Richard Newman Quoted by Cybersecurity Dive on Seminal Supreme Court Computer Fraud and Abuse Act Case

Van Buren v. US

On November 30, 2020, Cybersecurity Dive quoted Richard B. Newman about the upcoming oral arguments the Supreme Court will hear involving the Computer Fraud and Abuse Act.  The Supreme Court could determine what constitutes the limits of authorized computer access under the CFAA.

While Van Buren had authorized access to the data, the case questions if he abused his legal access by existing CFAA standards.

In past decisions, courts upheld “that disregarding the computer system owner’s restrictions” for an authorized user “is not sufficient to trigger the CFAA,” Mr. Newman stated.  “Those courts focus on more egregious actions, such as hacking.”

In Van Buren, what’s up for debate is the applicability of Section 1030(a)(2) in the CFAA and the difference between “without authorization” and “exceeds authorized access.”

“Think of the CFAA as a trespass statute. It can be enforced both criminally and civilly,” said Mr. Newman.

See the full article, “A cyber stakeholder’s guide to Van Buren v. US.”

Oral Argument

On November 30, 2020, the Supreme Court held oral argument in this case interpreting the “unauthorized access” provision of the Computer Fraud and Abuse Act.

The issue presented is: “Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.”

The defendant Van Buren argued that he is innocent because he accessed only databases that he was authorized to use, even though he did so for an inappropriate reason.  He contended that the CFAA was being interpreted too broadly and that such a precedent could subject individuals to criminal liability merely for violating corporate computer use policies.

During oral argument, Van Buren’s counsel suggested that such a wide interpretation of the CFAA was turning the statute into a “sweeping Internet police mandate” and that the Court shouldn’t construe a statute “simply on the assumption the government will use it responsibly.”

The Government countered that Van Buren’s misuse of access for personal gain was the type of “serious breaches of trust by insiders” that the statutory language is designed to cover.

The CFAA does not define “authorization” (courts have generally interpreted it to mean accessing a computer with sanction or permission), but the Act defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).

In the criminal context, circuit courts are split on how to interpret the “unauthorized access” or “exceeding authorized access” provisions with respect to accessing a database with an improper purpose or against posted policies.

Although it is a criminal case, the Supreme Court has the opportunity to clarify the meaning of “exceeds authorized access” under the CFAA and perhaps bring more legal certainty to “unauthorized access” claims advanced against entities engaged in unwanted data scraping.

During oral argument, there was an exchange between the Deputy Solicitor General arguing on behalf of the Government and Chief Justice Roberts that touched on what “authorization” means with respect to public websites:

CHIEF JUSTICE ROBERTS: Mr. Feigin, is your friend correct that everyone who violates a website’s terms of service or a workplace computer use policy is violating the CFAA?

FEIGIN: Absolutely not, Your Honor. […] First of all, on the public website, that is not a system that requires authorization. It’s not one that uses required credentials that reflect some specific individualized consideration.

JUSTICE ROBERTS: Okay. Then limit my — my question to any computer system where you have to, you know, log on.

FEIGIN: So, Your Honor, I don’t think all log – all systems that require you to log in would be authorization-based systems because what Congress was driving at here are inside –

JUSTICE ROBERTS: All right. Well, then every — every system that has a password.

FEIGIN: No, Your Honor, and let me explain why. What Congress was aiming at here were people who were specifically trusted, people akin to employees, the kind of person you — that had actually been specifically considered and individually authorized.

It will be interesting to see how the Supreme Court interprets “exceeding authorized access” and brings some clarity beyond the criminal context.

Cybersecurity Dive solicited Mr. Newman’s opinion about the issue because he has extensive experience in matters of Internet law and regulation.  Please contact Hinch Newman at 212-756-8777 if you have any questions regarding this matter or the applicability of the CFAA.

Richard B. Newman is an Internet law attorney at Hinch Newman LLP. 

Informational purposes only. Not legal advice. May be considered attorney advertising.
