by Rachel Sang*
The Computer Fraud and Abuse Act (“CFAA”), enacted in 1986, is a federal law that proscribes certain behavior involving unauthorized access to computers. Over time, a circuit split developed regarding the meaning of the CFAA’s “Access Provision.” The Supreme Court resolved this circuit split in its recent decision Van Buren v. United States. In this Contribution, Rachel Sang (’22) argues that although both the majority opinion and the dissent in Van Buren provide convincing textual interpretations of the statute, policy considerations, the rule of lenity, and constitutional concerns weigh in favor of the majority’s construction of the CFAA.
The Computer Fraud and Abuse Act (“CFAA”) imposes liability on anyone who accesses a computer “without authorization” or who “exceeds authorized access.”1 Those who violate the CFAA can incur both civil and criminal liability. While the meaning of “without authorization” is not controversial, what it means to “exceed authorized access” has been a point of contention among circuit courts.2 The term “exceeds authorized access” (the “Access Provision”) appears in the CFAA in section 1030(a)(2), where the statute prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access . . . .”3 The Access Provision is also included in section 1030(a)(4), where it prohibits “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct furthers [an] intended fraud . . . .”4 Section 1030(e)(6) goes on to define the Access Provision:
The term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser [sic] is not entitled so to obtain or alter.5
Before the Supreme Court had interpreted the meaning of the Access Provision, circuit courts interpreted the provision and its accompanying definition in two main ways. On one side, some circuit courts construed the phrase narrowly: that the Access Provision only applied to people who accessed a part of a computer that they were never authorized to access.6 On the other hand, other circuit courts interpreted the Access Provision more broadly to proscribe situations in which a person was authorized to access certain information but then used that information for an improper purpose.7 The main difference between the two interpretations is that a broad interpretation—one that proscribes the misuse of computer access—embraces the view that an individual’s right to access a computer is an entitlement that can be limited by the manner in which they access that information, including how they ultimately use it; whereas a narrow interpretation views entitlement to access as a binary matter that does not implicate an analysis of authorized use or purpose.
Prior to the Supreme Court’s decision in Van Buren, circuit courts relied on textual evidence, extratextual evidence, and canons of statutory construction to determine their interpretation. As the Court acknowledged in Van Buren, a broader interpretation of the Access Provision has far-reaching consequences, because it creates criminal liability for any misuse of computer access—including seemingly innocuous and common activities such as checking one’s personal email on an employer-owned computer.8 Ultimately, this Contribution argues that the narrow interpretation adopted by the Supreme Court in the Van Buren decision was the correct interpretation from a policy perspective and that canons of statutory interpretation also better support the majority’s conclusion.
The petitioner in Van Buren was a police officer who was charged with exceeding authorized access under the CFAA because he had used his access to a law enforcement database to run a license plate search in exchange for money.9 The question for the Supreme Court was whether Van Buren had indeed “exceed[ed] authorized access” as defined by the CFAA because he was authorized to access the database, but not for that illegitimate purpose. The majority opinion in Van Buren, written by Justice Amy Coney Barrett, and the dissent, written by Justice Clarence Thomas, differed in their interpretations of both the text of the CFAA and the statute’s legislative history.
The textual analysis of both opinions focused on the definition of “exceeds authorized access” as set forth in 18 U.S.C. § 1030(e)(6). The majority opinion focused on the word “so” in the phrase “information in the computer that the accesser [sic] is not entitled so to obtain or alter.”10 The majority endorsed the Fourth and Ninth Circuits’ reasoning that the word “so” operated as a reference to an earlier part of the definition: the words “access a computer with authorization.”11 Under this interpretation, the phrase “exceeds authorized access” solely applies to “inside hackers”—i.e., people who were authorized to access a portion of a computer or its files, but then accessed other portions or files that they were not authorized to access.12 For example, an employee would “exceed authorized access” by using a computer (which they were allowed to use) to obtain information in a particular folder that they were not authorized to open. This “inside hacker” interpretation of the statute limits liability under the CFAA to the specific circumstance in which someone does have authorized access to a computer but is not authorized to obtain all information contained within it. This interpretation leads to a narrower construction of the statute, meaning that the CFAA would not apply to situations in which a person improperly used information that they were otherwise authorized to access. It also avoids the concern of broad liability that would potentially criminalize common behavior, such as violating an employer’s computer use policy to check personal websites.
Justice Thomas’s dissent agreed that “so” operated as a referent to the “means identified earlier in the definition,” meaning that section 1030(e)(6) applies when someone obtains information from a computer and that person is not authorized to access the computer.13 However, the dissent diverged from the majority by focusing more heavily on the word “entitled” in the statute, stating that: “A person is entitled to do something only if he has a ‘right’ to do it.”14 Justice Thomas argued that in order for entitlement to exist, the “condition precedent” of a proper or authorized purpose had to be satisfied, regardless of whether the user was authorized to access the computer in general.15 Therefore, if a person is forbidden from using information for a particular purpose but does so anyway, that behavior should fall within the scope of the CFAA. Under this interpretation, the petitioner in Van Buren—a police officer who improperly used his access to a law enforcement database for personal gain—would be liable under the CFAA, but so too could a common misuser of a work computer who uses it to check their personal email.
Beyond the interpretation of the statute’s text, there are also differing views on how the legislative history of the CFAA further informs the scope of the statute. An earlier version of the statute from 1984 included language that held liable a person who is authorized to access a computer but who “uses the opportunity such access provides for purposes to which such authorization does not extend,” and then obtains or interferes with specified kinds of sensitive information.16 When the statute was amended in 1986, this purpose-oriented language was replaced with the current definition, which does not include the word “purpose” and instead says “to use such access to obtain or alter information in the computer that the accesser [sic] is not entitled so to obtain or alter.”17 Some courts have interpreted the replacement of the word “purpose” with new language as evidence that Congress intended to eliminate the misuse of information as a standalone violation of the CFAA.18 This reasoning was then adopted by the majority opinion in Van Buren.19
Conversely, Justice Thomas’s dissent viewed the current wording of “entitlement” as even broader than the previous language, encompassing both improper use as well as improper access to a computer based on time or location.20 Justice Thomas argues that requiring a user to be “entitled” means that the improper use of information, as well as other kinds of unauthorized behavior, would be a violation of the CFAA.
While both the majority opinion and dissent in Van Buren provide convincing dissections of the text of the CFAA, the plain meaning of the phrase “entitled so to alter” remains elusive. It is not clear whether an “appropriately informed”21 English speaker reading the statutory definition would interpret it as entitlement to access a computer in general, or entitlement to use one’s access for a particular purpose. The fact that several circuit courts disagreed on the textual interpretation prior to Van Buren demonstrates that the text of the Access Provision is less than clear and is susceptible to more than one reasonable interpretation. As such, it is difficult to say whether Justice Barrett’s laser focus on the word “so” or Justice Thomas’s constrained interpretation of “entitled” is a more “natural” interpretation of the language, given that the wording of section 1030(e)(6) is itself quite unnatural and confusing.
There is no clear winner of the legislative history argument, either. The majority opinion highlights the fact that the word “purpose” was removed by the 1986 amendment, and it noted that “[w]hen Congress amends legislation, courts must presume it intends the change to have real and substantial effect.”22 This is a strong argument in favor of eliminating improper use of access from the scope of the CFAA. Yet, the dissent’s argument that the shift from “purpose” to general “entitlement” expands rather than narrows the statute’s scope is perhaps equally valid. Hypothetically, an employee could be authorized to access a database only during certain hours or while in a location that has secure internet connection, and perhaps Congress’ shift to the “entitlement” language was intended encompass those types of restrictions, as well.23
Because both the broad and narrow interpretation seem plausible based on the text and the legislative history, other canons of construction can be used to resolve the ambiguity: the rule of lenity and the canon of constitutional avoidance. The majority describes these arguments as “extra icing on a cake already frosted” since it argues that the “text, context, and structure” already support a narrower reading.24 However, setting aside the majority’s preference for its own textual reading of the statute, the rule of lenity and constitutional avoidance do become relevant when the statute and its history leave it susceptible to more than one reasonable interpretation.25 Because there are valid arguments for both the broad and narrow textual interpretation of the CFAA, the rule of lenity and canon of constitutional avoidance should not be relegated to the redundant role of “icing on the already frosted cake.” Rather, these canons are crucial tools in choosing between two plausible readings of the statute, and they are the reason why the Van Buren majority’s ultimate conclusion—a narrow reading of the CFAA—correctly prevailed.
With regards to the rule of lenity, the Court has previously established that “when [a] choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.”26 Because violations of the CFAA can be charged as crimes, Congress must be “clear and definite” in defining what exactly it means to “exceed authorized access.” However, the relevant definitional section of the statute lacks clarity. Since there are two reasonable alternative meanings to the Access Provision, the narrow construction—which would criminalize fewer types of behavior—should be chosen. The rule of lenity therefore weighs in favor of the “inside hacker” theory of the statute that proscribes a narrower subset of conduct, instead of criminalizing any and all misuse of computer access, no matter how insignificant.
A broad interpretation of the Access Provision also implicates the canon of constitutional avoidance. As the Court stated in Clark v. Martinez, when there are “two plausible statutory constructions . . . . and one of them would raise a multitude of constitutional problems, the other should prevail.”27 By reading the statute to cover any misuse of computer access, the actions of thousands (if not millions) of Americans would become violations of the CFAA, with the potential for criminal penalties. The Court in Kozminski explained that when an unclear statute is interpreted broadly to cover a “broad range of day-to-day activity,” various constitutional issues arise because it would inevitably mean that not all violations could be prosecuted.28 One constitutional issue is that the statute then delegates authority to determine which actions are “morally reprehensible” enough to be punished from the legislature to prosecutors and juries, in contravention of the private nondelegation doctrine.29 A second constitutional issue implicated by such a statute is that it would “subject individuals to the risk of arbitrary or discriminatory prosecution and conviction.”30 This would render the statute void for vagueness.31 Because this type of criminalization runs the risk of unconstitutionality on multiple fronts, the canon of constitutional avoidance controls its interpretation. Since the statute is equally susceptible to either interpretation, the canon requires that the unclear language of the Access Provision be interpreted in a narrower way to avoid these constitutional concerns.
Sandvig v. Sessions provides an example of how constitutional avoidance should be applied in the context of the CFAA.32 In this case, the district court evaluated the arguments of researchers who sought to create fake profiles, or “bots,” to assess whether websites were discriminating on the basis of race, gender, or other factors.33 The researchers contended that under a broad conception of the CFAA, their work would be considered a violation of the statute because many websites’ Terms of Service prohibit the use of fake profiles or bots.34 The court decided in favor of a narrower “inside hacker” interpretation of the CFAA, meaning that simply violating a website’s Terms of Service would not put those researchers at risk of liability under the CFAA.35 The court also conceded that a “broader reading is not entirely implausible.”36 However, because there was more than one plausible meaning, the Sandvig Court correctly took the additional step of applying the canon of constitutional avoidance and inquired “whether one reading ‘presents significant risk that [constitutional provisions] will be infringed.’”37
In its constitutional analysis, the Sandvig Court cited Kozminski and noted that a purpose-based interpretation would criminalize a “broad range of day-to-day activity.”38 This would, in turn, “delegate to prosecutors and juries the inherently legislative task of determining what type of . . . activities are so morally reprehensible that they should be punished as crimes.”39 Allowing prosecutors and juries to make those decisions implicates the Fifth Amendment, as it would risk “arbitrary or discriminatory prosecution or conviction.”40 If the statute did prohibit using computer access for any unauthorized purpose, it would be unconstitutionally vague because it does not specify what kind of misuse can and should be charged as a crime. Should the government decline to charge the many people who likely check their personal emails at work in violation of their employers’ policies, but then bring charges against people who create research “bots” in violation of a website’s Terms of Service? Without legislative direction as to what types of use-based violations are “reprehensible enough,” there is too much discretion in the hands of prosecutors to make those moral decisions.
A concern with adopting a narrow interpretation of the CFAA is that people like the officer in Van Buren, who misuse or misappropriate their access to information, will not face consequences. However, this concern is mitigated by the fact that other areas of law provide remedies for those aggrieved by people who misuse their computer access. For example, businesses can rely on contract law to protect them when their employees violate a term of their employment.41 The government can also bring enforcement actions against those who misuse certain types of information under statutes such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).42 The fact that any misuse of computer information is not, on its own, covered by the CFAA does not necessarily mean that all such misconduct will go unaddressed. A limited application of the CFAA still allows for other applicable law to provide remedies, while also avoiding widespread criminal liability without the requisite clarity from Congress.
Because large swaths of commonplace behavior would become criminalized under a broad interpretation of the CFAA’s Access Provision, the Supreme Court made the correct policy decision in Van Buren to construe the statute narrowly. While reaching the correct decision, the majority undervalued interpretive tools, namely the rule of lenity and canon of constitutional avoidance, that could have further supported its ultimate decision. Although the majority opinion viewed the wording and legislative history of the CFAA as definitively in favor of a narrow interpretation, the plain meaning of the statute is not as clear-cut as the majority characterized it. Justice Barrett’s portrayal of the rule of lenity and canon of constitutional avoidance as “icing on a cake already frosted” lessens the credibility of the Court’s analysis of the statute.43 Nevertheless, a thorough analysis of those canons still supports the majority’s ultimate conclusion: a narrow, more limited application of the CFAA that does not criminalize any and all misuse of computer access.
* Rachel Sang is a J.D. Candidate (2022) at New York University School of Law. This piece is a commentary on the problem at the 2021 Cybersecurity Moot Court Competition hosted by UCLA School of Law. The question presented was whether a person is liable under Computer Fraud and Abuse Act for using their computer access for an improper purpose. This Contribution is an analysis of the Supreme Court decision that recently resolved the circuit split on the issue in June 2021.
1. 18 U.S.C. § 1030(a)(1), (2), (4).
2. See infra notes 6 and 7.
3. 18 U.S.C. § 1030(a)(2).
4. Id. § 1030(a)(4).
5. Id. § 1030(e)(6).
6. See, e.g., WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012) (holding that one “exceeds authorized access” when a person “accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access”); United States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012) (finding a narrower interpretation of the Access Provision to be “more plausible”); United States v. Valle, 807 F.3d 508, 528 (2d Cir. 2015) (refusing to extend the Access Provision to misappropriation of information on grounds of lenity).
7. See, e.g., United States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (finding that a former bank employee who used her access to obtain sensitive and confidential information of bank consumers “exceeded authorized access” because “she was not authorized to access that information for any and all purposes but for limited purposes”), abrogated by Van Buren v. United States, 141 S. Ct. 1648 (2021); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (affirming the conviction of a former employee of the Social Security Administration who violated the CFAA by using his access to personal identifying information for nonbusiness purposes), abrogated by Van Buren v. United States, 141 S. Ct. 1648 (2021); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006) (finding that an employee could have violated the CFAA by erasing all data on a computer lent to him by the employer when he did so for an unauthorized purpose), abrogated by Van Buren v. United States, 141 S. Ct. 1648 (2021); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583 (1st Cir. 2001) (including improper use of access in the meaning of the CFAA and stating that “use—and, indeed, abuse—of proprietary information . . . goes beyond any authorized use of [the plaintiff’s] website”), abrogated by Van Buren v. United States, 141 S. Ct. 1648 (2021).
8. Van Buren, 141 S. Ct. at 1662.
9. Id. at 1649.
10. 18 U.S.C. § 1030(e)(6) (emphasis added).
11. Van Buren, 141 S. Ct. at 1655 (“Van Buren’s account of ‘so’—namely, that ‘so’ references the previously stated ‘manner or circumstance’ in the text of § 1030(e)(6) itself—is more plausible than the Government’s.”); see also Nosal, 676 F.3d at 858 (discussing ways that the word “so” could refer to unauthorized access and not unauthorized use); WEC Carolina Energy, 687 F.3d at 205 (agreeing with the Ninth Circuit’s reasoning that the word “‘so’ referred to the means of obtaining information, not the use of information”).
12. See, e.g., Nosal, 676 F.3d at 858 (finding that under the narrow interpretation, “‘without authorization’ would apply to outside hackers (individuals who have no authorized access to the computer at all) and ‘exceeds authorized access’ would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files)”).
13. Van Buren, 141 S. Ct. at 1663 (Thomas, J., dissenting).
14. Id. (quoting Black’s Law Dictionary 477 (5th ed. 1979)).
15. Id. at. 1664.
16. Comprehensive Crime and Control Act of 1984, Pub. L. No. 98–473, 98 Stat. 1837, 2190–91 (emphasis added).
17. Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474, 100 Stat. 1213, 1213–1215.
18. See, e.g., Sandvig v. Sessions, 315 F. Supp. 3d 1, 25 (D.D.C. 2018) (“[I]t is notable that Congress did not simply transpose the existing, purpose-oriented language into the definition section—which still would have simplified the language of § 1030(a), as desired—but instead replaced it with new language that focuses on authorization to access particular information.”); United States v. Nosal, 676 F.3d at 858 n.5 (noting that the purpose-oriented language from the 1984 version of the statute “was removed and replaced by the current phrase and definition,” and stating that “[w]ere there any need to rely on legislative history, it would seem to support” an inside-hacker position rather than a purpose-based interpretation).
19. Van Buren, 141 S. Ct. at 1661 (“Congress’ choice to remove the statute’s reference to purpose cuts against reading the statute to capture that very concept.” (internal quotation marks omitted) (citation omitted)).
20. Id. at 1668 (Thomas, J., dissenting) (“By replacing the specific,
limited term ‘purposes’ with the broader, more general phrase ‘not entitled,’ Congress gave force to . . . other kinds of constraints.”).
21. See id. at 1657 (Barrett, J.) (quoting Caleb Nelson, What is Textualism?, 91 Va. L. Rev. 347, 354 (2005)) (arguing that a narrower reading of the statute is consistent with the way an “appropriately informed” speaker of the language would understand the Access Provision).
22. Id. at 1660 (quoting Ross v. Blake, 578 U.S. 632, 641–42 (2016)).
23. Id. at 1666 (Thomas, J., dissenting) (providing a hypothetical in which an employee is instructed not to access a computer while in a country where the network connection is not secure).
24. Id. at 1661 (Barrett, J.) (quoting Yates v. United States, 574 U.S. 528, 557 (2015) (Kagan, J., dissenting)).
25. See United States v. Kozminski, 487 U.S. 931, 952 (1988) (applying the “time-honored interpretive guideline that uncertainty concerning the ambit of criminal statutes should be resolved in favor of lenity” (citations omitted)); cf. Clark v. Martinez, 543 U.S. 371, 385 (2005) (“The canon of constitutional avoidance comes into play only when, after the application of ordinary textual analysis, the statute is found to be susceptible of more than one construction; and the canon functions as a means of choosing between them.” (citations omitted)).
26. United States v. Universal C. I. T. Credit Corp., 344 U.S. 218, 221–22 (1952).
27. 543 U.S. at 380–81.
28. Kozminski, 487 U.S. at 949.
29. Id.; see also Carter v. Carter Coal Co., 298 U.S. 238, 311 (1936) (explaining that a statute which confers legislative authority to private parties is unconstitutional because it violates the Due Process Clause of the Fifth Amendment).
30. Kozminski, 487 U.S. 931 at 949.
31. Johnson v. United States, 576 U.S. 591, 595 (2015) (explaining that a statute violates the Fifth Amendment and is unconstitutionally vague if it “fails to give ordinary people fair notice of the conduct it punishes, or [is] so standardless that it invites arbitrary enforcement”).
32. 315 F. Supp. 3d 1 (D.D.C. 2018).
33. Id. at 9.
34. Id. at 10.
35. Id. at 23–24.
36. Id. at 25.
37. Id. (quoting NLRB v. Catholic Bishop of Chicago, 440 U.S. 490, 502 (1979)).
38. Id. (quoting United States v. Kozminski, 487 U.S. 931, 949 (1988)).
39. Kozminski, 487 U.S. at 949.
40. Sandvig, 315 F. Supp. 3d at 25 (quoting Kozminski, 487 U.S. at 949).
41. See WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 207 (4th Cir. 2012) (noting that imputing criminal liability to employees who “disregard a use policy” is “unnecessary, given that other legal remedies exist for these grievances”); id. at n.4 (“[N]ine other state-law causes of action potentially provide relief, including conversion, tortious interference with contractual relations, civil conspiracy, and misappropriation of trade secrets.”).
42. See, e.g., Health Insurance Portability and Accountability Act, 42 U.S.C. § 1320d-6; Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g.
43. Van Buren v. United States, 141 S. Ct. at 1661 (quoting Yates v. United States, 574 U.S. 528, 557 (2015) (Kagan, J., dissenting)).