The Computer Fraud and Abuse Act of 1986 (CFAA) has been used for 35 years to prosecute cybercriminals and recover damages in civil suits. Increasingly, the bad actors charged under the CFAA have been employees who violated company policy by accessing information that the technical controls placed on their employer-issued credentials actually allowed them to reach.
The distinction between such employees and other bad actors is that their employers’ policies prohibited them from using the information in a manner the employer did not approve of. Unlike the third-party hackers that come to mind when you think of computer fraud and cybercriminals, these employees were given credentials to use their employers’ computer systems precisely so they could access the files within.
The core behavior at issue in Van Buren was whether a computer user who has authorized access to the computer system (in a technical sense) runs afoul of the CFAA if the user’s purpose in accessing the data is prohibited by the terms of their computer use policy.
The issue in similar cases led to a hard line split among the Circuit Courts – with the 1st, 5th, 7th, 8th, and 11th Circuits siding with the Government and the 2nd, 4th, 6th, and 9th Circuits siding with employees (or otherwise credentialed computer users).
The Supreme Court’s decision was penned by Justice Amy Coney Barrett in a six vote majority, joined by Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh. Chief Justice Roberts joined Justice Alito in Thomas’s dissent.
In Van Buren, the Court held:
An individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him.
As a result, the purpose of the access no longer matters. It is purely a question of whether the technical controls permitted the user to access the information in the particular part of the computer system.
The statute at issue is found at 18 USC § 1030(a)(2) and is cited by the Court in relevant part:
The [CFAA] subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains computer information. 18 U. S. C. §1030(a)(2). It defines the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6).
Van Buren v. United States, No. 19-783, slip op. at 2 (June 3, 2021), https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf.
Overall, the facts seem pretty terrible in this case.
Van Buren was a police sergeant who used his department-issued credentials to access a law enforcement database and retrieve license plate info in exchange for payment. The details of the case make it feel even worse. However, it is fair to say that Van Buren’s use of the computer to obtain police database records in exchange for personal payment was not permitted by department policy. If there was ever a case to tee up on the Government’s side, this seems like a solid set of facts to apply the “exceeds authorized access” language.
So, Did He Exceed Authorized Access?
The Court spent several pages dealing with the meaning of the word “so” in the statute. Was Van Buren “entitled so to obtain?” See §1030(e)(6).
Based on the briefs and the oral argument back in November, we knew the meaning of “so” was going to be a key issue.
Citing Black’s Law Dictionary, Van Buren argued “that ‘so,’ as used in this statute, serves as a term of reference that recalls ‘the same manner as has been stated’ or ‘the way or manner described.’” Van Buren at 5. However, the Government reads the phrase “to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it.” Van Buren at 6. The Government’s interpretation of the meaning of “so” leads to absurd and innately unfair results, as hypothesized by the Court:
As the Government sees it, an employee might lawfully pull information from Folder Y in the morning for a permissible purpose—say, to prepare for a business meeting—but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purpose—say, to help draft a resume to submit to a competitor employer.
Van Buren at 6.
Ultimately, the Court found it rather easy to adopt Van Buren’s argument “that the disputed phrase—’is not entitled so to obtain’—plainly refers to information one is not allowed to obtain by using a computer that he is authorized to access.” Van Buren at 6.
The Privilege Escalation Clause and Technical Access
This holding is what I’ve always read in the statute as the privilege escalation clause. In the cybersecurity realm, the need for different levels of access among users is a fundamental tenet of securing systems. We don’t allow just any employee to access every part of the system. One reason is to restrict access to sensitive information (e.g., PHI, PII, trade secrets, etc.). Another is to protect key system settings from accidental misconfiguration or from exposure to malware or ransomware.
Sometimes, however, an attacker gains access to a lower-level user account, either because the attacker is an employee (i.e., an insider threat) or because the attacker compromised the employee’s account. The attacker then uses the lower-level account as a foothold in the system and seeks to compromise a higher-level account by finding other vulnerabilities (i.e., privilege escalation).
The Court doesn’t get overly technical in dealing with systems’ security and access controls. However, the Court makes a clear effort to separate the subjective purpose of the user accessing the data from the technical meaning of access controls that serve to limit the user’s reach into the system.
The Court even posits that the Government’s characterization of “exceeds authorized access” could establish a limitation on the user’s purpose if the phrase were not specifically defined to meet this technical access standard.
If the phrase “exceeds authorized access” were all we had to go on, the Government and the dissent might have a point. . . . So, the relevant question is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase.
Van Buren at 11.
The Court goes on to emphasize that when we’re talking about “access” here, we’re talking about “computer access” – and that has a technical meaning in the field. See Van Buren at 11-13. “It is thus consistent with that meaning to equate ‘exceed[ing] authorized access’ with the act of entering a part of the system to which a computer user lacks access privileges.” Van Buren at 12. The phrase “exceeds authorized access” now, unmistakably, refers to a credentialed user engaging in privilege escalation.
Technical Damages
The Court also found harmony in Van Buren’s reading of the statute when examining the civil damages provision for harms caused by the offender. The Court noted that “statutory definitions of ‘damage’ and ‘loss’ thus focus on technological harms” and that such “definitions are ill fitted . . . to remediating ‘misuse’ of sensitive information that employees may permissibly access using their computers.” Van Buren at 15. (We’ll come back to this as we discuss data scrapers below.)
Information Misuse and the Power of the Computer Policy Drafter
The Court also made a point of highlighting the danger in adopting the Government’s interpretation, which would criminalize the purpose of information access under the CFAA. This is a critical difference between the two readings of the statute, because the Government’s reading hands the power to define federal criminal violations to whoever drafts the employee policies.
From a corporate perspective, information access and information misuse are often closely related. And to the untrained eye (which may or may not be drafting the computer use policy), they can seem one and the same.
The Government concedes, as it must, that the “exceeds authorized access” clause prohibits only unlawful information “access,” not downstream information “‘misus[e].’” Brief in Opposition 17 (statute does not cover “‘subsequen[t] misus[e of] information’”). But the line between the two can be thin on the Government’s reading. Because purpose-based limits on access are often designed with an eye toward information misuse, they can be expressed as either access or use restrictions. For example, one police department might prohibit using a confidential database for a non-law-enforcement purpose (an access restriction), while another might prohibit using information from the database for a non-law-enforcement purpose (a use restriction). Conduct like Van Buren’s can be characterized either way, and an employer might not see much difference between the two. On the Government’s reading, however, the conduct would violate the CFAA only if the employer phrased the policy as an access restriction. An interpretation that stakes so much on a fine distinction controlled by the drafting practices of private parties is hard to sell as the most plausible.
Van Buren at 19-20 (emphasis added).
On-Deck: Public Website Data Scraping Under the CFAA
Four days after the Van Buren opinion was issued, LinkedIn filed a supplemental brief to their petition for a writ of certiorari in hiQ Labs v. LinkedIn, which I previously examined in asking whether data scraping public websites is a data breach.
As a short refresher, the Ninth Circuit addressed a dispute between the two companies over hiQ’s business model that involved scraping LinkedIn’s public-facing website. LinkedIn threatened hiQ, claiming that its actions violated the CFAA. In turn, hiQ sought an injunction against LinkedIn and a declaratory judgment that the CFAA didn’t apply. The Ninth Circuit sided with hiQ and LinkedIn petitioned the Supreme Court to hear the case.
With the Van Buren case now decided, what does this more restrictive interpretation of the CFAA mean for LinkedIn’s case against data scrapers?
Technological Harms
As mentioned above, the Court examined how the damages provisions offer plaintiffs a means to recover for “impairment[s] to the integrity or availability of data, a program, a system, or information.” Van Buren at 15. The Court emphasizes these damages are “technological harms,” which helped Van Buren as an authorized user.
Do LinkedIn and other public-facing websites suffer technological harms from the drain on system resources when automated scrapers load webpages and scrape information? I think this is certainly a helpful distinction for LinkedIn’s case.
Criminal Conduct via Terms of Service on the Internet
On the other hand, when highlighting the slippery slope of the Government’s reading of the CFAA, the Court points out that such a broad reading could affect website users and violations of terms of service.
Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers. And indeed, numerous amici explain why the Government’s reading of subsection (a)(2) would do just that—criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.
Van Buren at 18.
While this arises in the Opinion dicta, it sure seems like an uphill battle for LinkedIn to challenge the Van Buren majority if its cert petition is granted.
Notably, LinkedIn’s distinguishing argument in seeking review is that its question turns on whether a scraper’s access is “without authorization” – as opposed to the second step, “exceeds authorized access,” at issue in Van Buren. Still, the above quote has to be worrisome for LinkedIn’s cause.
UPDATE 7/13/21 via EPIC.org:
The U.S. Supreme Court has vacated the Ninth Circuit’s decision in LinkedIn v. hiQ Labs but will not decide the merits of the case, instead sending the case back to the Ninth Circuit for a new decision in light of Van Buren v. United States.
Final Thoughts
I found comfort in the Court arriving at this decision as it has been what felt right to me as we saw the case tread along. I’ve always seen this passage as a privilege escalation issue and was happy to see the Court take that stance.
The facts were pretty ugly and the Circuit split certainly made this case more interesting. Of course, the CFAA is hardly cutting edge in its sophistication but the Court gave us a pretty bright-line rule to avoid having employers draft their employees into cybercriminal activities with their computer use policies. I’m a little less comfortable with the LinkedIn case; however, I’m still not sure the current state of the CFAA is the proper way to deal with data scrapers on publicly accessible websites.
What are your thoughts on Van Buren? Did the Court get it right or wrong? What effect will this precedent have on the hiQ Labs v. LinkedIn case?