On June 3rd, the Supreme Court issued an opinion clarifying the scope of the controversial Computer Fraud and Abuse Act (CFAA), which has long had a chilling effect on internet competition and research. While the ruling is a victory for internet freedom, it settles less than it appears to.
The CFAA criminalizes accessing a computer without authorization, or exceeding authorized access, to obtain information. Both government prosecutors and litigious companies have taken “exceeds authorized access” to include violating employee policies and website terms of service. This reading imposes criminal penalties on innocent computer use, such as shopping on a work computer or downloading too many academic papers from a university library.
Georgia police officer Nathan Van Buren was convicted of violating the CFAA for misusing his access to state license plate databases to sell personal information. The Supreme Court reversed his conviction in Van Buren v. United States. The Court held that even if Van Buren misused his access to the license plate database for an illicit purpose, he did not exceed his authorized access in the course of his misuse. The Court’s opinion is important because it rebukes overbroad government interpretations of the statute, though a footnote may limit the ruling’s applicability to private misuse.
The CFAA is often abused by established companies to threaten interoperable startups with criminal sanctions. Large social media platforms benefit from network effects – the more users they have, the more attractive their networks become. Without an existing userbase, competitors struggle to win users away from mature firms. One way around this problem is for startups to make their services work with existing networks.
Power Ventures offered a social media service which allowed users to view posts from Facebook, Twitter, Myspace, and other platforms without visiting their websites. However, its automatic retrieval of Facebook user information violated Facebook’s terms of service. Facebook successfully sued Power Ventures for accessing its website without authorization under the CFAA. While no firms have been so bold as to harass users who give login credentials to third parties, third-party services are regularly threatened with CFAA liability. In some cases, the mere accusation of a CFAA violation can shutter a small business. A Call of Duty statistics-tracking website recently shut down after receiving legal notice from Activision alleging a CFAA violation. Zillow was able to temporarily shutter a popular architectural review blog by invoking the CFAA.
The government argued that Van Buren’s conduct was covered by the CFAA because the way he used the license plate database was not authorized by the database’s owner. Van Buren’s actions “violated a department policy against obtaining database information for non-law-enforcement purposes.” The Court rejected the government’s circumstance- or purpose-dependent argument, noting that it would criminalize everyday computer use.
If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals … consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers. And indeed, numerous amici explain why the Government’s reading of subsection (a)(2) would do just that—criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.
Instead, the Court adopted a gate-based understanding of authorized access, ruling that because Van Buren was entitled to access license plate information as part of his job, his misuse of the database did not “exceed authorized access” per the CFAA. Instead of looking to a user’s authorization to use data for particular purposes, the Court’s gate-based approach examines whether the user is generally allowed to access the data or part of the computer system in question.
The Court both adopted a gate-based, rather than circumstance-based, understanding of access, and rejected a policy-based, rather than code-based, gate. Code-based gates are limits programmed into a computer system that require deliberate action to bypass. For instance, Google Docs “view,” “edit,” and “suggest” permission levels all allow different levels of control over a document. They are code-based gates. In contrast, Google’s terms of service, or an employer’s policy regarding editing company Google documents, are examples of policy gates. There are other ways to punish Van Buren’s invasion of privacy and misuse of government property; accepting a bribe is illegal regardless of the purpose.
However, footnote 8 of the opinion brings policy gates back into play. Although the Court rejected the gate posed by Van Buren’s police department’s policy and cast a skeptical eye on the application of the CFAA to private terms of service, it leaves the door open to policy gates in principle.
For present purposes, we need not address whether this inquiry turns only on technological (or “code-based”) limitations on access, or instead also looks to limits contained in contracts or policies. Cf. Brief for Orin Kerr as Amicus Curiae 7 (urging adoption of code-based approach).
In rejecting one policy gate, but explicitly refraining from generally adopting a code-based approach to access restrictions, the ruling leaves much work for future courts, which will have to determine which, if any, policy gates are backed by the CFAA.
It remains to be seen if the opinion’s rejection of one policy gate will be enough to curb the misuse of policy gates by dominant firms. On the one hand, private policies that restrict access are likely to be more limited than those that restrict purpose. On the other hand, as long as the breach of policy gates can give rise to criminal penalties, invoking the CFAA may be enough to quash competition without litigation. Recalling the stat-tracking website example, does a Terms of Service agreement that states “Call of Duty API (application programming interface) access is reserved to authorized developers” create an enforceable policy gate?
Congress could fruitfully resolve the situation by explicating its intent to criminalize the breach of code, not policy, gates within computer networks. Or, guided by the Court’s reasoning, other judges may helpfully find that while the CFAA may theoretically apply to policy gates, in practice, none offer an enforceable prohibition. Dispensing with the government’s purpose-driven reading in favor of a gate-based approach is a step in the right direction. Now, however, someone must decide which gates count.