U.S. Supreme Court to Consider Whether Violating Terms of Service Is Computer Hacking
This week, in United States v. Van Buren, No. 19-783, the United States Supreme Court granted certiorari to determine what constitutes computer hacking, a decision that will have broad impacts across the Internet.
In Van Buren, a Georgia police officer was convicted of violating the Computer Fraud and Abuse Act (CFAA) after running a license plate search in a government database to dig up personal information on an exotic dancer. A jury subsequently convicted him of violating Section 1030(a)(2) of the CFAA, which makes it a crime to obtain “information from any protected computer” by “intentionally access[ing] a computer without authorization or exceed[ing] authorized access.” Van Buren was clearly “authorized” to use the license plate database for legitimate law enforcement purposes—he wasn’t a traditional hacker. But, the government argued, he illegally exceeded authorization because he had been trained “on the proper and improper uses of the system” and admitted to investigators that he knew his actions were “wrong.” Upholding the conviction, the Eleventh Circuit held that “even a person with authority to access a computer can be guilty of computer fraud if that person subsequently misuses the computer.” United States v. Van Buren, 940 F.3d 1192, 1208 (11th Cir. 2019), cert. granted, No. 19-783 (U.S. Apr. 20, 2020).
Activity is clearly computer hacking when it involves, for example, a nefarious outsider deploying malware and bypassing security to steal terabytes of someone else’s data. But what about violating the Terms of Service on a social media site, or a security researcher using a service in ways not intended by the provider, or an employee misusing corporate databases? What about scraping data from a publicly available website? In these cases, the user already has access to the data, and the only “hacking” involved is misuse of information or a service.
Courts and scholars have long struggled with whether these cases are violations of the CFAA’s prohibition on “exceed[ing] authorized access.” See, e.g., United States v. Nosal, 676 F.3d 854 (9th Cir. 2012); hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019) (stating that the CFAA prevents conduct “analogous to breaking and entering”); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583–84 (1st Cir. 2001) (holding that violations of a confidentiality agreement or other contractual restraints could give rise to a claim for unauthorized access under the CFAA); Sandvig v. Barr, No. 16-1368, 2020 WL 1494065 (D.D.C. Mar. 27, 2020) (holding that the CFAA’s access provision did not actually criminalize violating consumer websites’ terms of service). For example, computer crime scholar Orin Kerr long ago wrote that “a contract-based theory of authorization in a criminal context . . . may be constitutionally overbroad, criminalizing a great deal beyond core criminal conduct, including acts protected by the First Amendment.” Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1658 (2003). Kerr and others in the infosec community have long called for courts to reconsider such a broad approach to the CFAA.
In Nosal, the Ninth Circuit pointed out the potential risk of broadly interpreting “exceeds authorized access,” arguing that “[m]inds have wandered since the beginning of time and the computer gives employees new ways to procrastinate . . . . Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes.” 676 F.3d at 860. Therefore, in contrast to the Eleventh Circuit in Van Buren, the Ninth Circuit held that “the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions.” Id. at 863.
The Supreme Court’s decision in Van Buren will have repercussions well beyond criminal prosecutions. Using a computer today generally means using someone else’s computer, whether an employer, a social media site, a cloud service provider, or a business partner. Entities that allow the public to use their computers face challenging questions about how much to open their networks and still protect their intellectual property and confidential information. Relationships with these third parties are often dictated by Terms of Service, Employee Handbooks, and other contractual arrangements that set out the intended rules of the road. Whether violating these rules of the road can also lead to a criminal or civil violation of the CFAA is an open and vital question, and the Supreme Court’s answer will fundamentally shape how we use the Internet and how willing entities will be to allow access to their networks.