This article has been written by Aashish Mittal pursuing the Diploma in US Corporate Law and Paralegal Studies from LawSikho.
Everything comes with pros and cons. Undoubtedly, technological developments have made our work as well as our life easier, but there are certain limitations. To bridge the gap between its usage and the limitations certain checks and balances need to be taken care of. One such legislation in the USA is the Computer Fraud and Abuse Act (CFAA) which has paved its way to criminalize the conduct of accessing other computers without authorization and other such activities of similar nature.
Recently the US Supreme Court has held a historical judgment where it has resolved the Split decision between the Circuit Courts in the case of Van Buren v. United States [593 U.S._(2021)]. The circuit courts have relied on two different interpretations of sec 1030(a)(2) of CFAA for a very long time which shall be discussed in this article and how the Supreme Court had held a judgment resolving the split.
In this article, firstly a brief introduction to the legislation CFAA is given, further as to consequences which brought this matter to the Supreme Court and the court siding with the narrower interpretation of the circuit split decision will be discussed. The court’s analysis while deciding the matter also gives a view upon such conducts CFAA is not applicable will be dealt with along the CFAA being the criminal legislation, and lastly the author’s analysis about the court’s decision.
What is CFAA?
The Computer Fraud and Abuse Act (CFAA) is an act codified at 18 U.S.C. 1030, and it was originally enacted by Congress in 1986 to combat and criminalize different forms of computer crimes. Among other things mentioned in the act, this act criminalizes intentionally accessing the computer without the concerning authorization.
Technological advancements are witnessed and are still increasing which requires time to time amendments and updated regulations to pace with such technology. CFAA has also been amended and modified multiple times to achieve the very objective for which the act was enacted.
In 1994 CFAA spread its hands in civil matters. The amendment allowed the corporations to bring civil actions against the persons who have gained unauthorized access to the company’s information and used it against them.
This Act prohibits individuals from obtaining or accessing different categories of information mentioned in the act. The act defines the word “exceeds authorized access” which means accessing a computer without authorization which involves the sort of activities like hacking, password theft, or any similar activities to break into a system or acquire the access credential of the computer; and another term “exceeds authorized access” under section 1030(a)(2) of the CFAA is also defined which is less clear from the given Act’s language and its interpretation is very conflicting, the conduct where an individual access a computer “with authorization” and then obtains the information which he is not entitled to obtain.
A brief overview of why this matter came to the court
The Circuit Court had two different views related to the legal issue ‘whether an individual under the CFAA has exceeded authorized access by obtaining information from a computer for an improper or unacceptable purpose, for which the same information was not authorized such as misappropriating it or for the purposes such as personal, regional, or unrelated to the access granted’.
Van Buren, a police Sergeant used the law enforcement database to track down a license number plate of an individual to find out the same individual if he is an undercover officer in exchange for consideration and this act of his was considered to be considered violation of CFAA under sec 1030(a)(2) and the matter came to the Eleventh circuit who broadly interpreting the same held sergeant liable for which sergeant appealed to the Supreme Court in the case accepted the Certiorari of the defendant and the same matter had been taken upon by the court to resolve the split circuit decision and to clear the legislative interpretation of the same.
The above issue had different answers on where the Van Buren claim was litigated and upon which there is a split circuit decision.
- First, Fifth, Seventh, and Eleventh Circuit favored broader interpretation of the term “exceeds authorized access.” It states that when there is conduct which a person is authorized to do under CFAA in the computer system such as access files and folders, but the same conduct if used for improper wants, requirements, motives, such as personal or unrelated to the purpose for which such authorization had been granted, than it can be deemed to violate CFAA irrespective of the fact that such persons were legitimately entitled to or has been authorized to access the information for certain purposes.
- The second interpretation is a narrower one in which the Second, Fourth, and Ninth Circuit were of the opinion that the conduct of a person to access and to use the information for the purposes not related to the access granted does not violate the provisions of CFAA. This is because prima facie the person was authorized to access the data and consequently the motive to use such data for unrelated purposes is immaterial for liability.
The legal issue before the Supreme Court
The long-standing debate of the term ”exceeding authorized access” has been cleared and put an end by the supreme court in the case of Van Buren vs. the United States with a decision in favor of the Ninth circuit narrower interpretation had been favored by the Supreme Court where the issue before the court was whether a person who is authorized to access information on a computer for certain purposes exceeds that access under sec 1030(a)(2) if he accesses the same information for an improper purpose.
Supreme Court decision and its analysis
The Supreme Court in Van Buren’s Case has taken up some constructions and sided with the narrow perspective of interpretation of the Ninth Circuit. A 6:3 majority ruled in favor of the appellant and provided him the liberty to put up the hypothecation of the two terms “without authorization” and “exceeds authorized access.” part deals with a conclusion that the person can access or cannot access certain areas of the computer database. If he can then the intent behind the same as to how or for what purpose he wants to use is not of value, as prima facie he has the authority to access the same, otherwise broader interpretation will lead to a chance of havoc. This is because it would allow an employer to bring an action against every employee who wishes to work for someone else.
The Court before concluding has to lay their hands on different constructions to satisfy both themselves and the parties as to why the narrower interpretation is more convenient and progressive in the long run:
- The statutory construction for which the language of the definition of “exceeding authorized access” in the CFAA has some words which while construing creates some confusion as to whether such terms are of analysis based on intent or otherwise. ‘That the accessor is not entitled so to obtain or alter the words “entitled” and “so” in the language of the definition have been construed by the court and sided with the opinion that irrespective of the intent the same access, if not required in the first place, would not have brought up the question of analysis of intent or any motive. Since the same information was allowed to be accessed by the Sergeant then the intent behind it to use it for any purpose is not required.
- Policy Arguments from the side of the government which came up with an issue that whether a broad interpretation is against the congressional intent behind the CFAA and would disrupt statutory harmony with related provisions. If yes, will it grant the side of the government an enormous power and authority to criminalize every act of the employee under the purview of the similar arguments. So, to come up with a better solution and a progressive front the answer to the given issue was to favor the narrower interpretation.
- Common Sense as to whether the conduct of the sergeant’s breach of employment policy and his unethical behavior falls within the ambit of CFAA.
After due consideration and listening to the arguments of both sides the court held that CFAA covers and hold those individuals in violation who have to obtain information from those computer databases or files or folders from which their computer does not provide them access and finally stating the reasoning for the same that it “Does not cover the likes of Van Buren, who have improper motives for obtaining information that is otherwise available to them”.
Analysis of the decision of the Supreme Court
The Supreme Court analyzed and put an end to a long-standing Circuit Split of the CFAA for which the court has reversed the Eleventh Circuit conviction order of Van Buren under the CFAA. It has also provided the interpretation of “exceeding authorized access” which has brought numerous cases under the purview of broader interpretation and passed the orders like in the United States v. John (597 F.3d 263, 271-72 (5th Cir. 2001)) in which an employee downloads confidential information which she was allowed to access for some other purpose unrelated to work, and the court held her to violate CFAA and saying that the defendant exceeded his authorized access by improperly using information that he was authorized to access.
The Supreme Court judgment has opened many gates for researchers and other professionals who require public databases and want to use them for their research as it would dissolve them of the liability from the cybersecurity. Further, creating a narrow liberal interpretation has also made criminal liability on the authorized accessors to know the limit upon which their conduct is protected and what they should and should not do to know that they are not in violation of the same.
It is a progressive step towards the future of computer cybersecurity and also it will protect and prevent employers who harass their present and past employees. In light of the narrower interpretation, the intent behind the definition of “exceeding authorized access’ is to prohibit those accessors who access files from a computer database which they are not allowed i.e., unauthorized access to computers which will result in hacking the system entirely and committing violations of other statutes too.
The Supreme Court is entrusted with a duty to give decisions using the very basic understanding of the issues involved in any case and which satisfies the need of the legal issue as well as provide justice to the parties involved at the same time. It so happens sometimes that some provisions of statutes require interpretation and also to understand the purpose of the Congress behind such provision the courts have to break the language of such provision and try to make the ends meet. In the case of Van Buren v. United States in which the Supreme Court has interpreted Sec 1030(a)(2) of the CFAA which defines the term “exceeding authorized access” which has modified and created the value of the provision as social welfare.
The Supreme Court has not only protected the employment interests but also has kept in mind the greater good which the judgment will provide as it will allow the development in the fields of research projects, university case studies, and other similar activities which involve the users to access public data and details which are sensitive information and will be allowed only if the access of data is granted by the concerned authority. The narrower interpretation of the term “exceeding authorized access” which the Supreme Court has made, has created a place to harbor development in different fields by making the accessors work with liberty and under no threat of criminal prosecution which will also increase productivity and efficiency.
In the events of such a drastic step to give a liberal way to the accessors to use the information in the way as they think fit, the judgment says that motive behind such information, if the access is granted, is immaterial and will surely in future, increase the chances to evade the liability under the CFAA. The Statute still requires some changes to counter the issue where accessing information and using the same for unwarranted purposes will evade the liability only because the access was provided for the information initially.
Development and crime go hand in hand and where one finds a way, the other will also prevail, so lawmakers keep on coming with the amendments and changes to balance both. So, to create a balance between development and crime the Supreme Court in choosing the narrower interpretation of the CFAA term “exceeding authorized access”, it is the duty of the lawmakers to come up with a counter solution to not allow the accessors of the information to get away with the liability every time they face criminal prosecution. The statute requires some progressive steps in the area of liability in terms of the motives and the intent to criminalize the potential actions which can damage the other side.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: