Is the Supreme Court About to Take Its First Big CFAA Case?

Probably. And they certainly should.

|The Volokh Conspiracy |

The Supreme Court recently relisted a petition for certiorari in Van Buren v. United States, No. 18-12024, The petition asks the Justices to resolve the longstanding circuit split on the meaning of the Computer Fraud and Abuse Act, the federal unauthorized access statute. I think it's quite likely the Court will agree to hear the case,  And they certainly should: It's a perfect case to take, and the continuing uncertainty over the CFAA's meaning is pretty mind-boggling.  I thought I would blog about the case and why I think the Court probably will and certainly should take it.

Regular readers of the Volokh Conspiracy know that there is a longstanding circuit split on the fundamental question raised by the CFAA: Does access to a computer become unauthorized and therefore criminal when a person uses a computer in violation of a written restriction like a Term of Service of use policy?  Or is access unauthorized only when a person bypasses some sort of code-based restriction or authentication gate, such as by guessing another user's password or exploiting a security flaw?

I've been writing and blogging about this particular question for 17 years.  It was the subject of the Lori Drew case I blogged a lot about back in 2008 and 2009.  And we still don't have a settled answer.  Instead, we have a clear circuit split.  In 2011, the Eleventh Circuit said that violating the written restriction makes access unauthorized; you can read my post on that decision here.  Meanwhile, several circuits have rejected that view, among them the Second Circuit and the Ninth Circuit.

The split is clear and acknowledged, and it's crazy important.  The CFAA either makes most people or very few people criminals.  Indeed, I have testified under oath that I am a criminal in the Eleventh Circuit.  I violate Facebook's terms of service by giving a false location, which according to the DOJ and the Eleventh Circuit is a federal crime every time I visit Facebook. You probably ignore terms of service, too.  So the stakes are pretty high.  The stock line I have when I lecture about the CFAA is that no one can know what the statute means until the Supreme Court finally resolves the split.  And I've been offering that line for years, as the split has lingered without being resolved.

Why hasn't the split been resolved yet?  Mostly because the Supreme Court hasn't had an opportunity. In criminal cases, the government has stuck to its guns with its broad view of the CFAA.  But it has lost recent cases, and it has decided not to seek review.  When the government loses and doesn't ask for Supreme Court review, it means the Justices don't get a petition to resolve the split.  So the split lingers and gets deeper—and no one has any idea if we're all criminals or not—without the Justices having a chance to clear things up.

Enter the Van Buren case.  Van Buren was a police sergeant who ran a search through a police license plate database for a prohibited reason.  He was supposed to run searches only for official law enforcement reasons, but instead he ran a search for a cash payment from an individual working as part of a police sting.  Van Buren was charged with two offenses: Honest services fraud and violating the CFAA.  He was tried and convicted of both counts by a jury.

On appeal, the Eleventh Circuit overturned the honest services conviction but affirmed the CFAA conviction based the Eleventh Circuit's 2011 precedent.  Van Buren's counsel of record, Stanford Law's Jeffrey Fisher, filed a petition for certiorari seeking review of the CFAA conviction.  (Full disclosure: I have discussed the case with counsel for the petitioner.)

It seems to me that Van Buren is an ideal case for the Court to take.  The question couldn't be presented more cleanly. Van Buren was criminally charged under the CFAA, convicted by a jury, and had his conviction upheld for conduct that several circuits expressly say doesn't violate the CFAA at all.   And it's a clear split, on an issue with great public importance, that is perfectly presented by top-notch lawyers.

The government makes two arguments in its brief in opposition, but they didn't seem at all persuasive to me.

First, the government says the Court should wait and see what happens below with the honest services fraud charge that the government lost on in the Eleventh Circuit. Down the road, the government argues, it may turn out that the CFAA conviction isn't all that important in Van Buren's case.  The Court should wait and see, in other words, because the petition might go away on its own.  But given that the legal issue is so perfectly presented right now, and DOJ hasn't sought review of its circuit court losses on this question, I think the Court would want to take the opportunity right now to answer what the CFAA means.

Second, the government argues that the Court should deny certiorari because the circuit split isn't reflected in the jury instructions.  But I don't think that makes much sense. In general, the question of a statute's meaning can be challenged either through sufficiency challenges or through jury instructions.  But CFAA disputes are more readily brought through sufficiency challenges because trial judges have tended to use extraordinarily vague jury instructions on the meaning of unauthorized access.  Vague jury instructions mean that the jury doesn't see the legal question the appellate courts have to resolve.

The jury instruction in Van Buren was characteristically unilluminating. The access was unauthorized, the jury was told, if the defendant  was "not permitted" to do what he did.  That doesn't address the legal question, though, which is how do you determine what a person is permitted to do for purposes of the statute?  Does the employment policy set permission?  Or does having an account set permission?  That's a matter for a sufficiency challenge based on a legal interpretation of the statute, which is exactly what we have before the Court in Van Buren.

The Van Buren petition was originally scheduled for the Court's April 3rd conference.  It was then relisted for the Court's April 17th conference.  We can't be sure what that means, but often that's a sign that the Justices are very interested in a case and want to make sure everything is all set before they agree to grant it.  I hope that's the case here.

 

NEXT: Don’t Follow China’s Example on COVID-19

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. ‘Mind-blogging’ is a nice coinage, but perhaps not intended?

    1. Perhaps “blog-boggling” would be more accurate.

    2. Fixed — thanks!

  2. That doesn’t address the legal question, though, which is how do you determine what a person is permitted to do for purposes of the statute?

    I look at a very big difference between a sworn police officer abusing his office and you lying to Farcebook. (I think every loyal American has a *duty* to lie to Farcebook….)

    This case scares me because I could see SCOTUS upholding the EUA and that would be truly scary. Conversely, you don’t want police releasing what essentially is classified information, no more than you want Edward Snowdon doing it. SCOTUS isn’t going to license that, so what recourse does it have but to uphold the 11th Circuit position?

    It’s said that bad cases make bad law — and this will be very bad law — Farcebook is bad enough as it is now.

    1. They will get plenty of briefing telling them exactly how broad the government’s construction is

    2. The problem is that the statute doesn’t let you draw that distinction. The same rule applies to all computers of any kind. So either you have to cover TOS, or else you need a new court-made jurisprudence in which the federal courts identify which written restrictions are binding and which are not, based on principles not yet known.

  3. “The access was unauthorized, the jury was told, if the defendant was “not permitted” to do what he did.”

    That’s like saying that, if you’re in the grocery story, change your mind about buying an item, and leave it on the shelf in the wrong aisle, you’re now trespassing in the store. They might both be wrongs, but they’re not the SAME wrong.

    1. EXACTLY, although trespassing is a bad analogy because (with certain exceptions) any property owner has the right to trespass anyone whom he damn well pleases.

      Hence, I suggest, would be stealing the item — although the way a lot of EUAs are written, it seems like they’d compare it to murdering the storekeeper and burning down the store.

      End user agreements need to be addressed through consumer protection legislation if they are held to be criminally (as opposed to civilly) enforceable.

  4. What a shame we can’t name the case Aaron Swartz v United States.

    1. I realize that some people link Swartz and the CFAA, but the dispute over the meaning of the CFAA long predated Swartz’s case and wasn’t actually raised in Swartz’s case.

  5. Just wondering; as a matter of contract law, will both parties be equally bound by what is decided? If the cop goes down, is Facebook suddenly liable for all the TOS violations it commits?

    1. Good point — and as this is criminal law, it means each and every Farcebook employee involved…

      I keep thinking that the cop was charged with the wrong crime.

      1. If you are actually a doctor (which could include a medical degree, a doctorate in law, a Ph.D…or even an honorary degree), I wonder what value you see in renaming to “Farcebook.” You are not the first to do this. You are not the one millionth person to do this. But it strikes me as a very odd type of idiocy to make a conscious decision to put in terms like Rethuglican, DemocRat, KKKlinton, etc etc. Sure, if one is a 3rd grader, then I encourage such wordplay…it will develop that child’s ability to play with, and use, the English language, which will come in handy in her or his adult life.

        But when adults do it, in any context where it’s conceivable that a goal is to persuade, then it is so counter-productive that it makes me question the intelligence (or, at least, the judgment) of the person doing it. I mean, does any person say, “I was anti-choice for women. But your post talked about Rethuglican politicians, and that was uber-clever…totally changed my mind about women’s reproductive rights, and now I support abortion rights.”???

        Maybe my problem is that I hang around with really bright conservative and liberal friends, and they all respond with contempt and pity when seeing such dopey terms. Is it more successful with less educated, or less sophisticated, or less intelligence audiences? (My guess is that it’s not successful with any persuadable audience, but perhaps I’m wrong about this.)

        In other words, Ed; I think you’re better than this. Even if you don’t think so about yourself.

  6. The CFAA criminalizes both unauthorized access, and access exceeding authorization. Van Buren is accused of violating the second prong since he was authorized to use the license plate database for law enforcement purposes but allegedly used it for a private purpose. The Court could resolve only the narrow question of whether violating these kinds of “purpose of use” conditions constitutes exceeding authorization for CFAA purposes, and avoid addressing other terms of use violations. The lying-to-Facebook scenario for example doesn’t involve a purpose of use restriction, it is closer to gaining access by misrepresentation.

    1. They are charging him with the wrong crime — instead he should be charged with violating the Driver’s Privacy Protection Act of 1994, Title 18 USC, Chapter 123.

      https://www.law.cornell.edu/uscode/text/18/2721

      It was passed after Rebecca Schaeffer was murdered by a fan and an abortion doctor was harassed by prolife activists — both using formerly public M/V information to locate them. It ought to apply here.

      And I can’t help but wonder if the Feds are attempting a version of “sue & settle” — knowing that SCOTUS can’t say that what he did was right and hence has to rule it wasn’t.

      1. Now the law does only have a fine which appears to apply to the state and not the state’s actor — but I can’t imagine that California didn’t turn around and write a state law that applies here.

        https://www.law.cornell.edu/uscode/text/18/2723

    2. I disagree. The two prongs mean the same thing and hinge on the same thing, and efforts to distinguish between them border on the metaphysical. Take a website TOS. Do you say that everyone is authorized to visit the website but then can’t “use” it for an unlawful purpose based on the TOS? Or do you say that no one can visit the website at all unless they comply with the TOS? What is the distinction between visiting, using, and accessing?

      1. No, let’s not distinguish those at all. I’ll rephrase: he was authorized to access the license plate database for law enforcement purposes but allegedly accessed it for a private purpose.
        Either way it seems to me the Court may choose to address only the effect of a purpose-of-access restriction, since that is the question before it, and leave Facebook fibbing in limbo.

  7. CFFA is a mess and so are the court decisions interpreting it, but is seems to me that a police officer violating department or state rules which should be a criminal act under state law, is far different from a violation of TOS by a private individual.

    It’s also unclear from the document I’ve reviewed what the purpose of the “unauthorized access” was.

    1. I’ve looked up the underlying facts.

      It seems van Buren needed money he was trying to get money from a guy who was well known to the local police. Van Buren approached the guy about a “loan”. The guy said wanted to find out if a girl he met at a strip club was an undercover cop and paid van Buren to run a tag, however the guy had already been in contact with the FBI and the whole thing was a “sting”. The tag number was fake.

      Why this wasn’t a straight up bribery case seems odd to me.

      1. The cop was also *stupid* — at least in Massachusetts (and I presume all other states) the plates that undercover cops use are “not on file” — they’re not in the computer, for this very reason. HOWEVER, if you run them, the notices that and tells on you.

        A not-so-bright former Mass State Trooper found that out the hard way when she ran her trooper ex-boyfriend through the computer.

  8. “there is a longstanding circuit split on the fundamental question”

    I should say so, if there’s a van Buren involved! This sounds like it’s been in the courts longer than that Indian case.

  9. Taking an interlocutory petition (pending retrial on the vacated conviction) that overlays the painfully convoluted jurisprudence of Honest Services with CFAA to the degree that it barely avoids Blockberger (presumably CFAA’s omission of fraud as an element?) would be like an exchange student reading Finnegan’s Wake to work on his phonics. Only looked at it for 5 minutes, but this might be the worst vehicle since the ’61 Corvair.

    Mr. D.

    1. Turtle, thanks for commenting. Can you say what is “interlocutory” about the CFAA case, though? The jury convicted, and the defendant appealed. True, the government messed up a second charge, which isn’t raised in the petition and wouldn’t be implicated in a CFAA case before SCOTUS. But why should the government’s mistake on an unrelated count be to its benefit here? As for the CFAA issue “barely avoiding Blockberger,” I’m confused. What is even related about the two counts? The CFAA is a computer trespass charge, that Van Buren broke into the database by accessing it without authorization. The honest services charge that wouldn’t be raised in the case doesn’t have anything to do with that, at least as far as I can tell. What’s the connection?

      1. Thanks for the reply — for the interlocutory arguments, see the U.S. brief in opposition at 8 es (“The interlocutory posture of the case of itself alone furnishes sufficient ground for the denial of the petition.”) Aside from the arguments from custom and mechanics, note that the retrial is specifically testing the petitioner’s relationship with the computer system, as the circuit reversed saying that the question was whether the decision to blow the cover of the undercover was an administrative determination. If it was, the access might not be malum in se — like someone who has the keys to a room using it for an improper purpose. If not, the access is would be even more illicit. (Essentially shifting between unauthorized access and access in excess.) That’s precisely the record to be developed in June, plague permitting.

        As for the overlay of the offenses: Honest Services centers on the inchoate scheme or artifice to defraud of of honest services. The scheme and, in a real sense, the artifice, was checking the computer to see if the undercover’s license plate was there. Absent the intent to illicitly access the system for private financial gain (CFAA felony elements), there’s no scheme or artifice. It’s against the law in both cases because the deft acted for gain without authority. Now my five-minute skim of the bio and subsequent skim of the circuit holding hasn’t given me a firm enough footing to actually work through whether the elements of the two offenses are translations of each other, but my point is the broader one, that the identity of the actus reus and the legal calls surrounding it for the two offenses can’t help but to blend Honest Services thinking with CFAA thinking, and Scotus still gets a collective nervous twitch at the names of Skilling & McDonnell, and McNally.

        Surely there’s a way to test “TOS v. hack” without conflating it with a heretofore unrelated area of law. Not legal advice. Cheers.

        Mr. D.

        1. Thanks for the reply.

          The first problem with your argument, I think, is that the two counts are really unrelated. As I understand it, honest services fraud is about cheating your employer of the time you should have spent working for them. In contrast, the CFAA count is about breaking into a computer that wasn’t operated by your employer, and what it means to break in to that computer. I suppose they’re related in that they are involving acts that occurred on the same day, but the elements are different, the victims are different, the harm is different, the act is different, and the nature of the offense is different Given that the defendant was tried and convicted by a jury of violating the CFAA, I don’t get why you need “factual development” of a different crime not related to the CFAA count to be able to assess the CFAA issue.

          Second, in the cases implicating this interpretive question, the government *always* charges the CFAA with a different crime. That’s mostly because it’s not really the CFAA that is the problem; they always throw in the CFAA with fraud or something else that gets to the underlying harm. Under your theory, I’m not sure you could ever get Supreme Court review of the CFAA because there would always be another count at issue.

          1. Aha. No, playing Pong on the employer’s time wouldn’t be theft of honest services. If I remember White Collar right, in Skilling, the Court limited it to bribery and kickbacks. (See: https://crsreports.congress.gov/product/pdf/R/R45479 ) The theory here is that verifying the undercover was a discretionary function of the policeman, and that they took 6K, ran the plates in the computer, and passed on the data. The Honest Services wrong was in accessing and transmitting the data in exchange for the bribe. (See 11th Circuit slip at 20)

            You might be right about the second bit, especially as you’re the leading expert. But if that’s true, and in practice its never freestanding, shouldn’t the law be like using a firearm in a felony rather than a freestanding crime? That would at least set a lower bound. Here, though, it’s not like hacking into the casino’s security system to get into the vault, it’s like being charged with hacking into the casino’s system and violating the gaming laws by improperly giving people the password. The thing being tried is almost identical.

            Thanks for the discussion — allowed me to switch out of dissertation mode for a bit. Cheers.

            Mr. D.

  10. There’s something attractive about heading down to Georgia, Alabama or Florida and living a life of crime. (It certainly made our sex better.) Unfortunately if the Court agrees with the other circuits those days will be over.

  11. “Does access to a computer become unauthorized and therefore criminal when a person uses a computer in violation of a written restriction like a Term of Service of use policy?”

    It better not mean that.

    I despise EULAs. They are often far too vague and allow publishers to change the terms at any time without your consent. If you refuse to accept the changes, you’ve just lost access to everything you paid for prior. The issue hardly receives coverage because EULAs are most brazenly abused in games and other consumer software where the abuses are not earth shattering issues. Nobody is going to organize a class action suit over losing content in a video game. I feel it is very warped that a company can decide how you use their product that you legally paid for and strip you of possession if you don’t do as they command, and more generally the principle of avoiding genuine conflicts between the consumer and producer by hiding behind a EULA.

    1. “Nobody is going to organize a class action suit over losing content in a video game.” This will come as a big surprise to the many people who have organized class-action suits over losing access to content in videogames. Granted, the ones who phrased their cause of action using 1A terminology shouldn’t have filed their suits, but claiming they don’t exist is a bit of handwaving. Your complaint is not really about EULA, but rather, with contracts of adhesion. The thing is that copyright does give the owner some absolute legal power to exclude. which means you take the license on the owner’s terms or you do without access.

  12. Everybody seems to agree that this portion of CFAA is a mess. It needs to be ripped up, and replaced with a law with a target.

    Could SCOTUS striked down the entire CFAA as vague?

  13. Hmm. Idaho passed computer crime law around the same time that I think is arguably broader without the same confusing language:
    (1) Any person who knowingly accesses, attempts to access or uses, or attempts to use any computer, computer system, computer network, or any part thereof for the purpose of: devising or executing any scheme or artifice to defraud; obtaining money, property, or services by means of false or fraudulent pretenses, representations, or promises; or committing theft; commits computer crime.
    (2) Any person who knowingly and without authorization alters, damages, or destroys any computer, computer system, or computer network described in section 18-2201, Idaho Code, or any computer software, program, documentation, or data contained in such computer, computer system, or computer network commits computer crime.
    (3) Any person who knowingly and without authorization uses, accesses, or attempts to access any computer, computer system, or computer network described in section 18-2201, Idaho Code, or any computer software, program, documentation or data contained in such computer, computer system, or computer network, commits computer crime.

    I’m pretty sure Orin would be accessing facebook with the intent to defraud, right?

    1. Never mind, I forgot the definition of defraud. I suppose the issue would come up under subsection 2 and what it means to “alter” without authorization the various computer related things listed. And subsection 3 and accessing those things without authorization. Right? So same issue- what sets the limits of authorization.

  14. I commend you for your perseverance, Prof. Kerr. You are doing yeoman’s service to the bench and bar, and to the public at large, on this little-known but very important issue.

    Carry on, sir, and please continue keeping us informed.

  15. Assuming the Court grants cert, is the primary argument going to be that the Congressional purpose compels a narrow scope or that any other reading renders it unconstitutionally vague?

  16. I can confirm: the 11th Circuit is a genuine shitshow.

    If you need a further example, see what a panel did yesterday to the Crime Victims’ Rights Act in a mandamus petition from one of Jeffrey Epstein’s victims.

    Personally, I blame Florida for everything.

    Also, Roll Tide!

    1. Is “Roll Tide” shorthand for ‘first in football, last in education . . . and that’s the way we like it?’

      1. You watch your filthy mouth. That’s my nourishing mother.

        1. Was she good at football?

  17. “…no one can know what the statute means until the Supreme Court finally resolves the split…”

    Well, there is this other branch called “Congress”, which can replace the law with a clearer law. But since there’s no way to make partisan hay out of CFAA I doubt Congress will be interested.

    1. Before Congress can pass a better law, somebody has to figure out how to write it better.
      And our current Congress can’t pass anything unless the D’s in the House see it as clearly advantageous to D’s going forward, and the R’s in the Senate see it as clearly advantageous to R’s going forward. Since at least one of these groups does not see whatever is good for the country as good for their party, I wouldn’t expect anything useful from Congress until at least one more election cycle.

  18. I haven’t reached strong conclusions about any of this, but I am glad Prof. Kerr is thinking about it. Any time a conservative is contributing productively to public debate is welcome.

  19. Defining “unauthorized” shouldn’t be difficult. Use of the computer system either is authorized or it isn’t. To resolve the question, the court should look to authorization procedures. For a database access, there would be expected to be computer-enforced limitations put in place, but there should be a mechanism whereby some person actually signs off on access. Consider a computerized facilities-access system. A new employee gets hired, and their manager turns in a form requesting that the new hire be issued a security badge that opens the front door and whatever other doors inside the building that the new hire needs to be able to open to do their work. Now, how can that system be subverted. You could get violations because the person with the badge actually opening doors isn’t the person the badge was issued to, or somebody could have used their otherwise-authorized access to the system to allow that badge to open doors the employee doesn’t actually need to have access to. You could also make a false badge

    1. This isn’t a novel concept. Ownership of property generally allows the owner to decide how it is used and when someone else interferes with the owner’s decision and/or power to decide it’s a trespass. CFAA is an attempt to criminalize what would otherwise just be a tort of trespass to chattel. to sort out what “unauthorized” means they should look to tort law of trespass as a source. “Unauthorized use of a vehicle” is criminalized trespass to chattel that similarly requires a definition of “unauthorized” and contains the same bifurcation as does CFAA… you can be “unauthorized” by way of never having had any authorization, or by exceeding the authorization you actually did have.

Please to post comments

Comments are closed.