U.S. Supreme Court Narrows Focus of Computer Fraud Law

In a diverse six to three decision, the U.S. Supreme Court rejected the U.S. Department of Justice’s (DOJ’s) interpretation of a major computer fraud law in a victory for security researchers.

The case before the Court, Van Buren v. United States, looked at how the Computer Fraud and Abuse Act (CFAA) criminalizes conduct of an individual who “exceeds authorized access” of a computer. The law, enacted in 1986, imposed criminal liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.”

The justices held that individuals only exceed their authorized access when they access a computer with authorization but then use that access to obtain information in areas—such as files, folders, or databases—that are restricted to them, wrote Justice Amy Coney Barrett for the majority.

NEW: SCOTUS adopts narrow reading of a key phrase in the Computer Fraud and Abuse Act (specifically, the definition of "exceed authorized access" on a computer). Court tosses the conviction of a police officer who searched an official police database for personal purposes.

— SCOTUSblog (@SCOTUSblog) June 3, 2021

The case reached the court after former Georgia police sergeant, Nathan Van Buren, used his patrol-car computer to access a law enforcement database to look up a license plate number in exchange for money. Van Buren used his own credentials to conduct the search and did not access any information he was not authorized to do so. His conduct, however, was a violation of department policy against obtaining database information for non-law-enforcement purposes.

The incident was part of an FBI sting operation, and Van Buren was charged violating the CFFA and convicted by a jury. Van Buren appealed his case to the Court, which heard oral arguments in November 2020 before issuing a ruling on Thursday.

Van Buren’s legal team argued that the “without authorization clause” of the CFAA was designed to protect computers from “outside hackers,” while the “exceeds authorization clause” of the law protects information within computers by targeting “inside hackers,” according to the opinion.

“Under Van Buren’s reading, liability under both clauses stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system,” Barrett explained. “This treats the clauses consistently and aligns with the computer-context understanding of access as entry.”

She further added that if the Court were to have accepted the DOJ’s interpretation of the law, many common computer activities would be considered violations of the law and could result in criminal penalties.

“For instance, employers commonly state that computers and electronic devices can be used only for business purposes,” Barrett wrote. “On the government’s reading, an employee who sends a personal email or reads the news using a work computer has violated the CFAA.”

Barrett was joined by Justices Stephen Breyer, Sonia Sotomayor, Elena Kagan, Brett Kavanaugh, and Neil Gorsuch. Associate Justice Clarence Thomas filed a dissenting opinion, which was joined by Chief Justice John Roberts, Jr., and Samuel Alito.

“Both the common law and statutory law have long punished those who exceed the scope of consent when using property that belongs to others,” Thomas wrote. “A valet, for example, may take possession of a person’s car to park it, but he cannot take it for a joyride. The Computer Fraud and Abuse Act extends that principle to computers and information. The act prohibits exceeding the scope of consent when using a computer that belongs to another person.”

The majority ruling received praise from a variety of researchers and technology rights groups, including the Electronic Frontier Foundation (EFF)—which filed briefs encouraging the Court to take the case and to make clear that violating terms of service is not a crime. The second brief explained that the government’s “broad interpretation” of the CFAA put computer security researchers at risk for “engaging in socially beneficial security testing through standard security research practices,” the EFF said in a press release.

The Supreme Court’s Van Buren decision is especially good news for security researchers, whose work discovering security vulnerabilities is vital to the public interest but often requires accessing computers in ways that contravene terms of service. https://t.co/rXE16IbOVH

— EFF (@EFF) June 4, 2021

“Today’s win is an important victory for users everywhere,” the EFF added. “The Court rightly held that exceeding authorized access under the CFAA does not encompass ‘violations of circumstance-based access restrictions on employers’ computers.’” 

The American Civil Liberties Union (ACLU) also praised the Court’s ruling, calling it an important victor for civil liberties and civil rights enforcement.

“The Supreme Court’s decision will allow researchers and journalists to use common investigative techniques online without fear of CFAA liability,” said Esha Bhandari, deputy director of the ACLU’s Speech, Privacy, and Technology Project. “It clears away a major barrier to online anti-discrimination testing and research, which is necessary to hold powerful companies and platforms accountable.”