The Computer Fraud and Abuse Act (CFAA), a controversial anti-hacking law that prohibits “exceeding authorized access” on a computer system, was narrowed by the Supreme Court on Thursday in a 6-3 ruling. The court said the law shouldn’t cover people who misuse systems they are allowed to access — and that claiming otherwise would criminalize a “breathtaking amount” of everyday computer use.
The case, Van Buren v. United States, concerns a former Georgia police officer named Nathan Van Buren. Van Buren accepted $5,000 in exchange for looking up a woman’s license plate in a police database. (The deal was actually an FBI operation, and the license plate was fictitious.) Because the exchange violated department rules, prosecutors said Van Buren “exceeded authorized access” to the system. Van Buren’s lawyers argued that whether or not he misused the database, he was authorized to access it — and therefore had not violated anti-hacking laws.
The Supreme Court’s majority opinion, delivered by Justice Amy Coney Barrett, agreed. It supported a “gates-up-or-down” approach to authorization: accessing parts of a system that are specifically off-limits violates the CFAA, but simply accessing authorized areas in an unapproved manner does not.
Barrett’s opinion noted that people routinely bend or break the rules of computers and web services. “The government’s interpretation of the ‘exceeds permitted access’ clause would impose criminal penalties on a breathtaking amount of everyday computer activity,” she wrote. “If the ‘exceed authorized access’ clause criminalizes any violation of a computer usage policy, then millions of otherwise law-abiding citizens are criminals.” For example, the law could cover an employee sending a personal email on a work computer, or “criminalize everything from embellishing an online dating profile to using a pseudonym on Facebook.”
Legal experts and civil liberties advocates broadly praised the ruling. “This is a major victory for civil liberties and civil rights enforcement in the digital age,” said Esha Bhandari, deputy director of the Speech, Privacy, and Technology Project at the American Civil Liberties Union. Electronic Frontier Foundation contributors Aaron Mackey and Kurt Opsahl also called the decision a win, saying the court “provided good language that should protect investigators, investigative journalists and others.” (Both organizations have previously submitted a letter in support of Van Buren.)
The CFAA can be used to prosecute genuinely malicious hacking, but it’s also notoriously vague, and various charges can carry sentences of up to 5, 10, or 20 years in prison. Critics argue that this combination poses a threat to researchers and other people who use freely accessible information in unapproved ways. Federal prosecutors can stack intimidating charges against targets, as was the case with activist Aaron Swartz, who died by suicide in 2013 while being prosecuted. Companies can also use it to harass journalists or employees who leak documents.
In theory, prosecutors must now establish that users actually accessed parts of a system they were not allowed to access. “I think it’s a really substantial deal,” James Grimmelmann, a professor at Cornell University Law School, told The Verge. “It really makes it clear that disloyal employees using computers is not a CFAA issue, and that blows a huge chunk of criminal and civilian use out of the CFAA.” The ruling could also affect cases related to the scraping or mass collection of publicly available data from websites.
Employees can still commit other offenses, such as stealing trade secrets, Grimmelmann says, and data scrapers can be sued under the CFAA if their activities cause a site to become inaccessible. But Van Buren raises the bar for what is considered criminal hacking. “You get rid of a huge amount of stuff that isn’t exactly high-tech, dangerous hacker crime,” he says.
However, the ruling also leaves crucial questions unanswered. Ultimately, the court’s decision was not based on the general impact or validity of the law. It focused on the dictionary definition of a single word (“so”) to decide whether “exceeding authorized access” should be read the same way as the similar ban on accessing a computer “without authorization” — which uses the gate metaphor. And while it says violators must have bypassed a metaphorical “gate”, it doesn’t clearly define these gates. On Twitter, Berkeley Law professor and CFAA expert Orin Kerr pointed to a footnote suggesting that gates can be technical barriers or rules in a contract – in the words of Kerr, something as potentially broad as “don’t access this computer for a bad purpose.”
“It’s still an open question whether the restriction on access should be technological or contractual,” said former EFF employee and computer crime attorney Hanni Fakhoury. As Fakhoury points out, the ruling says it’s not necessarily “plausible” for the CFAA to depend on fine semantic differences in private contracts. “It certainly seems to me that they are not comfortable with the idea that the CFAA would somehow become a tool to criminalize contractual obligations,” he concludes. But it leaves this big question to lower courts to debate — at least until another case reaches the Supreme Court.