Supreme Court Narrowly Interprets CFAA to Avoid Criminalizing 'Commonplace Computer Activity'

On June 3, 2021, the United States Supreme Court issued a 6-3 opinion in Van Buren v. United States, No. 19-783, resolving the circuit split regarding what it means to "exceed[] authorization" for purposes of the Computer Fraud and Abuse Act (CFAA). The Court held that only those who obtain information from particular areas of the computer which they are not authorized to access can be said to "exceed authorization," and the statute does not — as the government had argued — cover behavior, like Van Buren's, where a person accesses information which he is authorized to access but does so for improper purposes. This was a long-awaited decision interpreting the CFAA, which has become an important statute in both criminal and civil enforcement relating to computer crime and hacking.

Background

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030 et seq., was passed in 1986 as a targeted measure to combat a fairly circumscribed category of "computer trespassing" crimes. At that time, computer usage did not remotely resemble what it does today — in 1989, for example, about 15% of American households owned a personal computer and most people had never heard of the Internet. Despite significant changes in technology and an explosion in the use of electronic data since that time, many of the CFAA's provisions have not changed. Nevertheless, in recent years it has become the primary federal law used to prosecute hackers, including in a number of high-profile cases such as WikiLeaks founder Julian Assange, Aaron Swartz (co-founder of Reddit), Gilberto Valle (the "Cannibal Cop"), and Lori Drew (whose MySpace hoax was blamed for the suicide of a 13-year-old neighbor).