The Computer Fraud and Abuse Act After Van Buren
Professor of Law, Georgetown University Law Center
Paul Ohm[*]
In Van Buren v. United States,[2] the U.S. Supreme Court at long last waded into a decade-plus-old circuit split it had previously declined to take up. The dispute focused on a core definition at the heart of the Computer Fraud and Abuse Act (CFAA), a federal law criminalizing certain acts by so-called computer hackers.[3] Originally enacted in 1984, the CFAA is without a doubt the most important federal law outlawing hacking, viruses, and ransomware, making it a key weapon in our national arsenal for protecting cybersecurity. The breadth and open-textured language of the law, as well as the fact that it provides civil liability in addition to criminal penalties, has unfortunately also made it a tool for interfering with business competitors, squelching journalists, impeding researchers, and silencing whistleblowers, meaning the ongoing uncertainty created by the circuit split had put a cloud over vital speech, research, and competition online.
The Court brought some clarity to the confusion but stopped short of completely resolving the circuit split. In a 6‒3 opinion authored by Justice Amy Coney Barrett, the Court held that an employee who has been given access to a computer system by an employer does not violate the CFAA—in the parlance of the statute, they do not “exceed[] authorized access”—when they access the computer system for a purpose prohibited by an employment policy.[4] A human resources manual alone does not a criminal computer hacker make, the opinion clarifies. Instead, an employer needs to close a metaphorical “gate” on the area of the computer it wants to declare off-limits to a particular user before the CFAA will have anything to say about the conduct.[5]
Quite importantly, the Court has erased one common path to CFAA liability: purpose-based restrictions. Many courts have found CFAA liability and criminal culpability when employees or computer users have taken steps they were authorized to take by their computers’ operators but for prohibited purposes.[6] In these cases, the CFAA would in essence turn on the thought an individual was thinking when they clicked a mouse button or typed on the keyboard. No longer. Despite protests to the contrary from the government and the dissent, the Court has made clear that purpose-based restrictions do not fit within the meaning of the statute, implicitly overruling many lower court opinions and ridding the statute of one of its most problematic features.[7]
The opinion stopped short of embracing what some amici and scholars had long urged, a more complete so-called “code-based” interpretation of “exceeds authorized access,” under which the CFAA prohibits only activity that circumvents a technological measure such as a password.[8] Lingering uncertainty remains about whether non-code-based methods for restricting access, such as cease-and-desist letters or terms-of-service restrictions, can close a CFAA gate.
The Court’s refusal to limit the statute to code has frustrated some CFAA-watchers, particularly those who advise journalists and academic researchers about their research methods and worry that the ongoing uncertainty chills important speech and conduct online. As one who routinely engages in these kinds of methods (and has taught scores of students to do the same), I understand these concerns but find less to worry about after Van Buren. The reasoning of the opinion suggests that the Court’s gate metaphor will be read narrowly, and lower courts are likely to read Van Buren to rule out problematic examples of CFAA liability triggered by terms of service, for example.
Although Van Buren answers many questions about the CFAA, several remain. One is, does an operator of a publicly accessible computer, such as a website, trigger CFAA liability by sending a cease-and-desist letter to a user engaging in unwelcome conduct instructing them to stop? Many scholars, advocates, and amici decry this possibility, but I offer a novel defense of it, out-of-step with the weight of the commentary: We shouldn’t limit the CFAA to code-based measures alone, lest we unwittingly embrace an unhealthy libertarian misconception about the nature of code, one that treats software like a naturally occurring phenomenon, entitling it to special treatment under the law. If the CFAA gives legal force to passwords, as the code-based approach would allow, it should give the same legal force to cease-and-desist letters, if only we can see past the libertarian fallacy.
The rest of this essay proceeds in three parts. Part I summarizes the Van Buren case and opinion. Part II predicts how Van Buren will be used by the lower courts, explaining the longstanding debates the opinion has resolved and the others that remain unanswered. Finally, Part III will look beyond Van Buren, considering the problematic libertarian argument embedded in the code-based theory and offering proposals for Congress to amend the CFAA after Van Buren.
I. The Opinion
The Court ruled 6‒3 in favor of a criminal defendant, a former police sergeant in Georgia named Nathan Van Buren, who had been convicted by a jury of violating a provision of the CFAA by “exceed[ing] authorized access” to a computer system.[9] Van Buren violated the statute, according to federal prosecutors, when he searched through a police database for the identity of the person connected to a license plate. Although his employer had granted him the ability to search through this database, by policy it had prohibited access for “an improper purpose.”[10] Rather than engaging in official police business, Van Buren had conducted the search at the request of a notorious local figure, a person Van Buren had been warned to avoid, and one whom Van Buren did not know was working with the police to see how far Van Buren would go.[11] This confidential informant had asked Van Buren to find out if the owner of the fictitious license plate was an undercover cop, imbuing the request with a whiff of potential violence that any law-abiding police officer would have recoiled against. The record established that Van Buren had been trained about the computer-use policy and “therefore knew that the search breached” his employer’s rules due to his improper purpose.[12]
By taking this case, the Court waded into a two-decades-plus running interpretative puzzle at the heart of the CFAA: the meaning of the phrase “exceeds authorized access.”[13] In many CFAA cases, there is no doubt that the defendant acts “without authorization,”[14] for example, in the paradigmatic case of an identity thief who steals a password and then uses it to access information or a system he otherwise is not entitled to access. Much more controversial have been cases committed by insiders, faithless employees, or other people entitled by policy, contract, or terms of service to use a system for some purposes but not for others. These users cannot be said to be “without authorization,”[15] so their legal fate turns on whether they have acted in excess of authorized access. Often the line between criminal and non-criminal behavior has been drawn by an employment policy like the one in Van Buren, instead of a technological barrier like a password. In recent years, the circuit courts had split in cases like these, with the Second, Fourth, and Ninth Circuits holding that an employment policy is not enough for CFAA liability or culpability; and the Fifth, Seventh, and Eleventh Circuits holding, to the contrary, that the violation of an employee policy could a CFAA violator make.[16]
Writing for a six-justice majority, Justice Barrett held that the police department’s employment policy alone was not enough to find that Van Buren had exceeded his authorized access by searching for a license plate for an improper purpose. The opinion turned primarily on a detailed (I’d go so far as to say tedious) textualist discussion of the phrase “entitled so to” access within the definition of “exceeds authorized access.”[17] The government had argued that the word “so” should decide the case in its favor. Although Van Buren was “entitled” to access this database for some purposes, the access in question was not one he was “entitled so” to access, given his improper purpose, it argued. The majority refused to read “so” that expansively, finding instead that the “so” in the definition ought to refer back to some other part of the statutory text.[18] Moving beyond the text, the majority found support for its interpretation in the structure and legislative history of the act, rebuffing various arguments from the government and dissent, authored by Justice Clarence Thomas.[19]
The opinion thus resolves at least part of the circuit split, announcing that an employment policy prohibiting the use of a system for limited purposes is not enough to criminalize an employee’s use of a system to which they have been granted access for other purposes and implicitly overruling opinions that held to the contrary.[20] Given the large number of CFAA cases that have centered on employees, this holding brings welcome clarity to the statute.[21]
II. Extending the Van Buren Reasoning
CFAA watchers hoping for a decisive end to the confusion about “exceeds authorized access” have concluded that the Van Buren opinion does not quite get us there.[22] United in the understanding that the Court did not bring perfect clarity to the core puzzle in the CFAA, commentators differ in their assessment of how much the opinion nevertheless cleans up the mud. To distill a large amount of prior legal commentary, two important questions have swirled around CFAA cases for the past twenty years. First, will the CFAA recognize any purpose-based restrictions on computer authorization? In other words, would the CFAA recognize restrictions of the sort: You are authorized to access this information for purpose X, but you exceed your authorized access if you act for purpose Y? Second, can restrictions on authorization be conveyed through non-technical measures such as employment policies, terms-of-service rules, or cease-and-desist letters?
Van Buren clearly and decisively answers the first question with a resounding “no.” Purpose-based restrictions cannot strip users of authorization for purposes of the CFAA, the Court has declared.[23] As to the second question, the Court said much less and sowed additional confusion with a footnote.[24] We simply still do not know if non-code-based restrictions suffice under this law. I predict, however, that the core reasoning of the opinion will lead lower courts to conclude that restrictions found in terms-of-service and employment contracts alone cannot support CFAA liability or culpability. Cease-and-desist letters are more complicated, a topic I take up in the final part of this essay.
A. The End of Purpose-Based and Circumstance-Based Restrictions
The majority opinion unequivocally sweeps away purpose-based or circumstance-based limitations to computer access under the CFAA. The core reasoning of the opinion focuses judicial attention on the parts of a computer an accused was entitled to access rather than the purposes for which access was permitted or the circumstances under which the access was accomplished:
In sum, an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer— such as files, folders, or databases—that are off limits to him. The parties agree that Van Buren accessed the law enforcement database system with authorization. The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could. Van Buren accordingly did not “excee[d] authorized access” to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.[25]
This crucial paragraph of Van Buren has a spatial focus. In the Court’s explanation—informed by technical dictionary definitions of the word “access”[26]—computers have “areas,” akin to physical spaces, some of which you can enter and others of which are “off limits.”[27] The owner of a shared computer delineates those spaces by using mechanisms (which remain unspecified) to exclude some users from certain “files, folders or databases.”[28] An excluded user who nevertheless finds their way into an off-limits space exceeds authorized access and is thus subject to CFAA’s criminal and civil prohibitions.
In contrast, users do not violate the CFAA when they access a file just because they harbor an improper purpose. Van Buren declares that the CFAA “does not cover those who . . . have improper motives for obtaining information that is otherwise available to them.”[29] The Court repeatedly rebuffs the government’s and dissent’s various arguments in favor of a purpose-based or circumstance-based test.[30] Once a computer owner gives a user access to a file for a single purpose, that user can access that file for any purpose. “The only question is whether” the user can access the specific space.[31]
This is a significant clarification, one with the potential to dramatically decrease the number of CFAA cases brought on both the civil and criminal sides. It removes a significant source of uncertainty about the legality of journalism and academic research. Computer users with legitimate access to a system no longer need to worry about facing federal prosecution or civil liability for using the system for a disfavored purpose. The computer owner can bar you from “areas” of the computer, but once they admit you, they cannot limit the purposes for which you can access any particular area if they expect to harness the CFAA.[32]
B. Whither Terms-of-Service Provisions and Employment Contracts?
Although the Court cleared up significant confusion about the scope of restrictions on access that might give rise to CFAA liability, it said far less about the methods a computer user can use to convey and enforce these restrictions. Must restrictions on access be implemented in software, for example, in the form of a password? Can they instead (or in addition) be communicated through an employment policy, terms-of-service provision, or cease-and-desist letter?
The Court stopped short of embracing what many scholars and advocates had pressed, namely that the text of the CFAA should be interpreted to require the imposition of a code-based or technological barrier—such as a password—as a necessary precondition on liability and culpability.[33] The majority expressly refused to go this far in footnote eight: “For present purposes, we need not address whether this inquiry turns only on technological (or ‘code-based’) limitations on access, or instead also looks to limits contained in contracts or policies.”[34]
Although the case involved an employment policy, we should not read Van Buren to expressly rule out finding CFAA gates in computer access restrictions found in employment policies; none of the Court’s reasoning turns on the fact that an employment policy was involved. Nor does the Court pay any attention to the form or efficacy of the policy, as the Court simply assumed, based on the record, that Van Buren was aware of the policy’s rules.[35]
It would be shortsighted, however, to say that Van Buren says nothing about the appropriate mode or method of a CFAA-worthy restriction. Although the picture is still murky, there are reasons to believe that lower courts will read the opinion to cut back on the use of terms-of-service provisions and employment contracts for CFAA purposes, as so many have urged.
First, the Court specifically rejects (albeit in dicta) premising liability or culpability on certain types of terms-of-service provisions.[36] The Court decries construing the statute in a way that would “criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.”[37] Without ruling out the use of terms of service to remove authorization under the law, it comes close.
Second, every terms-of-service case that has been brought in the past or hypothesized as a possible CFAA violation by scholars or amici has advanced a “purpose-based” or “circumstance-based” theory of CFAA liability, the kind of authorization that the Van Buren Court has rejected. The “embellishing an online-dating profile” hypothetical is a repeatedly invoked example.[38] Litigated CFAA cases involving terms-of-service restrictions have focused on provisions preventing reusing information to build a competing service[39] or collecting information “using automated means.”[40] These all seem to be the kind of purpose-based or circumstance-based restrictions that Van Buren has declared extra-statutory. There is simply no precedent for a terms-of-service case in which the terms of service provide, “you are not permitted to access this file, folder, or database.” So even though terms-of-service restrictions remain available in theory, in practice, they are not likely often (if ever) to be encountered.
Third, although it is conceivable that a website will draft a term of service that reads, “you may not access this part of our website” categorically, perhaps to squeeze within Van Buren’s reasoning, I predict that, after Van Buren, courts will scrutinize whether CFAA mechanisms communicate the restriction to the user. Consider the metaphor the Court introduced to describe the kind of steps that deserve CFAA attention: “gates-up-or-down.”[41] The next phase of CFAA commentary and litigation will abound with scholarly disquisitions on gates. I think that the concrete and visceral image of a gate will drive lower courts to read “exceeds authorized access” not to extend to obscure provisions buried in unread terms of service. Gates evoke solidity, clarity, and visibility. Gates are open or shut and their state of openness or shut-ness is visible at a distance and not up for nuanced debate. A computer owner who announces a “you shall not pass” restriction by burying it in paragraph seventeen of mind-numbing legalese will be hard pressed to explain to a Court that this constitutes the kind of gate that Van Buren requires.
For these three reasons, I predict that lower courts will rarely, if ever, find CFAA liability or culpability based only on “gates” lowered solely through provisions in terms-of-service documents or employment policies.[42] The hypothetical possibility remains that one of these methods might someday be deemed enough to trigger the CFAA, but it’s likely we’ll never encounter that hypothetical. Those who police the security of computer systems should find other ways to lower gates on the unauthorized if they hope to use the CFAA as a punishment or deterrent for those they wish to exclude.
C. Van Buren Has Significantly Narrowed the CFAA
United in concluding that the Court did not bring perfect clarity to the CFAA, commentators differ in their assessment of how much the opinion nevertheless cleans up the mud. Although initial hot takes on Twitter ranged from frustrated by what the Court left undecided[43] to more optimistic assessments that much had been clarified,[44] the weight of expert commentary following the opinion seems to conclude that the opinion has significantly clarified the law.[45]
I agree that much has been clarified. Although footnote eight might initially embolden plaintiffs and prosecutors to argue that not much has changed, once lower courts dig into the opinion, I predict they will find that the reasoning guides them to a far narrower—and thus less troublesome—version of the CFAA. Van Buren does away with one of the horsemen of the CFAA apocalypse, purpose-based/circumstance-based restrictions. It also gestures to the end of terms-of-service and employment-policy restrictions, two other persistent fears. Journalists and researchers (and the lawyers who advise them) should feel more confident acting in ways that run afoul of purpose-based and other website restrictions.[46]
Amidst all of this welcome clarity there remains an important little smudge of uncertainty: Even if terms-of-service documents and employment policies no longer demarcate the boundaries of the CFAA, what about a cease-and-desist letter? If the owner of a computer musters the time, effort, and legal fees to identify, locate, and contact an unwelcome user to let them know that their access is no longer authorized, will this trigger CFAA liability? The answer may be yes, and at the risk of putting me at odds with many other CFAA commentators, I think this might be a good thing. Let me explain.
III. Web Scraping and the Anti-Libertarian Project
Even if buried terms-of-service provisions can no longer render behavior in excess of authorization under the CFAA, can clearer, more obvious forms of contract or policy alone shut a CFAA gate?[47] Of most importance, consider the facts of another closely watched CFAA case, hiQ Labs v. LinkedIn,[48] for which the Supreme Court denied cert and remanded in the wake of Van Buren.
hiQ Labs is a data analytics company that analyzes data it copies from the service LinkedIn, the professional networking website. LinkedIn objects to hiQ’s copying, although its motives are contested: LinkedIn claims it is defending the privacy of its users; hiQ claims that LinkedIn is acting anticompetitively, because it wants to be the sole source of analysis for LinkedIn data. In addition to taking code-based measures to prevent copying, LinkedIn sent hiQ a cease-and-desist letter, asserting that further copying would violate numerous laws including the CFAA. hiQ filed suit in federal court, seeking a declaratory judgment that it was not violating the CFAA.[49] On remand from the Supreme Court, hiQ Labs poses the question: Is a user agreement backed by a cease-and-desist letter enough to shut a Van Buren gate?
A. Web Scraping and Cease-and-Desist Letters
The fact that Van Buren leaves open the possibility of building CFAA gates with cease-and-desist letters rather than require them to be built solely of code has been the source of criticism and consternation among prominent CFAA watchers.[50] They worry about the chilling effect the threat of CFAA liability imposes on heroic poster children such as journalists and researchers seeking to harvest information from publicly available websites to advance human knowledge and shine the light of transparency on the secret practices of powerful platforms. One tool used by these heroes has been a frequent target of CFAA litigation: web scraping.[51] Web scraping is web browsing with speed and at scale; automated computer programs use the same underlying technologies used by humans wielding web browsers, keyboards, and mice to systematically copy all of the content from the various pages of a website. Journalists and academic researchers scrape the web to shine valuable light on the online technologies driving modern society.
Every hero needs an anti-hero, and in this story it is Clearview AI, a company that has scraped millions of photos from social media sites in order to build a powerful, global facial recognition system, which it sells to law enforcement agencies.[52] Of course, the lines between heroism and anti-heroism can blur, and some might celebrate the cold cases that Clearview’s technology has helped solve,[53] just as others might decry the creepy data harvesting sometimes done in the name of academic research.[54]
What unites many is the belief that the CFAA is the wrong tool to draw the lines between what we want to permit and what we want to prohibit when it comes to web scraping. It is too blunt a tool to proscribe the Clearview AIs of the world while also permitting journalists and researchers to do something similar for noble purposes. One way to narrow the CFAA is to limit it to acts that circumvent technological gates—such as passwords—but to refuse to extend it to acts that defy cease-and-desist-letters. To people advancing this argument, Van Buren sowed unnecessary confusion with footnote eight.
These arguments find their most persuasive presentation in an article by Professor Andy Sellars, writing before Van Buren was decided.[55] Sellars argues in special defense of web scraping. He celebrates web scraping and web scrapers, explaining how they help shine light in dark places, giving researchers, journalists, and ultimately the public information about the important activities of powerful corporations.[56]
I am deeply sympathetic to these arguments, having first scraped a website more than twenty-five years ago, having scraped hundreds and maybe thousands of sites since, and having spent a career training hundreds of law students how to build web scrapers of their own to improve the efficiency of their work and to engage in the kind of acts of heroic transparency that Sellars celebrates.[57] I agree with Sellars that web scraping ought not to be treated as criminal conduct just because a buried term of service or obscure employment policy catches a programmer unawares, meaning I agree that many of the cases he criticizes are wrongly decided. As I have already argued, Van Buren seems to agree, silently disavowing terms-of-service gates, meaning lower courts going forward encountering CFAA web scraping cases should find plenty of ammunition to dismiss cases and charges, and fewer such cases should be brought in the first place.
B. Resisting the Libertarian Critique
But I am not sure I can follow Sellars in cases in which a website owner sends the web scraper a cease-and-desist letter. To Sellars, a cease-and-desist letter is at best a mixed message, telling a web scraper “no” with one hand while maintaining an inherently open website implying “yes” with the other.[58] Although my sympathies lie with Sellars and my fellow web scrapers, by connecting this argument with broader themes I have seen in many other tech law and policy disputes, I become uneasy with this line of argument.
These arguments, perhaps unknowingly, build on a deeply embedded and problematic attitude at the heart of tech law and policy, a pervasive libertarianism that criticizes any attempts to use governmental power to stem our online ills. This libertarian faith in the importance of preventing law from interfering with technological power has been an important driver for so much of what ails modern society: surveillance capitalism, unchecked misinformation and disinformation, income inequality, online hate speech, and more. We need to reassert the rule of law online, and one small step would be to refuse to grant coders special powers under the CFAA.
Is a well-founded cease-and-desist letter fundamentally different than a password? Both unambiguously tell a web scraper, “You shall not pass.” The cyberlibertarian impulse is to disagree, to naturalize the decisions of techies, treating technological choices as forces of nature with which we must cope rather than the collective decisions of teams of individuals supposedly subject to our laws and norms. The libertarians whine about barriers to “permissionless innovation,” by which they mean the laws and regulations enacted by society’s collective institutions,[59] but less rarely whine about parallel permission structures of code created by powerful private parties.
This reeks of a macho, neo-Hobbesian view of the internet as a brutal landscape of all-against-all programmers, who should be left free to attack and counter-attack without being governed by preexisting norms or laws. Sometimes the good guys are winning—meaning more journalism, research, and transparency—and sometimes the bad guys are winning—meaning more opacity and facial recognition power—but the message to non-coders is, “We don’t recognize you as empowered combatants in the battle.” These wars have trapped the rest of us in the crossfire, creating an insecure, nonprivate, non-trustworthy internet.
When we write new laws and when we interpret preexisting laws, we need to act consciously and affirmatively to fight the bias of the subtle and pervasive libertarian ethos that has burrowed into our debates, adopting an affirmatively anti-tech-naturalization, anti-tech-determinism, anti-libertarian attitude, one which refuses to place the actions of coders on a pedestal or to treat their actions as more entitled to legal recognition than the actions of others. This attitude should incline judges to avoid interpreting statutes in ways that embed tech exceptionalism into unambiguously tech-neutral phrases such as “exceeds authorized access.”[60] There is nothing in that phrase that suggests it should recognize ten hours of coding effort but not ten hours of legal work. Giving statutory recognition to the former and not the latter without any textual justification unwittingly fuels the libertarian project. It ratifies a sub rosa Silicon Valley Supremacy Clause that favors the laws of code over the laws of society.[61] We need to reassert the power of the rule of law over the colonizing power of code, and Van Buren’s criticized footnote eight might be a welcome, if unwitting, step in that direction.
To be clear, I’m not arguing that courts ought to interpret the CFAA to treat all cease-and-desist letters as always sufficient to render conduct in excess of authorization. There might be situations when cease-and-desist letters simply ought not do, just as there might be situations in which code-based prohibitions ought not be enough, either. A cease-and-desist letter that states no legal basis (other than the CFAA itself) to support the command to cease scraping might be seen as nothing but empty words that courts ought not interpret to give rise to a federal crime. Similarly, several scholars have argued persuasively that we ought not give CFAA-gate status to information locked behind user accounts and passwords on websites, if those user accounts are given away for free to anyone who requests one.[62]
C. Authorization, Consent, and Revocation
How then do we interpret the CFAA going forward? I start with James Grimmelmann’s argument that the CFAA should be seen as giving effect to online consent mechanisms, code-based or otherwise.[63] Computer owners and operators can close a Van Buren CFAA gate on a previously authorized user only by unambiguously and conspicuously informing the user that they are no longer entitled to access the system or particular parts of the system (“files, folders, or databases”[64]), in other words, by revoking their prior consent. After being so informed, a user acting in defiance of the gate should be found to “exceed authorized access.”[65]
The revocation must be clear and conspicuous, not implied or imputed. As Patricia Bellia argues, “the fact that the CFAA is a criminal statute means that the limits of that consent for purposes of CFAA liability ought to be conveyed clearly—even if other areas of the law might not demand the same degree of clarity.”[66] Laurent Sacharoff makes a similar point based on the mens rea elements of the CFAA, which require that the violator accesses a system in excess of authorization “knowingly.”[67]
Under this approach, and embracing the anti-libertarian reasoning outlined above, a well-founded cease-and-desist letter is a perfectly fine method for revoking consent to access a system.[68] A detailed cease-and-desist letter forbidding its recipient from accessing a computer or specified part of a computer sends a clear and unambiguous message and thus serves the same salutary purpose as a password-based gate and is equally consonant with the statute following Van Buren.[69]
I understand that a code-based CFAA is a narrower CFAA than one that recognizes both code and cease-and-desist letters, and a narrower CFAA means less chill and deterrence for journalists and researchers. The desire for that noble outcome is not enough to justify embracing the libertarian project and reading code-based restrictions into a statute that lacks them. The post-Van Buren CFAA is already an extremely narrowed CFAA, and even with the prospect of giving additional power to cease-and-desist letters, the overall level of chill and deterrence is significantly reduced.
Empowering cease-and-desist letters also allows us to target companies like Clearview AI, attacking its immoral and harmful business model at its source. Many giant platforms, including Facebook, Twitter, and Google, have sent Clearview AI cease-and-desist letters, explaining that Clearview is taking advantage of personal data to develop new methods for abetting law enforcement surveillance, violating their terms of service in ways that are bad for society.[70] Lawyers have entered the neo-Hobbesian wasteland, and the CFAA should recognize the power they have been given by Congress to wield.
D. Amending the CFAA
I have focused until now on the proper interpretation of the CFAA given the current statutory text, legislative intent, computer technological state-of-the-art, and prior precedent. To the standard toolbox of statutory interpretation, I have proposed a new principle—an expressly anti-libertarian approach to combat the unhealthy tendency to undeservedly elevate the acts of technologists.
But I am far from embracing every potential outcome of the narrower, post-Van Buren CFAA from a policy perspective. My analysis to this point has been constrained by the statute Congress has written, and the CFAA leaves much to be desired. I will close with a few possibilities for amending the statute.
First, the CFAA has been weaponized by massive platforms as a means for protecting market power and punishing new entrants and competitors. Thomas Kadri offers numerous examples of Facebook, LinkedIn, Amazon, and others using CFAA lawsuits and threats to unreasonably protect monopoly power, persuasively highlighting the costs to society.[71] Although I endorse his argument, his specific proposal leaves me wanting, because it is not narrowly tailored. Rather than limit massive companies from using the CFAA in abusive ways, he would have Congress declare the entire public web a CFAA-free zone, echoing proposals from other scholars and advocates, and leaving us powerless against companies like Clearview AI.[72] This again is online libertarianism run amok, and I would prefer an amendment tailored to the special problem of platform power.
Here’s a narrower solution to address the same problem: To bring a civil suit under the CFAA, a party must demonstrate “loss,” a term defined in the statute.[73] One common way of establishing the requisite loss is by demonstrating $5,000 in aggregated “reasonable cost[] to any victim,” a laughably microscopic injury threshold for a giant platform.[74] We might amend this provision to set the loss requirement for civil suit much higher for platforms with millions or billions of users, raising the entry stakes for our biggest online companies and making it more difficult for massive platforms to abuse the CFAA.[75]
Second, although I have argued in favor of recognizing cease-and-desist letters as triggers for CFAA liability, not all cease-and-desist letters should be treated the same. Any lawyer can fire off a letter alleging a vague basis not grounded in law. Worse, lawyers engage in circular reasoning, alleging a potential violation of the CFAA itself as the basis for the letter! We might amend the CFAA to require cease-and-desist letters based in some independent area of law, for example an alleged contract breach, statutory injury, or tort. Congress could also provide a process for challenging cease-and-desist letters before a judge and provide sanctions for abusive letters.
Third, we should consider amending the CFAA to provide additional safe harbors for journalists and researchers. We might, for example, declare that journalists and researchers are immune from CFAA liability and prosecution, even in the face of cease-and-desist letters, at least for actions taken on publicly accessible websites. Or we might clarify that password gates are not sufficient to strip journalists and researchers of authorization when passwords are freely accessible to the general public, as others have argued.[76] Changes like these would recognize the important transparency and speech roles these actors play in the platform economy. It would be imperative, however, to define “journalists” and “academic researchers” precisely, to avoid letting the exception swallow the rule.
* * *
With Van Buren, the Court has, at long last, swept away much of the lingering confusion about the CFAA. Although it did not resolve every question about this important law, it cleared away a lot of the conceptual muck. It is a somewhat humbling reminder of the pecking order between legal scholars and Supreme Court justices that a compact judicial opinion has rendered dozens of articles and student notes a bit beside the point.
The Court left us with a CFAA that is easier to understand, smaller, less problematic, and more rationally structured. Most importantly, the Court unambiguously announced that purpose-based and circumstance-based limitations play no role in defining the scope of authorized access. Employees no longer need fear that their workplace IT departments wield the power of small legislatures, defining the scope of federal criminal law on the work network.
As lower courts elaborate the newly diminished CFAA after Van Buren, prosecutors and potential plaintiffs may ask Congress to intervene, restoring some of what has been lost, probably framing the opinion as a threat to cybersecurity at a time when ransomware attacks and massive data breaches rocket across the front page. It would be a mistake to recreate the confusion and ambiguity that predated Van Buren, but if Congress insists on revisiting the statute, it should consider refining it to prevent abuses of platform power and to protect the important transparency-enhancing work of journalists and academic researchers.
[*] Professor of Law, Georgetown University Law Center. For helpful discussions about Van Buren, thanks to Amanda Levendowski, Blake Reid, Andy Sellars, Kendra Albert, Dan Kinney, and the rest of the members of the PLSC rapid response reading group.
[2] Van Buren v. United States, 141 S. Ct. 1648 (2021).
[3] 18 U.S.C. § 1030.
[4] Van Buren, 141 S. Ct. at 1662 (quoting 18 U.S.C. § 1030(a)(1)).
[5] Id. at 1658–59.
[6] For citations to the circuit split that existed prior to the Court’s decision in Van Buren, see infra note 16.
[7] Van Buren, 141 S. Ct. at 1659 (quoting Univ. of Tex. Sw. Med. Ctr. v. Nassar, 570 U.S. 338, 353 (2013)) (noting that the Government’s purpose-based reading of the statute creates “’inconsisten[cies] with the design and structure’” of the CFAA).
[8] Orin Kerr was the first legal scholar to introduce and advocate for a code-based interpretation to the CFAA’s authorization-related terms, Orin S. Kerr, Cybercrime's Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1649 (2003) [hereinafter Kerr, Scope], although he later advocated for a norms-based approach instead. Orin S. Kerr, Norms of Computer Trespass, 116 Colum. L. Rev. 1143, 1164 (2016) [hereinafter Kerr, Norms]. Many other legal scholars and advocates have argued in favor of a code-based interpretation since. E.g. Patricia L. Bellia, A Code-Based Approach to Unauthorized Access Under the Computer Fraud and Abuse Act, 84 Geo. Wash. L. Rev. 1442, 1475–76 (2016).
[9] Van Buren, 141 S. Ct. at 1649 (quoting 18 U.S.C. § 1030(a)(2)).
[10] Id. at 1653.
[11] Id.
[12] Id.
[13] 18 U.S.C. § 1030(e)(6).
[14] Id. § 1030(a)(1).
[15] Id.
[16] United States v. Valle, 807 F.3d 508 (2d Cir. 2015); WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 202, 207 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854, 862‒63 (9th Cir. 2012) (en banc); United States v. John, 597 F.3d 263, 272 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420‒21 (7th Cir. 2006).
[17] In the CFAA, “the term ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6) (emphasis added).
[18] Specifically, the majority adopted the defendant’s construction of “so” as referring to the definition’s requirement that the information be obtained through use of a computer. In other words, Congress inserted “so” for the narrow purpose of preventing an insider from asserting a defense that the digital file he stole he could have been legitimately obtained without a computer, for example by making a physical, Xerox copy or a hard-copy equivalent. Van Buren v. United States, 141 S. Ct. 1648, 1656 (2021).
[19] Van Buren, 141 S. Ct. at 1648, 1659–61; id. at 1662 (Thomas, J. dissenting).
[20] Compare id. at 1661 with United States v. John, 597 F.3d 263, 272 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420‒21 (7th Cir. 2006).
[21] Jonathan Mayer, Cybercrime Litigation, 164 U. Pa. L. Rev. 1453, 1480 (2016) (finding fifty percent of civil CFAA lawsuits filed through 2012 to be suits by employers against employees or former employees).
[22] 18 U.S.C. § 1030(a)(1), (e)(6). Orin Kerr, The Supreme Court Reins in the CFAA in Van Buren, Lawfare, (June 9, 2021) (“In the end, Van Buren doesn't answer everything. But it answers a lot.”)
[23] Van Buren, 141 S. Ct. at 1662–63.
[24] Id. at 1659 n.8 (“For present purposes, we need not address whether this inquiry turns only on technological (or ‘code-based’) limitations on access, or instead also looks to limits contained in contracts or policies .”). Kerr, supra note 21 (expressing “puzzlement” at trying to reconcile the opinion’s stance against using the policy to determine liability with footnote eight.).
[25] Van Buren, 141 S. Ct. at 1652 (emphasis added).
[26] Id. at 1657 n.6.
[27] Id. at 1652, 1662 (“This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend.”).
[28] Id. at 1662.
[29] Id. at 1652.
[30] Id. at 1656–57 (critiquing the dissent’s “circumstance dependent” approach); id. at 1660‒61 (contrasting an earlier version of the statute, which did focus on the “purposes to which such authorization does not extend”); id. at 1660 n.11 (rejecting the dissent’s “circumstance-specific approach”); id. at 1662 (criticizing how a purpose-based construction of the CFAA would “stake[] so much on a fine distinction controlled by the drafting practices of private parties”).
[31] Id. at 1662.
[32] See id. at 1662.
[33] Id. at 1659 n.8. Scholars advocating for a code-based interpretation include: Bellia, supra note 7, at 1475–76 (2016); Kerr, Scope, supra note 7, at 1648‒49 (2003); Nicholas R. Johnson, “I Agree” to Criminal Liability: Lori Drew's Prosecution Under § 1030(a)(2)(C) of the Computer Fraud and Abuse Act, and Why Every Internet User Should Care, 2009 U. Ill. J.L. Tech. & Pol'y 561, 570; Cyrus Y. Chung, Note, The Computer Fraud and Abuse Act: How Computer Science Can Help with the Problem of Overbreadth, 24 Harv. J.L. & Tech. 233, 244–45 (2010); Katherine Mesenbring Field, Note, Agency, Code, or Contract: Determining Employees' Authorization Under the Computer Fraud and Abuse Act, 107 Mich. L. Rev. 819, 825–27 (2009). In addition to the petitioner, Professor Kerr as amicus called for a code-based resolution to the Van Buren case. E.g. Brief of Professor Orin S. Kerr as Amicus Curiae in Support of Petitioner at 7, Van Buren, 141 S. Ct. 1648 (No. 19‒783).
[34] Van Buren, 141 S. Ct. at 1659 n.8.
[35] Id. at 1653 (“[T]rial evidence showed that Van Buren had been trained not to use the law enforcement database for ‘an improper purpose,’ defined as ‘any personal use.’ Van Buren therefore knew that the search breached department policy.”).
[36] Id. at 1661.
[37] Id.
[38] See e.g., id.; United States v. Nosal, 676 F.3d 854, 861 (9th Cir. 2012) (en banc).
[39] Craigslist, Inc. v. 3 Taps, Inc., 942 F. Supp. 2d 962, 977 (N.D. Cal. 2013) (“Any access to or use of craigslist to design, develop, test, update . . . or otherwise make available any program, application, or service [relating to] craigslist . . . is prohibited.”) (internal quotation marks omitted).
[40] Facebook, Inc. v. Power Ventures, Inc., No. C 08‒05780 JW, 2010 WL 3291750, at *7 (N.D. Cal. July 20, 2010).
[41] Van Buren, 141 S. Ct. at 1659.
[42] Other experts have made the same prediction. See Eric Goldman, Do We Even Need the Computer Fraud & Abuse Act?, Tech. & Mktg. Blog (June 9, 2021) (“I think courts will reference the majority’s policy discussion to conclude that TOS terms can’t delimit CFAA access.”).
[43] Daphne Keller (@daphnehk), Twitter (June 3, 2021, 11:05 AM) (“Uh . . . so does Van Buren effectively fail to resolve the key question presented?”); Jeff Kosseff (@jkosseff), Twitter (June 3, 1:30 PM) (commenting that the opinion hasn’t helped shrink the CFAA chapter in his textbook).
[44] Jonathan Mayer (@jonathanmayer), Twitter (June 3, 2021, 10:54 AM) (celebrating the opinion’s “terrific implications for researchers, journalists, and others who use scraping methods); James Grimmelmann (@grimmelm), Twitter (June 3, 2021) (calling the Court wise for adding footnote eight).
[45] Aaron Mackey & Kurt Opsahl, Van Buren is a Victory Against Overbroad Interpretations of the CFAA, and Protects Security Researchers, EFF Blog (June 3, 2021); Goldman, supra note 41; Adi Robertson, The Supreme Court Pared Down a Controversial Anti-Hacking Law, Verge (June 5, 2021).
[46] See Michael A. Specter (@mspecter), Twitter (June 3, 2021, 11:09 AM) (“[I]f the Van Buren decision were made a year ago, I would have been far less stressed out over the elections systems vulnerability disclosures I had to go through. I have faith that this is going to massively decrease the chilling effects on security research.”).
[47] Van Buren, 141 S. Ct. at 1659 n.8 (declining to decide whether the CFAA inquiry “looks to limits contained in contracts or policies”).
[48] hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019), cert .granted, vacated and remanded 2021 WL 2405144 (June 14, 2021).
[49] Id. at 989–92.
[50] Mukund Rathi & Kurt Opsahl, EFF to Ninth Circuit: Recent Supreme Court Decision in Van Buren Does Not Criminalize Web Scraping, EFF Blog (July 19, 2021) (“Our brief explains that neither LinkedIn’s cease-and-desist letter to hiQ nor its attempts to block its competitor’s IP addresses are the kind of technological access barrier required to invoke the CFAA.”).
[51] Andrew Sellars, Twenty Years of Web Scraping and the Computer Fraud and Abuse Act, 24 B.U. J. Sci. & Tech. L. 372, 381-88 (2018) (providing a technical overview of web scraping).
[52] Kashmir Hill, The Secretive Company That Might End Privacy as We Know It, N.Y. Times, (Jan. 18, 2020); Kashmir Hill, What We Learned About Clearview AI and Its Secret ‘Co-Founder’, N.Y. Times (March 18, 2021). The privacy and civil liberties implications of this profit-driven practice are numerous and far-reaching, but beyond the scope of this essay.
[53] Kim Lyons, Use of Clearview AI Facial Recognition Tech Spiked as Law Enforcement Seeks to Identify Capitol Mob, Verge (Jan. 10, 2021) (describing use by law enforcement agencies of Clearview AI service to identify Capitol insurrectionists).
[54] Matthew Rosenberg, Professor Apologizes for Helping Cambridge Analytica Harvest Facebook Data, N.Y. Times, (Apr. 22, 2018) (discussing the role of a Cambridge University professor in collecting information from unknowing users in Facebook/Cambridge Analytica scandal).
[55] Sellars, supra note 50, at 406–07.
[56] Id. at 372–75.
[57] See Paul Ohm, The Philosophy of the Course, Computer Programming for Laws. (Jan. 6, 2018).
[58] Sellars, supra note 50, at 413 (“It is not clear whether courts have fully confronted conflicting authorization under the CFAA, and established a means of mitigating such authorizations.”).
[59] Adam Thierer, Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom (2016).
[60] 18 U.S.C. § 1030(a)(1).
[61] See Larry Lessig, Code: And Other Laws of Cyberspace 2.0 (2006).
[62] Thomas E. Kadri, Digital Gatekeepers, 99 Tex. L. Rev. 951, 990 (2021); Kerr, Scope, supra note 7, at 1646.
[63] James Grimmelmann, Consenting to Computer Use, 84 Geo. Wash. L. Rev. 1500, 1521–22 (2016).
[64] Van Buren v. United States, 141 S. Ct. 1648, 1657–58 (2021).
[65] 18 U.S.C. §1030(a)(1).
[66] Bellia, supra note 7, at 1474.
[67] Laurent Sacharoff, Criminal Trespass and Computer Crime, 62 Wm. & Mary L. Rev. 571, 624 (2020).
[68] For similar reasons, several scholars have argued against a purely code-based test pre-Van Buren. Grimmelmann, supra note 62, at 1511 (“[P]recisely because they convey meaning explicitly rather than implicitly like software, words will often provide the clearest indication of the uses to which the computer owner does and does not factually consent. There is no reason to disregard such probative evidence.”); Jonathan Mayer, The "Narrow" Interpretation of the Computer Fraud and Abuse Act: A User Guide for Applying United States v. Nosal, 84 Geo. Wash. L. Rev. 1644, 1655–56 (2016) (“A mere breach of terms of service or a faithless act will not suffice to establish liability. Rather, a defendant must receive a letter that entirely revokes authorization, or must be terminated from employment such that he or she entirely loses authorized access.”); Sacharoff, supra note 66, at 618 (“A cease-and-desist letter, addressed to her, prohibiting further access, ensures she knows any such further access would be without authorization.”).
[69] Bellia, supra note 7, at 1475 (“The argument here is simply that in the context of a federal criminal statute, the law should require the sort of unambiguous signals of a lack of permission or approval that code-based restrictions convey.”).
[70] Kaixin Fan, Clearview AI Responds to Cease-and-Desist Letters by Claiming First Amendment Right to Publicly Available Data, Harv. Jolt Dig. (Feb. 25, 2020).
[71] Kadri, supra note 61, at 970–87.
[72] Id. at 990, (citing Kerr, Norms, supra note 7, at 1147); see also Sellars, supra note 50, at 412 (advocating for giving “greater scrutiny” to CFAA claims against those scraping “generally-public websites”).
[73] 18 U.S.C. § 1030(g), (e)(11) (authorizing civil lawsuits and defining “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service”).
[74] Id. § 1030(e)(11); cf. Nilay Patel, Facebook’s $5 Billion FTC Fine is an Embarrassing Joke, Verge (July 12, 2019) (noting that “The largest FTC fine in the history of the country represents basically a month of Facebook’s revenue”).
[75] See Paul Ohm, Regulating at Scale, 2 Geo. L. Tech. Rev. 546 (2018) (arguing that regulations should ramp up to account for massive platforms with billions of users).
[76] Kadri, supra note 61, at 990; Kerr, Scope, supra note 7, at 1646.