On June 3, 2021, the United States Supreme Court issued a 6-3 opinion in Van Buren v. United States, No. 19-783, resolving the circuit split regarding what it means to "exceed[] authorization" for purposes of the Computer Fraud and Abuse Act (CFAA). The Court held that only those who obtain information from particular areas of the computer which they are not authorized to access can be said to "exceed authorization," and the statute does not — as the government had argued — cover behavior, like Van Buren's, where a person accesses information which he is authorized to access but does so for improper purposes. This was a long-awaited decision interpreting the CFAA, which has become an important statute in both criminal and civil enforcement relating to computer crime and hacking.

Background

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030 et seq., was passed in 1986 as a targeted measure to combat a fairly circumscribed category of "computer trespassing" crimes. At that time, computer usage did not remotely resemble what it does today — in 1989, for example, about 15% of American households owned a personal computer and most people had never heard of the Internet. Despite significant changes in technology and an explosion in the use of electronic data since that time, many of the CFAA's provisions have not changed. Nevertheless, in recent years it has become the primary federal law used to prosecute hackers, including in a number of high-profile cases such as WikiLeaks founder Julian Assange, Aaron Swartz (co-founder of Reddit), Gilberto Valle (the "Cannibal Cop"), and Lori Drew (whose MySpace hoax was blamed for the suicide of a 13-year-old neighbor).

The CFAA prohibits accessing a computer "without authorization" or in a manner "exceeding authorized access." 18 U.S.C. §1030(a)(2). "[E]xceeding authorized access" is defined as "access[ing] a computer with authorization and … us[ing] such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter." Id. §1030(e)(6). Notably, the CFAA does not require that the person who accesses the computer actually do anything with the information they see or obtain. For that reason, many had previously expressed concern about the statute, arguing that it was subject to selective prosecution, allowing a prosecutor to bring felony charges even when there was little or no harm, just because the government disapproved of the activity. Those who violate Section 1030(a)(2) face penalties ranging from fines and misdemeanor sentences to imprisonment for up to 10 years. The CFAA also provides a private civil cause of action, which allows persons suffering damage or loss from CFAA violations to sue for money damages and equitable relief.