On June 3, 2021, the U.S. Supreme Court released its opinion on the case Van Buren v. United States. The opinion provides clarification regarding how the Supreme Court interprets the 1986 Computer Fraud and Abuse Act, particularly the “exceeds authorized access” language in Section 1030(a)(2). Although the word “privacy” does not appear in the opinion, the holding may have important implications for individual privacy.
Section 1030(a)(2) includes two components: “exceeds authorized access” and “without authorization.” The court in Van Buren examined “exceeds authorized access.” The case LinkedIn v. HiQ, which is pending petition, could examine “without authorization,” bookending the analysis of Section 1030(a)(2) of the CFAA.
The court’s holding
Nathan Van Buren, a police officer, used his police credentials to look up the license plate of an individual for personal reasons on a database to which he had access. He was then charged with violating the CFAA for exceeding authorization under Section 1030(a)(2). The Supreme Court heard oral arguments for Van Buren in November 2020. The Supreme Court overturned the 11th Circuit, holding Van Buren did not violate the CFAA when he accessed the personal records of another using the police database to which he had access. Writing for the 6-3 majority, Justice Amy Coney Barrett’s opinion held the CFAA “does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”
As part of the holding, the Court interpreted the word “so” as used in a definition in the statute. Section 1030(a)(2) of the CFAA reads in relevant part: “[w]hoever…intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any department or agency of the United States; or information from any protected computer” has violated the CFAA. Section 1030(e)(6) defines “exceeds authorized access” as meaning “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
Van Buren argued that “so” “plainly refers to information one is not allowed to obtain by using a computer that he is authorized to access.” On the other hand, the government read “so” more broadly to “refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it.” The court agreed with Van Buren’s reading of the word, stating that “the phrase ‘is not entitled so to obtain’ is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.”
While the court does not address the privacy implications of a broad versus narrow interpretation of the CFAA, as raised by the amicus briefs and oral arguments, the court does point out that “commonplace computer activity” could violate the CFAA if the court adopted the government’s interpretation of the statute. In the opinion, the court cited concerns that adoption of the government’s interpretation could criminalize “every violation of a computer-use policy” causing “millions of otherwise law-abiding citizens” to become criminals and violators of the CFAA.
In rejecting the government’s position, the court considered the definitions of “damage” and “loss,” noting they refer to “technological harms” like computer data, program, or system information loss. The court notes these definitions are “ill fitted. . . to remediate’misuse’ of sensitive information that employees may permissibly access using their computers.”
Reactions to the ruling
Commentators were quick to respond to the ruling on both social media and in publications.
As some commentators pointed out, the inclusion of footnote eight means the court will probably need to take on the LinkedIn v. HiQ case. Even LinkedIn, in a supplement brief to the court, pointed out Van Buren’s holding does not resolve the host of issues stemming from statutory interpretation of provision 1030(a)(2) of the CFAA in the lower courts. Other commentators mentioned the case highlights the need for a federal privacy law.
The Electronic Frontier Foundation reacted to the ruling positively and stated it was pleased the Supreme Court chose to construe the CFAA narrowly. As stated in their amicus brief, the EFF worried if the court decided on a broader interpretation of the statute, the decision would risk “turning nearly any user of the Internet into a criminal based on arbitrary terms of service.”
The EFF applauded the court’s decision to preclude the use of “CFAA’s criminal provisions to enforce limitations on how or why you use their service.” The EFF favored the adoption of the court’s “‘gates-up-or-down’ approach: either you are entitled to access the information or you are not. This means that private parties’ terms of service limitations on how you can use information, or for what purposes you can access it, are not criminally enforced by the CFAA.” While the opinion did not narrow the CFAA “as much as EFF would have liked … it provided good language that should help protect researchers, investigative journalists, and others” who violated the terms of service.
The Electronic Privacy Information Center, which submitted an amicus brief in support of the government, reacted to the ruling by pointing out “the outcome of this case highlights the urgent need for comprehensive privacy legislation.” The court’s holding will not prevent a bad actor like Van Buren from accessing personal information if the bad actor has authorized access. According to EPIC, any future privacy legislation addressing the issues raised in the case must include “enforceable rules to prevent improper access to and misuse of personal information contained in both government and private databases.”
Orin Kerr, who submitted an amicus brief and was cited by the court’s majority opinion, tweeted that the government “now has a good argument for a new privacy law to cover rogue insiders who abuse sensitive [government] databases.” This type of statement squares with EPIC’s position that the opinion in Van Buren highlights the need for a federal privacy law. A federal privacy law could include a provision that would make conduct like Van Buren’s a violation of the law while narrowing the scope to avoid misapplication as described by the majority.
However, Kerr also pointed out several questions, such as: “how do you describe the databases that this [federal privacy] law covers? Who is regulated by the law? What’s the mens rea – knowledge/intent as to breaking the rules on use, or maybe that plus knowledge/intent as to the nature of the information obtained?”
Princeton University professor Jonathan Mayer shared his thoughts about the case as well. In his Twitter thread, he described how the court adopted the 4th Circuit’s approach to the scope of the CFAA, which means “liability depends on whether a person has [some] authorized access to information, or as the Court puts it, ‘a gates-up-or-down inquiry.’” One reason Mayer said this is important is because it will impact scraping. In his thread, he argued the holding in Van Buren means “scraping is not a crime. If you have some authorized access to data (e.g., it’s public or you have an account), you can scrape without fear of CFAA.” It is important to note the truth of this statement assumes the individual has authorized access in the first place. What qualifies as authorized access has not been finalized, per the LinkedIn v. HiQ discussion below.
Perhaps even more important than what the court held in Van Buren is what it declined to address. Anticipating this opinion, individuals working in the privacy and technology space hoped the holding of the case would shed light on the Supreme Court’s position on the concept of authorization. Instead, the Supreme Court cabined its discussion in Van Buren to the statutory definition of “exceeds authorization” and did not enter a discussion regarding “without authorization” because the court identified the discussion as “distinct.”
The Van Buren decision has implications on a future case currently pending petition in the court. The case, LinkedIn v. HiQ, comes out of the 9th Circuit. In the case, the issue to be determined is whether “informing someone via contract (or notice) that their conduct on [a website] isn’t welcome or permissible. . . constitute[s] conduct ‘without authorization.’” On June 14, 2021, the Supreme Court decided to remand the case back down to the 9th Circuit with instructions to reconsider in light of Van Buren. However, there is still a chance the case will end up back at the Supreme Court.
One aspect of the Van Buren holding that could be applicable to a future LinkedIn v. HiQ case is the majority held there is a “gates-up-or-down inquiry” involved in examining both what “exceeds authorization” and what is “without authorization.” However, the issue of what qualifies as a gate is still in dispute. The LinkedIn v. HiQ case, if heard by the court, would need to address what constitutes a gate to interpret the “without authorization” statutory language of the CFAA. If heard by the court, LinkedIn v. HiQ would examine whether scraping a public-facing website constitutes “without authorization” and whether LinkedIn’s actions discouraging the scraping can be considered “closing the gate.”
Privacy professionals are focused on both the Van Buren and LinkedIn v. HiQ cases because both examine the CFAA and its framework regarding authorization. As it stands now, the Van Buren decision leaves much to be determined. The IAPP will follow any developments and update you accordingly.
Photo by Claire Anderson on Unsplash
If you want to comment on this post, you need to login.