DOJ’s Revised CFAA Policy Clarifies Prosecutorial Strategy on “Exceeds Authorized Access” Language
Earlier this week, we discussed DOJ’s revised policy directing prosecutors not to charge “good-faith” security research as a violation of the CFAA. In addition to giving “white hat hackers” some reassurance, the revised policy also provides some clarity on DOJ’s approach to the CFAA’s elusive “exceeds authorized access” language. The CFAA makes it a crime if someone “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2). A “protected computer” is any computer “used in or affecting interstate or foreign commerce or communication,” meaning that the CFAA applies to virtually any computing device or network connected to the Internet.
The revised policy comes after courts and commentators raised significant concerns that DOJ could use the CFAA expansively to target individuals who embellish online dating profiles, pay personal bills while at work, or violate network terms of service. Over the years, we’ve written about how courts have struggled with whether the CFAA’s “exceeds authorized access” language applies to Zoom-bombing and misuse of legitimately accessed proprietary information. And last year, the Supreme Court clarified in Van Buren v. United States that the “exceeds authorized access” language of the CFAA does not reach individuals who have authorized access to particular information but use that authorization for an unauthorized purpose. Employees who check sports scores or shop online on their work computers breathed a collective sigh of relief.
DOJ’s revised policy responded to concerns articulated in Van Buren. According to the announcement, DOJ will focus its resources “on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.”
The issue of how a website’s Terms of Service interacts with the CFAA raises vexing questions about web scraping and other data collection, either for public-oriented ends or for private gain. While the policy articulates that prosecution may not be brought solely on a theory that an individual violated a website “term of service with an Internet service provider or web service available to the general public—including public websites (such as social-media services) that allow for free or paid registration without human intervention,” DOJ’s revised policy does name specific scenarios in which written contracts, agreements, or policies may result in a CFAA prosecution. These include situations where:
- a person accesses a multi-user computer or web service and is authorized to access only his own account but instead accesses someone else’s account; or
- service providers expressly revoke authorization through unambiguous written cease and desist communications to the person.
One reminder is that DOJ’s revised prosecutorial policy does not alter the potential scope of civil liability under the CFAA’s civil provisions or any state hacking or cybersecurity laws.
If you have questions about this new policy, please contact any of the authors or members of Arnold & Porter’s Privacy, Cybersecurity & Data Strategy group. We’ll continue to update you about new developments related to the CFAA here on Enforcement Edge.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.