On April 20, the Supreme Court agreed to review the Eleventh Circuit’s decision in United States v. Van Buren,[1] which broadly interpreted the Computer Fraud and Abuse Act (CFAA), the main federal anti-hacking statute, as prohibiting otherwise authorized access of electronically stored information when that access occurred for an improper purpose or outside the scope of the authorization. The Supreme Court will resolve a circuit split over the meaning of criminal “unauthorized access.”
Circuits Split Over the CFAA’s Scope
Spurred by concern over hackers’ ability to access private and public computing systems, in 1984, Congress passed the CFAA to deter and criminalize what was then a “new dimension of criminal activity.”[2] Subsequently amended and codified at 18 U.S.C. § 1030, the CFAA provides that “[w]hoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information” from a “protected computer” is guilty of a federal crime.[3] Courts have interpreted a protected computer to mean “any computer with Internet access.”[4]
To date, seven circuit courts have weighed in on the scope of the CFAA. The First, Fifth, Seventh and Eleventh Circuits have broadly interpreted the statutory meaning of accessing information “in excess of authorization” and criminalized access to a computer (use that is otherwise authorized) when that occurred for an improper purpose. In contrast, the Second, Fourth and Ninth Circuits have narrowly interpreted the CFAA, holding that a defendant violates the statute only if she is prohibited from accessing the computer under all circumstances. This varied approach has created prosecutorial uncertainty, when the same conduct could lead to criminal prosecution in some jurisdictions but is entirely permissible under the circuit court decisions of other jurisdictions. The problem is compounded by the nature of the internet and cloud-based networks, where certain networks, applications, computer systems or data may reside across multiple jurisdictions.
Litigation Background
In the current case before the Supreme Court, Petitioner Van Buren was a small-town police sergeant in Georgia who came to know a man named Albo, who solicited prostitutes and on occasion reported the prostitutes to the police for theft. Fearing retaliation from the prostitutes, Albo sometimes asked the local police officers to search allegedly suspicious license plate numbers. In 2015, the Petitioner asked Albo for a loan, and unbeknownst to Petitioner, Albo recorded their conversations and shared them with other local authorities, who referred the matter to the FBI. The FBI created a sting operation in which Albo offered the sergeant money to search fictitious exotic dancers’ license plate numbers on the Georgia Crime Information Center (GCIC) database, which Petitioner was authorized to access for “law enforcement purposes.”
The government charged Petitioner in the Northern District of Georgia with felony computer fraud under the CFAA. After the government presented its case at trial, Petitioner moved for judgment of acquittal, arguing that the CFAA should be narrowly interpreted and he had not exceeded his authorization to access the GCIC database. The Northern District of Georgia denied Petitioner’s motion, and a jury convicted Petitioner of violating the CFAA. On appeal, the Eleventh Circuit affirmed the Petitioner’s conviction, noting it was enough under the CFAA that he had accessed the GCIC database for “inappropriate reasons.”
The case will be heard by the Supreme Court during the October 2020 term.
Implications of the Supreme Court’s Decision
As the main federal anti-hacking statute, the CFAA plays a critical role in punishing and deterring unauthorized access of information electronically stored on a computer and within computer networks. However, a broad interpretation of the statute could create criminal liability for what may be otherwise commonplace and generally harmless conduct that would not ordinarily be considered “hacking.” For example, virtually all employees are subject to restrictions and terms of use imposed by their employers when using employer computers, electronic devices and networks. These terms of use policies dictate what information an employee can access appropriately from the computers or network. Under First, Fifth, Seventh and Eleventh Circuit precedent, an employee who violates her employer’s terms of use by accessing a prohibited website (e.g., something as harmless as a social media site or third-party cloud-based private email account) arguably might be liable for unauthorized access because that access exceeds that which the employer has authorized. That conduct would not be criminal under the narrower approach taken by the Second, Fourth and Ninth Circuits. The Supreme Court will hopefully resolve the current uncertainty regarding the scope of criminal liability under the CFAA.
[1] 940 F.3d 1192 (11th Cir. 2019).
[2] H.R. Rep. No. 98-894, at 10 (1984).
[3] 18 U.S.C. § 1030(a)(2).
[4] See Petition for a Writ of Certiorari, Van Buren v. United States, No. 19-783, at 3 (Dec. 18, 2019) (quoting United States v. Nosal, 676 F.3d 854, 859 (9th Cir. 2012) (en banc)).