Supreme Court narrows Computer Fraud and Abuse Act: Misusing access not quite the same as breaking in

The US Supreme Court on Thursday limited the scope of the 1986 Computer Fraud and Abuse Act (CFAA) in a ruling that found a former sergeant did not violate the law by misusing his access to a police database.

When he was a police officer in Georgia, Nathan Van Buren used his credentials to log into the computer in his patrol car to access a license plate database at the request of an acquaintance – who, unbeknownst to Van Buren, was participating in an FBI sting operation.

Van Buren provided the acquaintance with information from the database, and the FBI arrested Van Buren on the basis that the database search, done outside of the scope of his duties and contrary to department policy, violated the CFAA's "exceeds authorized access" clause of 18 U. S. C. §1030(a)(2).

In 2017, a jury convicted Van Buren, and he subsequently received an 18-month prison sentence. Van Buren appealed, arguing that the CFAA does not apply to misuse of existing system access, but the Eleventh Circuit Court of Appeals upheld his conviction.

The CFAA prohibits accessing a protected computer "without authorization" and accessing a protected computer in a way that "exceeds authorized access." The problem with these ill-defined terms is that there's been disagreement in different courts over whether the law imposes criminal liability for violating Terms of Service (ToS) agreements.

Some US courts have taken the statute to mean that ToS violations constitute criminal offenses, whereas others interpret the law more narrowly to apply only when there's some element of hacking or breaking into a system.

• Supreme Court mulls whether a cop looking up a license plate for cash is equivalent to watching Instagram at work
• CFAA latest: Supremes to tackle old chestnut of what 'authorized use' of a computer really means in America
• Infosec big names rally against US voting app maker's bid to outlaw unsanctioned bug hunting via T&Cs
• Infosec big names rally against US voting app maker's bid to outlaw unsanctioned bug hunting via T&Cs

"Access 'without authorization' is understood to require some kind of breaking in," said Orin Kerr, law professor at UC Berkeley School of Law, via Twitter. "The question here is whether 'exceeds authorized access' does, too."

That question was mostly resolved in the Supreme Court's 6-3 decision today in Van Buren v. US [PDF]. Writing for the majority, Associate Justice Amy Coney Barrett said Van Buren, though he flouted departmental policy, did not violate the CFAA by abusing his computer system access.

"This provision [of the CFAA] covers those who obtain information from particular areas in the computer — such as files, folders, or databases — to which their computer access does not extend," Associate Justice Barrett wrote. "It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them."

Qualified support

The ruling was welcomed by the Electronic Frontier Foundation, which has argued for years that the vaguely worded statute needs to be clarified.

"EFF has long fought to reform vague, dangerous computer crime laws like the CFAA," said EFF Senior Staff Attorney Andrew Crocker in a statement to The Register. "We're gratified that the Supreme Court acknowledged that overbroad application of the CFAA risks turning nearly any user of the Internet into a criminal based on arbitrary terms of service.

"We remember the tragic and unjust results of the CFAA's misuse, such as the death of Aaron Swartz, and we will continue to fight to ensure that computer crime laws no longer chill security research, journalism, and other novel and interoperable uses of technology that ultimately benefit all of us."

The ruling means that the violation of ToS rules alone is not a criminal offense under the CFAA, and solidifies lower court rulings that came to that same conclusion, such as Sandvig v. Barr last year. In that case, the US District Court for the District of Columbia ruled that researchers providing false information to employment websites to test for discriminatory algorithms did not violate the CFAA, even if doing so violated the site's ToS.

"I am elated that the Supreme Court made clear today that violations of websites’ terms of service alone do not constitute violations of the Computer Fraud and Abuse Act," said Alan Mislove, one of the plaintiffs in Sandvig, and a professor of computer science at Northeastern University, in a statement issued by the ACLU.

"This decision removes a significant cloud of uncertainty and legal risk for researchers who perform online civil rights testing."

This decision removes a significant cloud of uncertainty and legal risk for researchers who perform online civil rights testing

At the same time, the ruling doesn't entirely clarify the CFAA. Kerr observes that in a footnote, the court appears to adopt an authentication test – whether a user's credentials remove a gate to access. Yet in a different footnote, he points out, the Court says it doesn't need to address whether permissible access depends only on code-based limitations or whether limitations spelled out in contracts or policies come into play.

To resolve the CFAA's ambiguity, the Congressional Research Service argued last September [PDF] that, "regardless of what the Court does in Van Buren," Congress should revise the law to make it clearer. The CRS report, as an example, points to Aaron’s Law, a bill introduced in honor of late internet activist Aaron Swartz, that proposed replacing the ill-defined CFAA "exceeds authorized access" language so criminal charges are only applicable when there's knowing circumvention of technological or physical access methods.

In a statement, US Senator Ron Wyden (D-OR), one of the authors of Aaron's Law, echoed that sentiment.

"The Supreme Court recognized today that the terribly written CFAA crossed the line by criminalizing everyday activities like using your work computer to read the news or send personal emails," he said.

"Today's ruling helps rectify the damage caused by that reactionary law. However, today's case highlights the pressing need for Congress to pass comprehensive privacy legislation and to protect users against corporate employees who abuse their access to databases of sensitive personal information." ®