The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

New Draft Article, "Focusing the CFAA in Van Buren"

Forthcoming in the Supreme Court Review.


I have posted a new draft article, "Focusing the CFAA in Van Buren," forthcoming in the Supreme Court Review. It's about the Supreme Court's recent decision in Van Buren v. United States.  The article is pretty short by law review standards, 29 pages, so it's not an endless read for those interested in the topic.

Here's the abstract:

Van Buren v. United States (2021) is the United States Supreme Court's first decision interpreting the federal computer crime law known as the Computer Fraud and Abuse Act (CFAA). This essay presents an overview of the decision and its significance for debates over the CFAA's meaning. It analogizes Van Buren to partially focusing a lens: The Court's opinion brings new ground into focus, letting us see a range of landmarks that were blurry before. But it leaves important details hazy, leaving their resolution to future cases that can bring the CFAA into sharper focus. It also argues that Van Buren's reasoning provides substantial support for an authentication-based understanding of CFAA liability.

This is a first draft, and comments are very much invited.  No need to offer corrections of typos and the like, as those will be fixed later, but substantive comments and critiques are very welcome.  Please send them on to orin [at] berkeley [dot] edu. Thanks!

NEXT: My New Article on "Rethinking the Supreme Court's Impact on Federalism and Centralization"

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. You deserve better blogmates, Prof. Kerr.

    1. Prof. Kerr:

      If you can read Prof. Blackman's Friday-published work concerning Justice Breyer and conclude that you wish to continue to have your name, reputation, scholarly work, and institution associated with the Volokh Conspiracy . . . what the hell happened to you?

  2. Very tangential, but there could be a whole different article on Federal sting operations involving the CFAA. Seriously…had that often happened before? Prior to van Buren was it something that federal agents actively sought to make happen to investigation targets? Or was this just a rare black swan event of some sort with the perfect suspect to do this too?

    1. It's certainly not unusual to bring in undercover agents/CIs in public corruption cases - this was primarily a wire fraud case at trial, but the 11th circuit threw out that conviction. I assume he would have been charged with that regardless even if he hadn't used the computer database.

      1. Of course. I’m just curious if and how often the feds deliberately set up a scenario specifically for a felony CFAA violation.

        I mean the $5000 thing really jumped out at me because it reminded me of undercover agents in drug cases creating drug deals/robberies in which the amount of drugs they told defendant was involved would be sure to land in the max for federal sentencing purposes. Here too they engineered it to secure the felony with a fake offer of the exact amount of cash needed. (Although I understand that the $5000 might not have been strictly necessary for this purpose).

  3. So in the intro where you indicate that only certain computers are covered gives the reader the impression (at least imo) that only a relatively narrow range of computers might be affected (eg maybe only ones that control particularly high value info or are booked into a government network). My understanding is that virtually a computers are covered so if you going to review the law maybe indicate that.

    1. Nevermind...I see you deal with this issue immediately afterwards.

    2. It was at the time the law was written.

  4. This sentence seems not to quite parse for me:. "Second, and equally importantly, Van Buren a single test governs the authorization question in the two prongs of CFAA liability."

    I think you dropped a word somewhere.

  5. Excellent article. Having read it however I'm left wondering about how the CFAA applies in the unfortunately all too common situation where the actual password/access practices within a company and the in theory rules regarding whose password it is differ.

    For instance, suppose in Van Buren's police department theoretically only a supervisor was supposed to be able to access that database and this limitation was enforced by a password barrier. However, since it was too time consuming to have a supervisor conduct each query it was common practice for supervisors to share their passwords with all officers and everyone regularly used supervisor passwords to query the database.

    In particular, I'm wondering if the CFAA could still "swallow the internet" as you nicely put it simply by companies creating access controls that they know are practically too annoying to access via the approved method while tacitly allowing widespread circumvention (eg password sharing).

    Similarly, can internet companies knowingly tolerate some really simple workaround (accessing some hidden url or adding something to the query string) and then turn around and have the ppl who do things they don't like (eg journalists who report on this) prosecuted?

  6. I remember a sign at the entrace to a privately owned nature preserve warning that violating the owner's rules constituted criminal trespassing. I hope that is not the law.

Please to post comments