The Supreme Court Reins in the CFAA in Van Buren
A very important ruling.
The Supreme Court handed down its first big decision construing the Computer Fraud and Abuse Act last week, Van Buren v. United States. Van Buren is a major victory for those of us who favor a narrow reading of the CFAA. It doesn't answer everything. But it answers a lot. And it frames the debate over how the CFAA applies going forward on what I think is ultimately the right question.
First, some context. The CFAA criminalizes unauthorized access to a computer. For years, the big question raised by the CFAA is what counts as an unauthorized access. The statute speaks of two ways of violating the statute—"access without authorization" and "exceed[ing] authorized access"—but the cases had not drawn sharp distinctions between them and the government's briefs often had just spoken of 'unauthorized access' as an undifferentiated whole. And the basic concept of authorization was largely up for grabs. What makes an access unauthorized? Is that hacking in? Is that violating terms of service? Or just visiting a computer in circumstances the computer owner wouldn't like?
Before Van Buren, we really didn't know. The facts of Van Buren presented a perfect opportunity to shed light on that. Nathan Van Buren used a government database for personal reasons after being told he could only use it for work reasons. Was he engaging in authorized access (because he had access to the database), or was he engaging in unauthorized access (because he was violating the access policy)?
Van Buren goes a long way toward answering those questions. In the Court's view, the CFAA is all about gates. "Access without authorization" and "exceed[ing] authorized access" both call for the same basic test: A "gates-up-or-down inquiry." To violate the CFAA, a person needs to bypass a gate that is down that the person isn't supposed to bypass. As the court puts it, a person needs to enter "particular areas of the computer— such as files, folders, or databases—that are off limits to him."
Under this view, the two ways of violating the statute work together. The prohibition on "access without authorization" bans entering a computer one is not authorized to access, "targeting so-called outside hackers—those who access a computer without any permission at all." The prohibition on "exceed[ing] authorized access bans "entering a part of the system to which a computer user lacks access privileges." That language "target[s] so-called inside hackers—those who access a computer with permission, but then exceed the parameters of authorized access by entering an area of the computer to which that authorization does not extend."
As the Court puts it, "liability under both clauses stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system." Van Buren didn't violate the statute because he was provided access to the database; the workplace rule wasn't a closed gate. (Some of the quoted language above is from the Court's description of the petitioner Van Buren's interpretation of the CFAA, rather than the Court's explicit statement of its view, but the Court then says it is persuaded by Van Buren's interpretation and that it is the best reading of the statute. I think means we can treat the Court's description of Van Buren's interpretation as its own.)
The Court also suggests that the basic gates-up-or-down inquiry might rest on authentication, such as bypassing a password gate by giving the correct user credentials. Here's the language, in Footnote 9, which it presents in the course of explaining why the Court is persuaded by Van Buren's gates-up-or-down interpretation:
Van Buren's gates-up-or-down reading also aligns with the CFAA's prohibition on password trafficking. See Tr. of Oral Arg. 33. Enacted alongside the "exceeds authorized access" definition in 1986, the password-trafficking provision bars the sale of "any password or similar information through which a computer may be accessed without authorization." §1030(a)(6). The provision thus contemplates a "specific type of authorization—that is, authentication," which turns on whether a user's credentials allow him to proceed past a computer's access gate, rather than on other, scope-based restrictions. Bellia, A Code-Based Approach to Unauthorized Access Under the Computer Fraud and Abuse Act, 84 Geo. Wash. L. Rev. 1442, 1470 (2016); cf. A Dictionary of Computing, at 30 (defining "authorization" as a "process by which users, having completed an . . . authentication stage, gain or are denied access to particular resources based on their entitlement").
Let's pause and step back. What does it mean?
First and foremost, this is a major victory for those of us who favor a narrow reading of the CFAA. It settles that the CFAA is fundamentally a trespass statute. The basic wrong is bypassing a closed gate, going where you're not supposed to go. The CFAA does not make it a crime to break a promise online. It does not make it a crime to violate terms of service. The statute is all about gates: When a gate is closed to a user, the user can't wrongfully bypass the gate.
But wait, you're wondering: What counts as a "gate" that is "down"? When I first read Van Buren, I was a bit bummed that it didn't answer that as clearly as I hoped. On one hand, Footnote 9 seems to suggest that authentication might be key. But on the other hand, Footnote 8 seemed to leave open what might count as a closed gate. Here's Footnote 8:
For present purposes, we need not address whether this inquiry turns only on technological (or "code-based") limitations on access, or instead also looks to limits contained in contracts or policies. Cf. Brief for Orin Kerr as Amicus Curiae 7 (urging adoption of code-based approach).
My first reaction to this footnote was puzzlement. Isn't the basic issue in Van Buren whether a policy (here, not to use a work database for personal reasons) matters? How can the Court reject the government's view that the policy controls and yet also leave open whether liability looks to policies? How do you reconcile Footnote 8 with the rest of the opinion, especially Footnote 9?
There are a few ways of reconciling Footnote 8 with the rest of the opinion. My best sense at this point runs something like this: With Van Buren casting the CFAA a trespass statute that is all about gates, figuring out what counts as a closed gate on the Internet can be complicated. As I argued in my article Norms of Computer Trespass, once you see the CFAA as a trespass statute, "the challenge for courts is to distinguish provider-imposed restrictions and limits that are at most speed bumps (that cannot trigger trespass liability) from the real barriers to access (that can)." As Norms explains, the line between real barrier and mere speed bump can be subtle. It can rest on "shared views about what invades another's private space and what doesn't." It's not just about technology, but also on social understandings of technology.
One way to read Van Buren—not the only way, but the way that seems most plausible to me at this point—is that it does the major conceptual work of reining in the CFAA by casting it properly as a trespass statute. It now leaves to lower courts the largely interstitial work of figuring out the hard line-drawing of what exactly counts as enough of a closed gate to trigger liability. The authentication test suggested in Footnote 9 is one way to do it. And I personally tend to think it's the right way; for what it's worth, it's the test I argued for in Norms of Computer Trespass. But whatever the specific right answer is, the Court has now directed lower courts to the right question.
In the end, Van Buren doesn't answer everything. But it answers a lot. And I think it focuses the lower courts on the right set of questions going forward.
(Cross-posted at Lawfare)