This summer, the U.S. Supreme Court will consider how to interpret the 1986 Computer Fraud and Abuse Act, a key data protection law. The court’s decision could criminalize common but technically prohibited computer-related conduct, put limitations on a powerful law that punishes insider data theft and abuse like exchange hacks, or come down somewhere in the middle.
At issue in United States v. Van Buren is the interpretation of a provision of the CFAA, 18 U.S.C. § 1030(a)(2)(C), which makes it a federal crime to “access a computer without authorization or exceed authorized access,” and “thereby obtain information from any protected computer.” To “exceed authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The case was initiated by a Georgia police officer, Nathan Van Buren, who was authorized to access and search a police database for law enforcement purposes, but instead accessed that database to identify a person in exchange for payment by a private citizen. Van Buren was charged criminally with a violation of the CFAA.
Van Buren argued that “accessing [information] for an improper or impermissible purpose does not exceed authorized access as meant by” the CFAA. The government argued that “a defendant violates the CFAA not only when he obtains information that he has no ‘rightful’ authorization whatsoever to acquire, but also when he obtains information ‘for a nonbusiness purpose.’”
Van Buren was convicted at trial of violating the CFAA. On appeal, his conviction was upheld by the Eleventh Circuit Court of Appeals based on United States v. Rodriguez, which holds that a person with access to a computer for business reasons “exceed[s] his authorized access” when he “obtain[s] … information for a nonbusiness reason.”
This interpretation could also criminalize 51% attacks against public network blockchains.
Not all circuit courts of appeal interpret that provision of the CFAA the same way. The First, Fifth, Seventh, and Eleventh Circuits have imposed liability where a person who is authorized to access data on a system exceeds that authorization by obtaining information for an improper purpose. The Second, Fourth, and Ninth Circuits have ruled that a person violates that portion of the CFAA only if he accesses information on a computer that he is prohibited from accessing for any reason.
Van Buren’s appeal asks the U.S. Supreme Court to decide on this split and determine “[w]hether a person who is authorized to access information on a computer for certain purposes violates [the CFAA] if he accesses the same information for an improper purpose.”
What’s at stake
Resolving this conflict is important.
The position taken by the Eleventh Circuit may protect crypto users in case of insider theft. For example, if an insider at a crypto exchange has the right to access customer data or private keys and uses that access for an improper purpose (e.g. to sell that data on the dark web), that insider could be charged under the CFAA and subject to criminal penalties.
However, it has been argued that this interpretation could criminalize common conduct, such as operating March Madness pools on employer-owned computers in violation of company policies, and activities that are not illegal but are contractually prohibited, like lying about your height on an online dating site in violation of the website’s terms of service.
This broad interpretation has been attacked in Van Buren as problematic from a constitutional perspective on the grounds that it can transform a violation of a private agreement into a criminal offense and raise due process issues.
Under this broader interpretation, intermediaries like exchanges or custodians that grant insiders access to valuable information may attempt to protect themselves and their information by updating their policies to expressly prohibit insiders from using that information for any non-business purpose. These companies may also seek to confirm that their insurance policies cover any potential violations.
The outcome could have big implications for the cryptocurrency industry, which increasingly relies on legally enforceable privacy rights.
The narrower interpretation promoted by Van Buren would limit the application of the CFAA to access without authorization, regardless of use. This interpretation restricts the application of criminal penalties to conduct that is more like “traditional” hacking, and may reduce the possibility that minor violations of boilerplate agreements could be treated as federal crimes. This interpretation could limit claims against insiders who have the authority to access data and use that data for an improper purpose.
The CFAA can be a powerful weapon against hackers. It could allow civil parties to sue and enable prosecutors to seek criminal penalties, including potential incarceration of violators for up to five years. Limitations on the CFAA’s reach could deprive prosecutors of a tool to punish data breaches and insider attacks.