Technology November 2021
A Narrow Interpretation
A look at how the U.S. Supreme Court construes "exceeds authorized access" in the Computer Fraud and Abuse Act
Written by Pierre Grosdidier
In Van Buren v. United States, the U.S. Supreme Court resolved a circuit court split and narrowly construed the Computer Fraud and Abuse Act’s definition of “exceeds authorized access.”1 The issue was that of the “rogue insider.” Clearly, the CFAA criminalizes breaking into a computer, but does a properly credentialed person exceed his or her authorized access by obtaining information for illicit reasons? In its 6-3 decision, the court held “no.”
Former police sergeant Nathan Van Buren traded information garnered from a law enforcement database for money.2 Van Buren had database access credentials, but not for this purpose. He was convicted under CFAA § 1030(a)(2), which sanctions whoever “intentionally . . . exceeds authorized access.” Under the CFAA § 1030(e)(6),
the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.3
The U.S. Court of Appeals for the 11th Circuit, which has construed “exceeds authorized access” broadly, affirmed the conviction.4 On appeal to the U.S. Supreme Court, Van Buren argued that the CFAA’s “exceeds authorized access” should be construed narrowly. The court agreed.
Sticking closely to the statutory text, the court accepted Van Buren’s argument regarding the importance of the word “so” in the expression “entitled so to obtain.” Van Buren clearly “accessed a computer with authorization” and obtained information. The question was whether he was “entitled so to obtain” that information. The court agreed that “so” is a term of reference that relates to the preceding “identifiable proposition,” namely the authorized access to a computer.5 Under this reasoning, “[t]he phrase ‘is not entitled so to obtain’ is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.”6 Thus, a credentialed computer user authorized to access Folder Y does not violate the CFAA by corruptly tapping into this folder, but does exceed authorized access by obtaining information from off-limit Folder X. Authorized access under the CFAA is ultimately a “gates-up-or-down inquiry—one either can or cannot access a computer system, and [likewise] certain areas within the system.”7
The court rejected the government’s argument that “so” referred more broadly to “the particular manner or circumstances” in which the user obtained the information.8 These circumstances, the government argued, are defined by the terms of access of the information. Under the government’s approach, the court reasoned, the circumstances that render a person’s conduct illicit are not identified in the statute and are potentially overbroad.
The court also noted that this narrow interpretation of “exceeds authorized access” harmonized the CFAA’s §§ (a)(2) and (e)(6), which proscribe accessing a computer without authorization and accessing a computer with authorization and securing information that the user is “not entitled so to obtain.” The law, therefore, targets outside hackers and rogue employees who enter off-limit areas of a computer. The CFAA’s civil liability provision, the court added, supports this interpretation. Civil liability depends on a finding of “damage” or “loss,” i.e., technological harm such as file corruption, which are typically the consequences of computer hacking, not illicit information retrieval that does not damage a database, as was the case with Van Buren.9
The U.S. Supreme Court also observed that a broad construction of “exceeds authorized access” would criminalize the innocuous conduct of “millions of otherwise law-abiding citizens” who use their work-only computers for personal reasons, like checking personal emails, or who stretch the truth on their personal social media pages. This implication “underscore[d] the implausibility of the government’s interpretation,” and was the “extra icing on a cake already frosted.”10
This article, which was originally published in Circuits, has been edited and reprinted with permission.
PIERRE GROSDIDIER is an attorney in Houston. He belongs to the first group of attorneys certified in construction law by the Texas Board of Legal Specialization in 2017. Grosdidier’s practice also includes data privacy and unauthorized computer access issues and litigation. Prior to practicing law, he worked in the process control industry. Grosdidier holds a Ph.D. from Caltech and a J.D. from the University of Texas. He is a member of the State Bar of Texas, an AAA Panelist, a registered P.E. in Texas (inactive), a member of the Texas Bar Foundation, a fellow of the American Bar Foundation, and the State Bar of Texas Computer & Technology Section chair-elect for 2021-2022.