Focusing the CFAA in Van Buren
Imagine you are focusing a lens. At first, everything is blurry. As you adjust the lens, however, the picture starts to become clearer. Shapes and colors emerge. Ideally you can reach complete focus and make everything sharp. But maybe you can only go part way. The partially-adjusted image is more revealing than when you started. But the picture is not yet sharp.
Van Buren v. United States1 is the Supreme Court’s first decision interpreting the federal computer-crime statute known as the Computer Fraud and Abuse Act (CFAA).2 Enacted in the 1980s, the CFAA sat unexamined by the Supreme Court during an astonishing societal transformation. Computers and the Internet went from the domain of a few computer geeks to a routine part of daily life for most Americans. During that time, the CFAA’s text became a source of extraordinary uncertainty. The statute might be narrow and apply rarely, the thinking went, or it might be incredibly broad and criminalize a great deal of routine computer use. Before Van Buren, no one knew.
Van Buren is best understood as a partial focusing of the CFAA. On the surface, the Court’s ruling is simple: An employee with access to a computer does not violate the CFAA if he violates a workplace policy banning access for personal reasons.3 But at a more conceptual level, Van Buren limits the CFAA’s possible meanings much like a person sharpens an image by focusing a lens. The opinion’s dialectic structure features a series of contrasting perspectives, starting from the narrowest question and ending with the broadest, that endorses the petitioner’s claims with limited explanation.4 The outcome resembles a vision though a lens that has been adjusted only part way. The Court’s opinion brings new ground into focus, letting us see a range of landmarks that were blurry before. But it leaves important details hazy, leaving their resolution to future cases that can bring the CFAA into sharper focus.
After Van Buren, the critical question of CFAA liability is the test for authorization. The Court frames authorization as a “gates-up-or-down inquiry,”5 but it does not directly answer the key questions: What counts as a gate, and how do you know when it is down? Closely read, however, the opinion leaves a lot of clues to answer those questions. Van Buren’s focusing of the CFAA provides significant support for an authentication-based understanding of CFAA liability. Under that approach, the CFAA is violated only when a user bypasses an authentication gate on access designed to limit access to certain users.6 We will have to wait to see if lower courts take the hint and adopt that reading. But Van Buren’s framework gives lower courts ample grounds to conclude that the CFAA adopts an authentication test.
This Essay proceeds in three parts. Part I introduces the CFAA and explains Van Buren’s facts and legal context. Part II explores the reasoning of the Supreme Court’s decision, showing how it focuses many sections of the statute in part without providing clear answers to what the statute covers. Part III shows how Van Buren helps support an authentication-based understanding of CFAA liability.
Kerr, Orin S.
"Focusing the CFAA in Van Buren,"
Supreme Court Review: Vol. 2021, Article 6.
Available at: https://chicagounbound.uchicago.edu/supremecourtrev/vol2021/iss1/6