by Will Cooper
You may want to start paying more attention to the terms of service that govern our increasingly computerized lives. The U.S. Supreme Court will soon decide whether someone who is authorized to use a computer to access information for some purpose, but does so for a different purpose, commits a federal crime. During the Court’s summer break, lawyers in Van Buren v. United States were busy briefing the scope of 18 U.S.C. § 1030(a)(2)(C)’s prohibition on “exceed[ing] unauthorized access, and thereby obtain[ing] information” from a computer. Van Buren, which will be argued on November 30, could affect millions of computer users. But no matter how it comes out, Californians will continue to face similar uncertainty under the state’s Penal Code section 502.
What’s at Stake
Section 1030, heavily amended by the Computer Fraud and Abuse Act of 1986 (“CFAA”), makes it a crime to “intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain . . . information from any protected computer.” Federal courts disagree whether the “exceeds authorized access” prong covers a computer user who is authorized to access information for some purpose but accesses the same information for a different purpose. The first appellate courts to weigh in—the First, Fifth, Seventh, and Eleventh Circuits—said yes.[1] More recently, the Second, Fourth, and Ninth Circuits said no.[2]
The issue is important because millions of Americans routinely use computer devices and applications pursuant to terms of service or other rules limiting the purposes for which information can be accessed. If your employer gives you a laptop and makes you sign an Acceptable Use Policy, which you violate by checking personal email or filling out a March Madness bracket, have you committed a crime? What if a student uses a university-provided computer to shop online during a lecture? Or if an employee creates a fake social media account for research purposes? Each of these examples theoretically implicates the circuit split that the Supreme Court will resolve in Van Buren—which is now fully briefed.
The Parties’ Arguments
Van Buren, a police officer convicted of running license-plate numbers for personal financial gain, advocates the narrower view of the statute. He argues that the CFAA covers only persons who have “no right at all” to access information—“outside hackers” (who have no authorization whatsoever to access a computer) and “inside hackers” (who have some right to access a computer but access data they are never entitled to obtain). Textually, Van Buren stresses that the statutory definition of “exceeds authorized access” refers to information that “the accesser is not entitled” to obtain or alter. He also points to legislative history focusing on computer hackers. And perhaps most strongly, he warns that a broad interpretation would expose millions of ordinary Americans to unpredictable liability, raising a host of constitutional issues. Van Buren is supported by amici groups who advocate narrow construction of criminal laws (e.g., the ACLU and the National Association of Criminal Defense Lawyers) and by others, including journalists (who express concern for whistleblowers) and technology companies (who sometimes use “bug bounty programs” to identify security issues through research that technically violates terms of service).
The United States argues for the broader view that § 1030(a)(2)(C) covers persons who had no “right to access computer information in the circumstances in which [they] did.” Textually, the government stresses the “so” in the definition “not entitled so to obtain or alter”—which it argues refers to the “manner or purpose” of access. The United States also cites legislative history suggesting application to non-hackers, including statements during legislative hearings about conduct similar to Van Buren’s. The government further appeals to common-law principles, including that a person can commit theft by using another’s property “in a manner beyond his authority.” Finally, the United States brushes aside Van Buren’s overcriminalization concerns as addressed by separate statutory limitations and insufficient to overcome the text in any event. The government’s amici include a law-enforcement organization and industry groups who argue that a broad interpretation is necessary to deter privacy threats from employees and other insiders.
In his just-filed reply, Van Buren returns to his argument that the CFAA is a hacking statute and stresses the broad range of conduct that could be criminalized under the broader view. He argues that “so” in the statutory definition merely refers to unauthorized access previously described in the statute, and does not “incorporate into the CFAA access or use conditions that are external,” such as terms of service. He also minimizes the legislative history as ambiguous and argues that the government’s cited common-law principles are irrelevant because no statutory language suggests they apply.
Continued Uncertainty in California?
Whatever the Supreme Court decides in Van Buren, uncertainty over the scope of a similar law will continue in California. California Penal Code section 502 prohibits “knowingly and without permission” accessing or taking certain actions on a computer. The California Supreme Court has not construed that statute, and the intermediate appellate courts are split on its scope. One decision held that section 502 did not apply to a police officer who (like Van Buren) used police resources to gather information for an improper purpose, reasoning that section 502 criminalizes only hacking.[3] But six years later, a different court reasoned that the statute applies “beyond external hacking” and “encompass[es] employee misconduct.”[4] Interestingly, despite its place on the pro-defendant side of the CFAA split, the Ninth Circuit has endorsed the more expansive view of section 502. [5] So even after Van Buren settles the scope of the CFAA, the scope of liability under California’s analogous statute will remain uncertain and potentially quite broad.
[1] See, e.g., United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).
[2] United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc); WEC Car. Energy Sols., LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); United States v. Valle, 807 F.3d 508 (2d Cir. 2015).
[3] See Chrisman v. City of Los Angeles, 155 Cal. App. 4th 29, 34-35 (2007).
[4] See People v. Childs, 220 Cal. App. 4th 1079, 1099-1106 (2013).
[5] United States v. Christensen, 828 F.3d 763, 788-89 (9th Cir. 2015).