Court Adopts Narrow Interpretation of Computer Hacking Statute Frequently Asserted Against Web Scrapers

On June 3, 2021, the U.S. Supreme Court issued its decision in Van Buren v. United States,¹ resolving a decades-old circuit split on the proper interpretation of the Computer Fraud and Abuse Act (CFAA),² a federal anti-hacking law passed by Congress in 1986. The Court held that an individual "exceeds authorized access" to a computer when they access a computer with authorization but then obtain information located in areas of the computer, such as files, folders, or databases, to which their authorized access does not extend. Individuals do not exceed authorized access when they have improper motives for obtaining information to which they otherwise have authorized access.

The CFAA and a Split over "Exceeds Authorized Access"

The CFAA is a criminal law with a private civil remedy. It was enacted in 1986 to address growing concerns about computer hacking with the rise of the internet. The law, among other things, prohibits a person from accessing an internet-connected computer "without authorization" or in a manner that "exceeds authorized access."³ At issue in Van Buren was the meaning of the phrase "exceeds authorized access" within the context of § 1030(a)(2), a provision often invoked by website operators against big data companies that scrape or use other alternative data collection techniques to systematically collect information from websites. "Exceeds authorized access" is defined in the statute as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."⁴

Over the last 20 years, a circuit split emerged over the proper interpretation of "exceeds authorized access." The Second, Fourth, and Ninth Circuits took a narrow approach, holding that under the rule of lenity (a principle of criminal statutory interpretation that requires any unclear or ambiguous law to be applied in the manner most favorable to the defendant), a person with authorized access to a computer for a specific purpose does not exceed authorized access when they use that access for an unauthorized purpose, such as in violation of a policy.⁵ On the other hand, the First, Fifth, Seventh, and Eleventh Circuits reached the opposite conclusion, interpreting the clause to criminalize and give rise to potential civil liability whenever someone used authorized access to obtain information in violation of a policy.⁶

Enter Nathan Van Buren

Former Georgia police sergeant Nathan Van Buren used his valid credentials to access a law enforcement database in order to search for information about a license plate number in exchange for money. Unfortunately for Van Buren, he had walked into an FBI sting operation. Van Buren was convicted of violating the "exceeds authorized access" clause of the CFAA and sentenced to 18 months in prison. Van Buren appealed his conviction to the Eleventh Circuit, arguing that the "exceeds authorized access" clause applies only when a person obtains information to which their computer access did not extend. The Eleventh Circuit had previously taken an expansive view of the disputed clause and thus applied circuit precedent to uphold the conviction. It concluded that Van Buren violated the CFAA when he accessed the law enforcement database using his valid login credentials for an "inappropriate reason."⁷

Van Buren sought review at the U.S. Supreme Court. The Court granted certiorari on April 20, 2020 to resolve the circuit split regarding the scope of liability under § 1030(a)(2)'s "exceeds authorized access" clause.

The Supreme Court Weighs in

In a 6-3 decision (Thomas, J., Alito, J., and Roberts, J., dissenting), the Court reversed the Eleventh Circuit. The Court concluded that the disputed phrase in the definition of "exceeds authorized access"—"is not entitled so to obtain"—should be interpreted narrowly to mean that a person violates the CFAA when he accesses a computer with authorization but then obtains information on that computer that he is not authorized to access.⁸ Writing for the majority, Justice Barrett explained that Van Buren's proposed construction of the statutory clause was simply superior: the "text, context, and structure" all favored his reading.⁹

Because Van Buren had authorization to access both the computer and the license-plate records stored there, he did not run afoul of the statute, even if he then used those records for a purpose that violated workplace policies. In short, what mattered for the analysis was not the purpose of his access, but whether the specific database he accessed was "off limits to him."¹⁰

While the Court agreed with Van Buren's "gates-up-or-down" approach to this inquiry,¹¹ at the same time, it explicitly declined to address whether a limitation on access sufficient to trigger liability under either the "without authorization" or "exceeds authorized access" clause must be a technological limitation or whether a contract or policy prohibiting access could also provide the basis for liability.¹²

Implications

Given that the CFAA provides for both civil and criminal liability, including imprisonment of up to 10 years,¹³ the Court's decision to interpret the law narrowly is significant. In the Court's own words, the broad interpretation of the CFAA advanced by the U.S. government would bring with it the danger of "attach[ing] criminal penalties to a breathtaking amount of commonplace computer activity" carried out by "millions of otherwise law-abiding citizens."¹⁴ For example, reading the news on a work computer in violation of company policy would be a crime. Although the Court disclaimed that this concern was determinative, it's difficult not to see the concern as animating and even guiding the textual analysis.

Moving forward, those accused of violating the CFAA because they used their otherwise authorized access to obtain information for an improper purpose (e.g., in violation of a website's privacy policy or terms of service) can point to the holding in Van Buren as a defense that an improper purpose or policy violation alone is not sufficient to impose CFAA liability. However, big data companies and others must still proceed with caution given that the Court left open the question of whether lack of authorization turns only on technological ("code-based") access restrictions, or whether it may also be based on contractual or policy access restrictions. The Supreme Court currently is weighing whether to grant certiorari in another CFAA case that could resolve this open issue.¹⁵

^[1]No. 19-783, 593 U.S. ___ (2021).

^[2]18 U.S.C. § 1030.

^[3]18 U.S.C. § 1030(a)(2).

^[4]18 U.S.C. § 1030(e)(6) (emphasis added).

^[5]See, e.g., United States v. Nosal, 676 F.3d 854, 863-64 (9th Cir. 2012) (holding that “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use”).

^[6]See, e.g., United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding that a defendant “exceeds authorized access” when violating policies governing authorized use of databases).

^[7]United States v. Van Buren, 940 F. 3d 1192, 1208 (11th Cir. 2019).

^[8]Van Buren, No. 19-783, 593 U.S. ___, 5-8 (2021).

^[9]Id. at 17.

^[10]Id. at 20.

^[11]Id. at 13.

^[12] Id. at 13 n.8.

^[13]18 U.S.C. § 1030(c)(2).

^[14]Van Buren, No. 19-783, 593 U.S. ___, 16 (2021).

^[15]hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019), appeal docketed, No. 19-1116 (U.S. Mar. 12, 2020). In hiQ, the Ninth Circuit interpreted the clause prohibiting access “without authorization,” as opposed to the “exceeds authorized access” clause addressed in Van Buren, holding that the provision does not apply when a person obtains information that is available to the general public. If the Supreme Court grants certiorari, the decision will likely have additional implications for big data and other companies wishing to engage in web scraping.