The Supreme Court Hears Oral Arguments on the Scope of the CFAA
On November 30, 2020, the Supreme Court heard arguments in its first consideration of the scope of the Computer Fraud and Abuse Act(CFAA), 18 U.S.C. § 1030, the most important federal anti-hacking law. The case, Van Buren v. United States, No. 19-783 (U.S.), is before the Supreme Court on a petition for certiorari to review the Eleventh Circuit's decision to uphold the conviction under the CFAA of former police officer Nathan Van Buren for accepting $6,000 to check law enforcement records in a computer database to determine if someone was an undercover police officer.
The CFAA prohibits "intentionally access[ing] a computer without authorization or exceed[ing] authorized access." 18 U.S.C. § 1030(a)(2). "[E]xceeds authorized access" is further defined to mean "access[ing] a computer with authorization and . . . us[ing] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). As discussed in a previous Enforcement Edge post, courts have been split over the meaning of "authorization" in the statute. The First, Fifth, Seventh, Eighth, and Eleventh Circuits have held that mere improper use of a computer, such as use that violates terms of service, violates the CFAA. In contrast, the Second, Fourth, Sixth, and Ninth Circuits have found a violation of the CFAA only when a person bypasses some sort of code-based restriction, such as by misusing another user's password or exploiting a security flaw.
Oral argument highlighted points from both sides of the split. Justice Neil Gorsuch, Justice Sonia Sotomayor, and Chief Justice John Roberts questioned whether the expansive interpretation was "dangerously vague." Van Buren and amici raised the specter that actions such as lying about one's weight on a dating website or sharing passwords on a website that streams content could give rise to criminal liability. Other justices, however, expressed discomfort that a narrower reading of the statute would remove protections for personal privacy. For example, Justice Samuel Alito pointed to the dangers of misusing the highly personal information that many government employees access in the course of performing their jobs, a concern echoed by Justice Clarence Thomas. In addition to the issues relating to the meaning of "authorization," the Justices also considered whether similar conduct is prosecutable under state law rather than federal law, showing some hesitancy about expanding federal criminal liability under the CFAA.
The Supreme Court may set a national standard for the definition of "exceeds authorized access" under the CFAA. Because the CFAA contains criminal provisions and a civil cause of action, any decision will have substantial implications for criminal and civil computer hacking, fraud, and trade-secret cases. The Court's decision is expected by the end of October Term 2020, likely in June or July 2021.
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.