New Draft Article, "Focusing the CFAA in Van Buren"

The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

I have posted a new draft article, "Focusing the CFAA in Van Buren," forthcoming in the Supreme Court Review. It's about the Supreme Court's recent decision in Van Buren v. United States. The article is pretty short by law review standards, 29 pages, so it's not an endless read for those interested in the topic.

Here's the abstract:

Van Buren v. United States (2021) is the United States Supreme Court's first decision interpreting the federal computer crime law known as the Computer Fraud and Abuse Act (CFAA). This essay presents an overview of the decision and its significance for debates over the CFAA's meaning. It analogizes Van Buren to partially focusing a lens: The Court's opinion brings new ground into focus, letting us see a range of landmarks that were blurry before. But it leaves important details hazy, leaving their resolution to future cases that can bring the CFAA into sharper focus. It also argues that Van Buren's reasoning provides substantial support for an authentication-based understanding of CFAA liability.

This is a first draft, and comments are very much invited. No need to offer corrections of typos and the like, as those will be fixed later, but substantive comments and critiques are very welcome. Please send them on to orin [at] berkeley [dot] edu. Thanks!

To get the Volokh Conspiracy Daily e-mail, please sign up here.

NEXT: My New Article on "Rethinking the Supreme Court's Impact on Federalism and Centralization"

Hide Comments (11)

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Comments may only be edited within 5 minutes of posting. Report abuses.

Rev. Arthur L. Kirkland 2 years ago

You deserve better blogmates, Prof. Kerr.

Log in to Reply
1. Rev. Arthur L. Kirkland 2 years ago
  
  Prof. Kerr:
  If you can read Prof. Blackman’s Friday-published work concerning Justice Breyer and conclude that you wish to continue to have your name, reputation, scholarly work, and institution associated with the Volokh Conspiracy . . . what the hell happened to you?
  
  Log in to Reply
LawTalkingGuy 2 years ago

Very tangential, but there could be a whole different article on Federal sting operations involving the CFAA. Seriously…had that often happened before? Prior to van Buren was it something that federal agents actively sought to make happen to investigation targets? Or was this just a rare black swan event of some sort with the perfect suspect to do this too?

Log in to Reply
1. Noscitur a sociis 2 years ago
  
  It’s certainly not unusual to bring in undercover agents/CIs in public corruption cases – this was primarily a wire fraud case at trial, but the 11th circuit threw out that conviction. I assume he would have been charged with that regardless even if he hadn’t used the computer database.
  
  Log in to Reply
  1. LawTalkingGuy 2 years ago
    
    Of course. I’m just curious if and how often the feds deliberately set up a scenario specifically for a felony CFAA violation.
    I mean the $5000 thing really jumped out at me because it reminded me of undercover agents in drug cases creating drug deals/robberies in which the amount of drugs they told defendant was involved would be sure to land in the max for federal sentencing purposes. Here too they engineered it to secure the felony with a fake offer of the exact amount of cash needed. (Although I understand that the $5000 might not have been strictly necessary for this purpose).
    
    Log in to Reply
Peter Gerdes 2 years ago

So in the intro where you indicate that only certain computers are covered gives the reader the impression (at least imo) that only a relatively narrow range of computers might be affected (eg maybe only ones that control particularly high value info or are booked into a government network). My understanding is that virtually a computers are covered so if you going to review the law maybe indicate that.

Log in to Reply
1. Peter Gerdes 2 years ago
  
  Nevermind…I see you deal with this issue immediately afterwards.
  
  Log in to Reply
2. LawTalkingGuy 2 years ago
  
  It was at the time the law was written.
  
  Log in to Reply
Peter Gerdes 2 years ago

This sentence seems not to quite parse for me:. “Second, and equally importantly, Van Buren a single test governs the authorization question in the two prongs of CFAA liability.”
I think you dropped a word somewhere.

Log in to Reply
Peter Gerdes 2 years ago

Excellent article. Having read it however I’m left wondering about how the CFAA applies in the unfortunately all too common situation where the actual password/access practices within a company and the in theory rules regarding whose password it is differ.
For instance, suppose in Van Buren’s police department theoretically only a supervisor was supposed to be able to access that database and this limitation was enforced by a password barrier. However, since it was too time consuming to have a supervisor conduct each query it was common practice for supervisors to share their passwords with all officers and everyone regularly used supervisor passwords to query the database.
In particular, I’m wondering if the CFAA could still “swallow the internet” as you nicely put it simply by companies creating access controls that they know are practically too annoying to access via the approved method while tacitly allowing widespread circumvention (eg password sharing).
Similarly, can internet companies knowingly tolerate some really simple workaround (accessing some hidden url or adding something to the query string) and then turn around and have the ppl who do things they don’t like (eg journalists who report on this) prosecuted?

Log in to Reply
John F. Carr 2 years ago

I remember a sign at the entrace to a privately owned nature preserve warning that violating the owner’s rules constituted criminal trespassing. I hope that is not the law.

Log in to Reply

Please log in to post comments

The Volokh Conspiracy

New Draft Article, "Focusing the CFAA in Van Buren"

Forthcoming in the Supreme Court Review.

Latest

Brickbat: Stop the Music

Congress Yet Again Abuses 'Emergency Spending' for Non-Emergency Purposes

Colorado Bans HOAs From Banning Home Businesses

FCC Set To Reinstate Net Neutrality Rules That Seem More Unnecessary Than Ever

She Only Served 10 Months Behind Bars. Florida Still Slapped Her With A $127,000 Bill.

Recommended

Login Form

The Volokh Conspiracy

Latest

Brickbat: Stop the Music

Congress Yet Again Abuses 'Emergency Spending' for Non-Emergency Purposes

Colorado Bans HOAs From Banning Home Businesses

FCC Set To Reinstate Net Neutrality Rules That Seem More Unnecessary Than Ever

She Only Served 10 Months Behind Bars. Florida Still Slapped Her With A $127,000 Bill.

Recommended