The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

About The Volokh Conspiracy

Crime

Is the Supreme Court About to Take Its First Big CFAA Case?

Probably. And they certainly should.

|

The Supreme Court recently relisted a petition for certiorari in Van Buren v. United States, No. 18-12024, The petition asks the Justices to resolve the longstanding circuit split on the meaning of the Computer Fraud and Abuse Act, the federal unauthorized access statute. I think it's quite likely the Court will agree to hear the case,  And they certainly should: It's a perfect case to take, and the continuing uncertainty over the CFAA's meaning is pretty mind-boggling.  I thought I would blog about the case and why I think the Court probably will and certainly should take it.

Regular readers of the Volokh Conspiracy know that there is a longstanding circuit split on the fundamental question raised by the CFAA: Does access to a computer become unauthorized and therefore criminal when a person uses a computer in violation of a written restriction like a Term of Service of use policy?  Or is access unauthorized only when a person bypasses some sort of code-based restriction or authentication gate, such as by guessing another user's password or exploiting a security flaw?

I've been writing and blogging about this particular question for 17 years.  It was the subject of the Lori Drew case I blogged a lot about back in 2008 and 2009.  And we still don't have a settled answer.  Instead, we have a clear circuit split.  In 2011, the Eleventh Circuit said that violating the written restriction makes access unauthorized; you can read my post on that decision here.  Meanwhile, several circuits have rejected that view, among them the Second Circuit and the Ninth Circuit.

The split is clear and acknowledged, and it's crazy important.  The CFAA either makes most people or very few people criminals.  Indeed, I have testified under oath that I am a criminal in the Eleventh Circuit.  I violate Facebook's terms of service by giving a false location, which according to the DOJ and the Eleventh Circuit is a federal crime every time I visit Facebook. You probably ignore terms of service, too.  So the stakes are pretty high.  The stock line I have when I lecture about the CFAA is that no one can know what the statute means until the Supreme Court finally resolves the split.  And I've been offering that line for years, as the split has lingered without being resolved.

Why hasn't the split been resolved yet?  Mostly because the Supreme Court hasn't had an opportunity. In criminal cases, the government has stuck to its guns with its broad view of the CFAA.  But it has lost recent cases, and it has decided not to seek review.  When the government loses and doesn't ask for Supreme Court review, it means the Justices don't get a petition to resolve the split.  So the split lingers and gets deeper—and no one has any idea if we're all criminals or not—without the Justices having a chance to clear things up.

Enter the Van Buren case.  Van Buren was a police sergeant who ran a search through a police license plate database for a prohibited reason.  He was supposed to run searches only for official law enforcement reasons, but instead he ran a search for a cash payment from an individual working as part of a police sting.  Van Buren was charged with two offenses: Honest services fraud and violating the CFAA.  He was tried and convicted of both counts by a jury.

On appeal, the Eleventh Circuit overturned the honest services conviction but affirmed the CFAA conviction based the Eleventh Circuit's 2011 precedent.  Van Buren's counsel of record, Stanford Law's Jeffrey Fisher, filed a petition for certiorari seeking review of the CFAA conviction.  (Full disclosure: I have discussed the case with counsel for the petitioner.)

It seems to me that Van Buren is an ideal case for the Court to take.  The question couldn't be presented more cleanly. Van Buren was criminally charged under the CFAA, convicted by a jury, and had his conviction upheld for conduct that several circuits expressly say doesn't violate the CFAA at all.   And it's a clear split, on an issue with great public importance, that is perfectly presented by top-notch lawyers.

The government makes two arguments in its brief in opposition, but they didn't seem at all persuasive to me.

First, the government says the Court should wait and see what happens below with the honest services fraud charge that the government lost on in the Eleventh Circuit. Down the road, the government argues, it may turn out that the CFAA conviction isn't all that important in Van Buren's case.  The Court should wait and see, in other words, because the petition might go away on its own.  But given that the legal issue is so perfectly presented right now, and DOJ hasn't sought review of its circuit court losses on this question, I think the Court would want to take the opportunity right now to answer what the CFAA means.

Second, the government argues that the Court should deny certiorari because the circuit split isn't reflected in the jury instructions.  But I don't think that makes much sense. In general, the question of a statute's meaning can be challenged either through sufficiency challenges or through jury instructions.  But CFAA disputes are more readily brought through sufficiency challenges because trial judges have tended to use extraordinarily vague jury instructions on the meaning of unauthorized access.  Vague jury instructions mean that the jury doesn't see the legal question the appellate courts have to resolve.

The jury instruction in Van Buren was characteristically unilluminating. The access was unauthorized, the jury was told, if the defendant  was "not permitted" to do what he did.  That doesn't address the legal question, though, which is how do you determine what a person is permitted to do for purposes of the statute?  Does the employment policy set permission?  Or does having an account set permission?  That's a matter for a sufficiency challenge based on a legal interpretation of the statute, which is exactly what we have before the Court in Van Buren.

The Van Buren petition was originally scheduled for the Court's April 3rd conference.  It was then relisted for the Court's April 17th conference.  We can't be sure what that means, but often that's a sign that the Justices are very interested in a case and want to make sure everything is all set before they agree to grant it.  I hope that's the case here.