A case that the Supreme Court handed down on Thursday, Van Buren v. United States, centers on the federal Computer Fraud and Abuse Act (CFAA) — a law so old it’s practically antediluvian by the standards of the tech industry.
Enacted in 1986, the law is intended to prevent individuals from accessing computer systems or individual files that they are not permitted to see — think of it as an anti-hacking law. But the law was also enacted more than three decades ago, long before the internet shifted much of human society to the virtual world. As such, many of its provisions weren’t exactly drafted with our modern, online society in mind.
The facts of Van Buren are fairly straightforward — although the case has very broad implications that stretch far beyond these facts. Nathan Van Buren, a former police sergeant, accepted a $5,000 bribe to search a law enforcement database to see if a particular license plate number belonged to an undercover cop, and then to reveal what he found to the person who bribed him.
At the time, Van Buren was working as a police officer and was allowed to search this database — although he obviously wasn’t supposed to use it to sell confidential police information for personal profit. The question in Van Buren was whether he violated a provision of the CFAA that makes it a crime “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The question of whether Van Buren can be prosecuted under this federal statute turns out to have profound implications. Imagine, for example, that the popular dating app Tinder requires its users to “provide only accurate information in their user profiles if they wish to access our service.”
If someone lies on their Tinder profile and claims they are two inches taller than their actual height, they’ve violated Tinder’s rules. And if they then read other Tinder users’ profiles, they’ve technically accessed information that they are not entitled to obtain. But should that really be a federal crime?
Indeed, Justice Amy Coney Barrett’s majority opinion, which holds that Van Buren did not violate the federal law when he accessed a law enforcement database for an improper purpose, lists a wide range of fairly ordinary activity that could become a crime if the CFAA is interpreted broadly — including “using a pseudonym on Facebook” or even sending a personal email from a work computer.
Barrett’s narrow construction prevents most, but not all, of these absurd results — as Justice Clarence Thomas points out in a dissenting opinion, Barrett’s interpretation of the CFAA could still lead to criminal charges against an employee who plays video games on their work computer.
But the Court’s 6-3 opinion in Van Buren, at the very least, prevents many prosecutions against individuals who commit minor transgressions online. As Barrett warns, the approach advocated by Thomas’s dissent could potentially lead to the conclusion that “millions of otherwise law-abiding citizens are criminals.”
The two opinions in Van Buren, briefly explained
Textualism, the belief that judges should interpret statutes primarily by looking at a law’s text, is fashionable among the kind of conservative judges that dominate the federal judiciary. So Justice Barrett devotes the bulk of her majority opinion to a close reading of the CFAA’s text.
This is, to be perfectly frank, the least convincing part of her opinion. It rests on a persnickety deep dive into the meaning of the word “so” that is so convoluted and difficult to summarize concisely that I won’t even attempt to do so here. (If you care to read this part of the Court’s decision, it starts at page five of Barrett’s opinion.)
Recall that the text in question makes it a crime for someone to access a computer they are allowed to access but then to “use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Barrett argues that this reference to information “that the accesser is not entitled so to obtain” refers only to information that the accesser cannot access for any purpose whatsoever.
Think of it this way. Suppose that Vox Media intentionally gives me access to a server that contains confidential information about our business plans and our strategy to woo advertisers. Now suppose that I access this information and sell it to a competitor. Under the majority’s approach in Van Buren, I have not violated the CFAA (although I would no doubt be fired for such a transgression), because Vox Media permitted me to access this information on its own server.
Now suppose that I log in to this Vox Media server and hack into files that the company does not permit me to see no matter what — maybe I decide to read the CEO’s emails. Under Van Buren, such a hack would violate the CFAA because I am accessing information that I am “not entitled so to obtain” under any circumstances.
Justice Thomas’s dissent, for its part, argues for a much more expansive reading of the CFAA. As he notes, many laws punish “those who exceed the scope of consent when using property that belongs to others.” Thus, a valet “may take possession of a person’s car to park it, but he cannot take it for a joyride.” Or an “employee who is entitled to pull the alarm in the event of a fire is not entitled to pull it for some other purpose, such as to delay a meeting for which he is unprepared.”
Thomas is, of course, correct that many laws do sanction individuals who use someone else’s property in a way that the property owner did not consent to. But the question in Van Buren is not whether property laws typically forbid individuals from using someone else’s property in unexpected ways. The question is what the CFAA prohibits. So Thomas’s decision to focus on laws other than the CFAA is more than a little odd.
That said, lower court judges have split between these two possible readings of the CFAA. Neither Barrett nor Thomas makes a slam-dunk case for their reading of the law because the CFAA isn’t a well-drafted statute. So reasonable judges can disagree about the best way to read its naked text.
So what’s really at stake in this case?
While textualism can’t really answer the question of how to read the CFAA, there are profound practical reasons to prefer Barrett’s approach to Thomas’s. If federal law makes it a crime to access any digitalized information in a way the owner of that information forbids, then, in Barrett’s words, “millions of otherwise law-abiding citizens are criminals.”
Facebook’s terms of service, for example, require its users to “create only one account.” Thus, if someone creates two Facebook accounts and uses both of them to search for information on Facebook’s website, they have technically accessed information that they are not entitled to under Facebook’s terms of service.
And, under Thomas’s reading of the CFAA, they have potentially committed a federal crime.
Similarly, Facebook also expects users to “use the same name that you use in everyday life.” So, if a person who uses the name “Jim” in their everyday interactions signs up for Facebook using the name “James,” they could also potentially be prosecuted under a broad reading of the CFAA.
Or what if a website imposes truly bizarre terms of service on users? In an amicus brief submitted in Van Buren, Berkeley law professor Orin Kerr imagines what would happen if a website’s terms of service forbade people with the middle name “Ralph” from accessing the site, or people who have visited the state of Alaska.
“Any computer owner or operator is free to say that no one can visit his website who has been to Alaska,” Kerr writes, “but backing up that wish with federal criminal law delegates the extraordinary power of the criminal sanction to a computer owner’s whim.” And yet, under the broad reading of the CFAA, people who have traveled to Alaska could potentially face criminal sanctions.
It’s worth noting that the majority opinion in Van Buren does not foreclose every possibility that someone will be prosecuted for a trivial transgression.
Recall that, under Barrett’s approach, the CFAA is violated if someone accesses a computer file, and the owner of that file does not permit them to access it for any purpose. In his dissenting opinion, Thomas warns of an employee who “plays a round of solitaire” on their work computer if their employer “categorically prohibits accessing the ‘games’ folder in Windows.” Such an employee could potentially face criminal charges under the majority’s interpretation of the CFAA.
But while Van Buren won’t protect all computer users from extremely overzealous prosecutors, Barrett’s opinion does prevent some of the more absurd outcomes that Kerr and others warned about in their briefs.
Ideally, Congress would update the 35-year-old Computer Fraud and Abuse Act to make sure that minor transgressions — the sort that are best addressed by company human resources departments and not by federal prosecutors — do not lead to criminal charges. But the United States Congress isn’t exactly a fully functional body right now.
And so, in the absence of a working legislature, Barrett’s opinion provides some relief to anyone who is afraid they might be arrested for not being entirely honest on their Tinder profile.