was a crime, but an electronic trespass into a computer network, without more, was not. The law attempted to parallel the law of trespass, criminalizing the “unauthorized access” (breaking in) to a computer. This prohibition was later expanded to include as a crime “exceeding authorized access.” But “exceeding authorized access” can mean that you have authorized access to go to place A, but you instead use that authorization to go to place B, where you are not authorized to go. Alternatively, it could mean having authorization to go to place A for one purpose but going to place A for a different purpose. Or, having authorization to go to place A for one purpose, going to place A for that purpose, but then doing something that is not within that purpose. Or, finally, having authorization to access place A for one purpose, going there for that purpose, accessing files and records for the authorized purpose, and later using those documents or records for another purpose. In short, the terms “unauthorized access” and “exceeding authorized access” can mean many different things, depending on the circumstances.

The Supreme Court held that the law must be read narrowly to accomplish the purpose for which the statute was enacted—to prevent computer hacking. To exceed authorized access, the Court noted, would require proof of some technological effort (such as password cracking, phishing, etc.) to bypass a security measure intended to prevent or restrict access. Merely doing something that the operator of the system you used did not want you to do, or lawfully accessing a database for unlawful or unpermitted purposes, may be a crime, but it is not the hacking prohibited by the statute.

The majority emphasized that the statute was primarily an “anti-hacking” statute, and not an “anti-use of stolen information” statute. Civil provisions in the statute which allow litigants to sue for violations also focus on issues like “damage” and “loss” resulting from the “hacking,” something that the majority of the Court found could not be an issue with respect to Van Buren’s lawful access to the Georgia police database.

Indeed, the vast majority of cases referencing the Computer Fraud and Abuse Act are not criminal cases, but disputes between businesses over the use of electronic data. They are suits by employers against departing employees for accessing the employer’s database to take information that they then use to compete, or suits by one company against another for things like “scraping” data from the competitor (like pricing data or otherwise public data) and using that data to undercut the competitor in violation of a Terms of Service or Terms of Use agreement on a website. All of these civil lawsuits are now suspect after the Van Buren decision. The Supreme Court majority also noted that “the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity.” In fact, the government has, in the past, criminally prosecuted people for things like giving incorrect information to a social media company in violation of its terms of service and terms of use. The Court majority pointed out that, if the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals:

Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So, on the Government’s reading of the statute, an employee who sends a personal email or reads the news using their work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.

Most people’s access to computers, databases or information online is dictated by terms of service, terms of use, software license agreements, acceptable use policies, data privacy and data security policies, or the terms of employment or access agreements. These agreements can run to hundreds of pages of legalese, and contain obscure, confusing and even contradictory or ambiguous terms that dictate what you may or may not do online. For example, an acceptable use policy may prohibit the use of a computer, network or social media account for “abusive” or “improper” purposes, or for harassment, or to post information that is false, defamatory or otherwise prohibited.

So, if you link a Facebook or Twitter post to a broadcast by Fox News about Dominion Election Systems (which is now the subject of a multi-billion dollar defamation lawsuit), there is no doubt that the social media companies can determine that the posting violates their AUP, and restrict the posting. But can they have you arrested for “exceeding your authorization to access” their computer? I mean, when you signed up for Facebook, you agreed not to post false material; Facebook determined that the material was false (a factual issue you can dispute at your criminal trial); your access to Facebook was conditioned on your adherence to the AUP; you violated the AUP; therefore, you “exceeded your authorization” to access Facebook or Twitter. The slope is mighty slippery.

Because the federal computer crime statute provides for both civil and criminal penalties and, in many cases, permits companies affected by a violation to sue the alleged violator, many of these computer trespass lawsuits have arisen in the context of business disputes. An employee of a company accesses company confidential information (sales information, prospects, etc.) and either gives it to another company, sells it, or uses it after leaving the company. The employee is permitted to access the company’s database for the business of the company, and so, on the broad reading, the “access” to their own email, or to information they would otherwise be lawfully entitled to, becomes access in excess of their authorization when they use the data (or the access to that data) for an unpermitted purpose.

So, if your company prohibits the use of personal email on a corporate computer, accessing your Gmail account becomes a hacking offense. If the company prohibits personal use of corporate email, your solicitation of coworkers to buy Thin Mints becomes a federal crime. The dissent, led by Justice Thomas and joined by Chief Justice Roberts and Justice Alito, disagreed with the Court’s narrowing of the traditional “real world” definition of “trespass,” pointing out that, in the “physical” world, one commits a trespass not only when one enters onto the property of another without permission, but also when one does so for a prohibited purpose. A person with a bad motive or bad purpose has no “permission” to do what they do, and is therefore criminally trespassing—both in the real world and in the virtual world.

Access Without Authorization

To prove access without authorization, the Court majority noted, the plaintiff or government would have to prove some effort to bypass a technological measure or to falsely hold oneself out as being authorized to access (e.g., use of stolen credentials). To prove that a user “exceeded” authorization, it would have to be shown that, at least with respect to the access to the computer or network, the user who may have had access to one part of the network lacked permission to access the portion of the network or data that they actually accessed—not that they simply used lawful access for a prohibited purpose.

The case may have wide implications, particularly for the use of the CFAA in civil disputes such as unfair competition, breach of contract and employment disputes. Congress could, of course, write a broader law that would include as a crime mere “permission”-based or “breach of Terms of Service” offenses—it’s just that the Court holds that, when Congress wrote and amended the anti-hacking statute, it did not.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.