Update: On November 30, 2020, the Supreme Court held oral arguments in Van Buren v. United States—a case that could resolve the judicial disagreement over whether the Computer Fraud and Abuse Act (CFAA) authorizes criminal liability for the violation of a terms of service agreement. Specifically, the issue before the court is whether an individual may be held criminally liable under the CFAA if he is "authorized to access information on a computer for certain purposes," but accesses that information for unauthorized purposes. At oral argument, questioning by the Justices focused on the policy implications of interpreting the CFAA broadly or narrowly. Justices asked whether a broad interpretation would criminalize routine conduct like lying on a dating website in violation of its terms of service. Other questions focused on whether a narrow interpretation, on the other hand, could jeopardize personal privacy if, for instance, an employee might not be criminally liable under the CFAA for using highly sensitive customer information in ways that are outside the scope of his employment duties.
At oral argument, the attorney for the government argued that the CFAA unambiguously prohibits accessing information for unauthorized purposes—a view adopted by some federal appellate courts, but rejected by others (as discussed below). The defendant's attorney disagreed that the text or legislative history compel such a reading, and countered that a broad interpretation of the CFAA would render the statute unconstitutionally vague and result in arbitrary prosecutions. The attorney for the government disputed that risk, arguing that the government has not obtained CFAA convictions for routine conduct like terms of service violations in the past. However, in recent cases, the Court has declined to rely on prosecutorial discretion to "narrow the otherwise wide-ranging scope" of a criminal statute and has rejected broad interpretations of ambiguous statutory language that would authorize expansive criminal liability.
A decision in Van Buren v. United States is expected before the Court's summer recess.
Computers and the internet are ubiquitous, and so too are contractual restrictions on their use. Users of smartphones, tablets, personal computers, social media websites, apps, online shopping platforms, streaming services, and more are generally bound by terms of service (ToS) agreements—contracts that govern the use of a product. Often, ToS agreements take the form of clickwrap agreements requiring users to click a box indicating that they are aware of, and agree to, certain terms on a website. In other instances ToS agreements may simply amount to a written notification that by using a product, the user agrees to be bound by the product's ToS. Either way, at least according to some empirical studies, users generally do not read TOS agreements. That is perhaps unsurprising given that ToS agreements are often lengthy, covering everything from the number of authorized users of a product to the types of content that may be shared through a device or service. But providers of computer and internet products and services rely on ToS for a variety of purposes, including limiting liability, protecting proprietary data, and preventing their products or services from being used in a harassing, threatening, or abusive manner. Against this backdrop, federal courts have diverged on the issue of whether an individual may—under certain circumstances—be criminally liable under federal law for ToS violations.
The judicial disagreement stems from two conflicting interpretations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030—a civil and criminal cybersecurity law prohibiting certain computer-related activities. Federal appellate courts are divided on when an individual who violates a ToS agreement runs afoul of the CFAA and is subject to liability under the statute. The United States Supreme Court appears poised to weigh in on the issue; on April 20, 2020 the Court agreed to hear Van Buren v. United States, an appeal from the Eleventh Circuit.
This Sidebar begins with background on the relevant provisions of the CFAA, before examining the split among the federal appellate courts over when, if ever, the CFAA imposes criminal liability for violations of ToS agreements. It then briefly describes the background and implications of the Van Buren case. The Sidebar concludes with some considerations for Congress.
The CFAA: Background and Key Provisions
The CFAA prohibits a number of activities where a person illicitly accesses a qualifying computer if he is "without authorization" or if he "exceeds authorized access." The phrases appear in a number of the CFAA's subsections, such as § 1030(a)(2), which prohibits an individual intentionally accessing a computer without authorization or in excess of authorization and obtaining information from a financial institution, the federal government, or "any protected computer" (construed by courts to include any computer connected to the internet). Similarly, § 1030(a)(4) makes it a crime to "knowingly and with intent to defraud, access[] a protected computer without authorization, or exceed[] authorized access" and obtain anything of value, or use of the computer itself if that use is worth at least $5,000 a year. Other sections use the same language.
The CFAA was enacted in 1984 to address growing concerns over the dangers of hacking—intrusions or trespasses "into computer systems or data"—and has been primarily used to combat that threat. The law protects a broad range of technology including most websites, and nearly any "devices with embedded processors and software" other than "typewriters, typesetters, and handheld calculators." The CFAA has been amended several times since 1984, but it is still described as an anti-hacking law. The law has been invoked in successful hacking prosecutions, including in the high-profile case of one hacker who used a phishing scam to access private email and cloud accounts, through which he obtained nude photographs of celebrities, which were later leaked online.
Although such examples of hacking fit squarely within the CFAA's scope, federal appellate courts have disagreed over whether the law criminalizes the violation of ToS agreements. The circuit split is the result of differing interpretations of the phrases "without authorization" and "exceeds authorized access." The statute does not define "without authorization." As for "exceeds authorized access," § 1030(e)(6) defines the phrase as "access[ing] a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter . . . ." However, that definition hinges on the meaning of "with authorization," which the CFAA also does not define. As discussed below, the federal appellate courts disagree over the breadth of these phrases, and whether they permit criminal liability for ToS violations.
The Split: Criminal Liability for ToS Violations
Under a broad interpretation of the two phrases, an individual who violates a contract limiting the uses of a computer—such as a ToS agreement—may be acting without authorization or in excess of authorization under the CFAA, triggering criminal liability. The First, Fifth, Seventh, and Eleventh Circuits have adopted this view, often in cases focusing not on ToS violations, but rather on employer/employee computer use agreements. These cases generally involve an employee or former-employee who is authorized to access a work computer for limited purposes, but who uses that computer for other reasons. For example, in United States v. Rodriguez an employee accessed his employer's database to obtain "sensitive personal information" for his personal use, despite the employer's policy prohibiting database use for nonbusiness purposes. The Eleventh Circuit concluded in Rodriguez that the employee "exceeded authorized access" under the CFAA because, although the employee was authorized to access the database, he was not authorized to do so for personal purposes. In other words, "the concept of 'exceeds authorized access' may include exceeding the purposes for which access is 'authorized.'" Although many of these cases focus primarily on the meaning of "exceeds authorized access," the broad interpretation has been applied to "without authorization" as well. Thus, under the broad view, if a contract limits authorization to certain uses, and a user exceeds the bounds of those contractual restrictions, he may have exceeded authorized access or be without authorization in criminal violation of the CFAA.
Although these courts generally do not expressly articulate a policy rationale in adopting the broad interpretation, they appear concerned not just with hacking, but also with other computer-based harms such as the misappropriation of confidential information by rogue employees or former-employees. For example, in concluding that CFAA liability could extend to an employee who accessed and removed "highly sensitive and confidential" customer account information that she was not authorized to access, the Fifth Circuit noted the harm the employee caused to the employer and its customers.
While several of the cases adopting the broad interpretation have not arisen in the context of ToS agreements, some courts have clarified that the broad interpretation would extend criminal liability under the CFAA to at least some ToS violations. For instance, the First Circuit observed that "[a] lack of authorization could be established by an explicit statement on the website restricting access . . . ." such as a website's "lengthy limiting conditions." That said, federal district courts in at least one circuit employing the broad interpretation have declined to extend criminal liability to mere ToS violations.
Several other courts, including the Second, Fourth, and Ninth Circuits, have more narrowly interpreted "without authorization" and "exceeds authorized access," based on an understanding that the CFAA's central purpose is to criminalize hacking. These courts apply CFAA liability only to those who lack any authorization to access a computer or website or those who are "authorized to access only certain data or files" but access "unauthorized data or files." As a result, the narrow view exempts from CFAA liability those who have merely violated ToS agreements. These courts have held as such, relying on the rule of lenity, the canon of construction counseling that penal statutes should "be construed strictly" in favor of "the interpretation least likely to impose penalties unintended by Congress." According to these courts, broadly interpreting "exceeds authorized access" or "without authorization" would risk such unintended consequences. As the Ninth Circuit observed, the broad interpretation would define authorized access by contract terms that "most people are only dimly aware of," and are subject to change without notice, risking "mak[ing] criminals of large groups of people who would have little reason to suspect they are committing a federal crime." For example, one court cautioned that the broad interpretation would turn "every conscious [ToS violation into] . . . a CFAA misdemeanor" under § 1030(a)(2).
Many of the cases adopting the broad view of the CFAA predate the Second, Fourth, and Ninth Circuit opinions, and do not expressly respond to the concerns expressed in those opinions regarding over-criminalization. Nevertheless, some jurists have expressed skepticism that the broad view would actually criminalize routine ToS violations. Dissenting from a key Ninth Circuit opinion adopting the narrow view of the CFAA, two judges observed that even under a broad reading of the CFAA an individual would not be criminally liable unless he acted with the intent required by the statute. The judges noted that under § 1030(a)(4)—which prohibits "knowingly and with intent to defraud, access[ing] a protected computer without authorization" or doing so in excess of authorization—a defendant would be liable only if he acted with "the requisite mens rea and the specific intent to defraud . . . ." The judges declined, however, to examine whether such limitations would apply under other CFAA subsections, such as § 1030(a)(2), which were not at issue in the case.
Van Buren and Considerations for Congress
The case that could potentially resolve the circuit split, Van Buren, involves former police sergeant Nathan Van Buren's conviction for, among other things, violating § 1030(a)(2) by using a law enforcement database for purposes prohibited by department policy. Van Buren appealed his conviction to the Eleventh Circuit, arguing that he did not violate § 1030(a)(2) because he accessed "databases that he was authorized to use, even though he did so for an inappropriate reason." The court interpreted Van Buren's argument as a request to overrule its Rodriguez decision (discussed above), which adopted the broad interpretation of the CFAA. Although the Eleventh Circuit acknowledged criticisms of Rodriguez, it affirmed the conviction and declined to overrule its precedent absent a "Supreme Court or en banc decision of this Circuit that abrogates Rodriguez . . . ."
Van Buren filed a petition for a writ of certiorari with the Supreme Court on whether "a person who is authorized to access information on a computer for certain purposes violates [§ 1030(a)(2)] . . . if he accesses the same information for an improper purpose." In his petition, Van Buren noted the circuit split and echoed the concerns of the federal appellate courts that have adopted a narrow interpretation of the CFAA—namely that the rule of lenity supports the narrow view because the alternative turns even "trivial breach[es]" of computer-use policies into "a federal crime." The Court granted the petition on April 20, 2020 and is expected to hear arguments in Van Buren in its October 2020 term.
In Van Buren, the Supreme Court will likely hear a range of legal and policy arguments. Several commentators have raised concerns that broadly interpreting "exceeds authorized access" and "without authorization" leaves the CFAA vague and susceptible to "[a]rbitrary and discriminatory enforcement." A general concern is that if criminal liability under the CFAA hinges on onerous contracts that few read, then the CFAA does not "define . . . criminal offense[s] [under the statute] with sufficient definiteness that ordinary people can understand what conduct is prohibited . . . ." At least one court echoed such concerns in adopting the narrow interpretation of the CFAA. Relatedly, some courts have expressed concern that "by utilizing violations of [ToS agreements] as the basis for [a CFAA] crime," the broad interpretation "makes the website owner-in essence-the party who ultimately defines the criminal conduct." According to some, that not only contributes to the possibility of arbitrary enforcement, but it also makes behavior that is traditionally the domain of state tort and contract claims the subject of federal criminal law.
Criticism of the broad interpretation of the CFAA is not universal. For example, some individuals and businesses have advocated for the broad interpretation because it permits civil CFAA lawsuits to enforce contractual rights, such as those embodied in a ToS agreement. Businesses have invoked the CFAA's civil provisions to remedy injuries relating to contractual violations, such as misappropriation of confidential information—often in the context of disputes with rogue employees or former employees who abuse computer privileges at their employer's expense. In public comments, a Department of Justice (DOJ) official agreed that the CFAA should protect against such threats. He described opinions adopting the narrow view as an "obstacl[e]" to prosecuting such cases, which the government has done in the past. In addition, the Solicitor General has contested the argument that the broad interpretation creates uncertainty and criminalizes commonplace computer behavior, maintaining that such concerns are purely hypothetical because of a DOJ policy that limits prosecutorial discretion in CFAA cases. The DOJ policy requires, among other things, that, before bringing charges, prosecutors consider the defendant's state of mind when committing the crime.
In Van Buren, if the Court interprets "without authorization" or "exceeds authorized access" in a manner contrary to Congress's intent, assuming away any constitutional concerns driving the Court's interpretation, Congress could respond to clarify the CFAA's reach. Some Members in past Congresses introduced legislation that sought to modify the "without authorization" and "exceeds authorized access" language in the CFAA. One example, Aaron's Law, was "named in honor of the late Internet innovator and activist Aaron Swartz," who committed suicide while undergoing CFAA prosecution. First introduced in the 113th Congress, Aaron's Law would have replaced the phrase "exceeds authorized access" with "access without authorization," which it defined as obtaining "information on a protected computer . . . that the accesser lacks authorization to obtain" by "knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information." That proposal would have limited the CFAA's breadth in a manner more consistent with the understanding of courts applying the narrow view of the statute. No bills have been introduced in this Congress addressing the split.
Document ID: LSB10423