Van Buren Decision Provides (Some) Much-Needed Clarity Around Hacking Law

Blog Post
June 3, 2021

Today, the Supreme Court issued its opinion in Van Buren v. United States. At issue in the case was former Georgia police officer Nathan Van Buren’s conviction for violating the Computer Fraud and Abuse Act (CFAA) when he was caught taking money to run license plate numbers through law enforcement databases. Van Buren’s conviction wasn’t based on him hacking into the Georgia Crime Information Center (GCIC) database. Instead, he was convicted for using the access he already had as an officer to look up data for non-police purposes. Doing so was a violation of official policy.

In a 6-3 decision, the Court provided much-needed clarity around the definition of "exceeding authorized access" in the CFAA. In ruling that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him,” the Court made clear that courts must “take note of terms that carry ‘technical meaning[s].’” Adding that “‘Access’ is one such term, long carrying a ‘well established’ meaning in the ‘computational sense,’” the Court further agreed with arguments made by New America’s Open Technology Institute (OTI) and others in an amicus filing, finding that overbroad interpretations of access to a computer missed the law’s original intent of preventing computer break-ins and destruction of data and hardware. The majority found that such interpretations “would attach criminal penalties to a breathtaking amount of commonplace computer activity.”

The CFAA was originally written in the mid-1980s—before the invention of the web—to address fears surrounding computer crime. Despite a few updates over the years, the law was written for a fundamentally different internet. It contains a number of different sections, but broadly speaking it prohibits intentionally accessing a computer without authorization or in excess of authorization—think of someone using stolen account credentials or a security flaw to get into a computer. It seems clear Congress was thinking about certain kinds of crimes when it wrote the law. A House Judiciary Committee report accompanying the precursor 1984 legislation, which the CFAA updated in 1986, called the movie War Games a “realistic representation of the… access capabilities of the personal computer.” The threat Congress was addressing involved breaking into computer systems in order to alter, destroy, or otherwise make data inaccessible.

Van Buren's conviction for computer crimes under the CFAA was troubling not because a police officer selling his access to license plate data is okay, but because it is the wrong criminal charge for what he did. Interpreting the CFAA’s overly vague definition of “exceeding authorized access” to include violations of a system’s terms of service, without an actual break-in or intentional destruction of data or hardware, is not the sort of thing the CFAA, with its possible felony punishments, was meant for. It risks turning the CFAA into a mechanism for policing bad behavior on the internet. It could make things illegal simply because an employer or service provider decided someone broke the rules. Because Van Buren did not alter or destroy the data, the Court found that “his run of the license plate did not impair the ‘integrity or availability’ of data, nor did it otherwise harm the database system itself,” and therefore he couldn’t be liable for “damage” or “loss.”

In our amicus brief, OTI argued that such a risk will in turn create a chilling effect for those engaged in valuable security research. Observing a similar concern, an amicus brief filed by several security researchers noted that it is not uncommon for a researcher to break the written terms of service in the process of looking for security holes or data leaks, and that vague meanings of "authorized access" could turn the CFAA into a tool used to go after good-faith security researchers. An increased use of this interpretation of "authorized access" would most likely limit research to only those individuals and organizations with a stomach for legal risk. While the opinion does not mention the potential chilling effect on research, the Court's deference to technical definitions of words like “access” and its affirmation of the interpretation that “one either can or cannot access a computer system, and one either can or cannot access certain areas within the system” suggest that breaking technical access restrictions, rather than policy access restrictions, is the line for triggering a CFAA violation.

We agree with the Court that searching a database you have legitimate permission to access, but for an inappropriate reason, is different from, for instance, using stolen credentials to gain access to that same information. A non-digital analog to this would be someone in the HR department at your job going into the file room and looking at files they weren't supposed to see. This person may well have committed a fireable offense, but because they access the file room as part of their job, it wouldn't make sense to say that they were also criminally trespassing.

Clearly, what Van Buren was accused of doing is serious. His use of GCIC access was a violation of written department policies, as well as a violation of the basic public trust we put in law enforcement. It may even count as public corruption. But the existing laws and policies should be sufficient to hold Van Buren to account, without relying on non-technical interpretations of the CFAA's use of well-understood technical terms like “access” and without the risk of broadening those definitions to cover every website and most modern software products. As the majority decision points out, if the “‘exceeds authorized access’ clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.”

In deciding to place limits on the definition of authorized access, the Court has correctly determined that simply breaking the terms of service for a website or other digital platform—but not actually breaking in or destroying anything—is neither fraud nor abuse under the CFAA. While we had hoped, on behalf of security researchers, for greater clarity around what kinds of good-faith unauthorized access may be allowed, we are optimistic that this decision will give security researchers more confidence that breaking terms of service to find security holes in the software we use every day will not result in charges under the CFAA. By favoring well-established technical definitions, we also hope this decision will bring future CFAA enforcement closer to the law’s original intent of addressing computer break-ins and crime.
