President Bill Clinton earned lasting notoriety for his explanation of why his statement denying a relationship with Monica Lewinsky was truthful (“it depends on what the meaning of the word ‘is’ is”). It is doubtful Justice Amy Coney Barrett’s majority opinion for the Supreme Court last week in Van Buren v. U.S. will earn as much ridicule from late-night comedians, despite putting so much questionable weight on a two-letter word (in this case, the word “so”). But the opinion does finally resolve an issue that has split lower courts and vexed employers, website operators, security researchers, and others for many years: whether the Computer Fraud and Abuse Act (CFAA) can be used to prosecute, or sue civilly, someone who accesses a computer with authorization, but uses that access for an improper purpose. The Court answered that question with a resounding, “No.” But the Court left unresolved a number of other questions, including what sorts of limits on access have to be transgressed in order to give rise to a CFAA violation.
The CFAA prohibits, among other things, intentionally accessing a computer “without authorization” or “exceed[ing] authorized access” and obtaining information. In Van Buren, a police officer had used his patrol car computer to access a law enforcement database to look up a license plate number in exchange for money from a private person who wanted information about a woman he had met at a strip club. The arrangement turned out to be an FBI sting, and after the officer used his valid credentials to look up the license plate number in the database, he was arrested and charged with violating the CFAA. The government alleged that the officer had exceeded his authorized access to the database by accessing it for an improper purpose—i.e., for personal use, in violation of police department policy. The officer was convicted and sentenced to 18 months in prison.
On appeal to the Eleventh Circuit, the officer argued that “exceeds authorized access” in the CFAA reaches only people who are authorized to access a computer, but then access information to which their authorized access does not extend. Several circuits have interpreted this clause in just this way. However, the Eleventh Circuit, like some others, adopted a broader view, holding that the clause also applies to someone who has authorization to access a computer but then uses that access for an inappropriate reason.
The Supreme Court cited such arguments as one reason the broad interpretation of “exceeds authorized access” is “implausib[le].” But the Court’s principal reason for adopting a narrow reading of the phrase turned on the word “so.” The CFAA defines “exceeds authorized access” as “access[ing] a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The Court devoted several pages of linguistic analysis to explaining why the word “so” must be read as restricting the entire definition to persons who are authorized to access a computer, but are not entitled to use that access to obtain or alter certain information, and why the clause cannot be read as applying to people who are authorized to obtain or alter that information but then do so for a prohibited purpose. One might charitably say that this is all a very lawyerly reading of the phrase (as was said about Mr. Clinton’s exegesis of the meaning of “is”). But whatever the case, it is now the law.
Fortunately, the Court ended its opinion with a clearer enunciation of its interpretation of “exceeds authorized access”: “In sum, an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” This makes clear that one cannot violate the CFAA—and therefore be subjected to criminal prosecution or a civil suit—merely by using his authorized access to obtain information for an improper purpose. This may make it more difficult for employers to use the CFAA to go after rogue employees who steal company information for a competing firm, or for website operators to sue competitors who abuse their authorized access to a site’s content by scraping it or otherwise mining it for commercial advantage.
Nevertheless, the Court’s opinion leaves some significant questions unresolved, and therefore still leaves room for effectively using the CFAA in such situations. Notably, the Court explicitly leaves open the question of how a computer owner may limit access to particular information in order to be able to sue for violations of those limits. Some will likely misread the opinion as requiring technological barriers to access. But it may be enough to impose carefully worded limits via contractual or policy terms, as long as they are focused on prohibiting access to the information, not on prohibiting certain uses. It may also be enough to impose limits on access by certain means, while allowing access by other means. Thus, for example, a competitor might have authorization to access a website’s content as a regular user, but if the website’s terms prohibit scraping the same content via automated bots, then such scraping may still give rise to a CFAA violation.
So—while Van Buren will be widely read as limiting the ability of computer owners to use the CFAA as a legal weapon, the reality—for now, at least—is that companies can still use that statute to protect their information, as long as they give careful thought to the ways they limit access to it.