Friday, June 4, 2021

What Does it Mean to Exceed Authorized Access?

After years of debate and prosecutorial overreach, the Supreme Court has now narrowed the Computer Fraud and Abuse Act (CFAA). In Van Buren v. U.S., the Court ruled that obtaining information by "exced[ing] authorized access" is limited to information on the computer that one is not authorized to access at all, rather than to information simply gathered for an improper purpose.

To explain, consider the facts of Van Buren. Van Buren had rightful access to a database of DMV license plate information. He accessed that database using valid credentials, but looked up information for an improper purpose. He was convicted under the CFAA for exceeding his authorized access. I have blogged about this issue before. The broad reading that sent him to jail is a really scary interpretation of the statute, one in which many ordinary people could go to jail for innocuous use of the internet.

The Court narrowed the meaning, and held that the language of the statute: "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” cannot be read to cover the purpose of gathering the information. Instead, "entitled so to obtain" must mean entitled to obtain in the manner prior referenced, which means obtained by access to a computer with authorization. Based on this reading, Van Buren cannot be guilty because he accessed records that he was already entitled to access. But he might have been guilty if he looked at personnel files on the same computer.

The Court leaves open the question whether access to other information must be barred by code or merely policy. In the hypo above, if Van Buren bypasses a password on the computer to which he has access in order to obtain the personnel records, there's no question that such conduct would be barred. But what if the files were there for all to see if they merely looked, and it was simply policy that barred access? The court leaves that question open. The legislative history, which I discuss here, makes clear that the policy based bar was contemplated at the time of the statute, because "exceeds authorized access" was left out of some provisions of the CFAA to keep unwary employees from being ensnared: "It is not difficult to envision an employee or other individual who, while authorized to use a particular computer in one department, briefly exceeds his authorized access and peruses data belonging to the department that he is not supposed to look at. This is especially true where the department in question lacks a clear method of delineating which individuals are authorized to access certain of its data." (S. Rep. 99-472)

This brings me to my discomfort with the opinion. I'm thrilled at the outcome. The CFAA is much too broad, and this is one way to narrow the scope of it. Otherwise, it made all sorts of innocuous activity illegal. But from a textual standpoint, I've never been convinced that this is the proper reading of the words of the statute.

So long as the Court allows policy-based access restrictions (which is not crazy given the legislative history, even if it's not great policy), my view continues to be that the actual statutory interpretation part of it is not nearly as clear as the Court would have it. 

As noted above, the Court envisions two situations: 

    1. You may access the computer. You may access file A but (by policy) not file B, even though technically your access to the computer allows you to download file B. This exceeds authorized access. 

    2. You may access the computer. You may access file A, but (by policy) only for a particular purpose, even though technically your access to the computer allows you to download file A for any purpose. This does not exceed authorized access. 

For many policy reasons this is a better outcome than saying No. 2 exceeds authorized access. But the Court offers little support for the conceptual (or textual) notion that these two scenarios are distinct. There is nothing in the “entitled so to obtain” discussion that differentiates what is entitled by access once given and what is not. Both of these scenarios are types of information you could get with your access, but have no right to get under the terms of your access. 

The only difference is that as a matter of policy we don’t want to impose a purpose based limitation on that right. Even if you accept the Court’s reading of the statute wholesale, you do not get to (quoting the Court's new rule): “an individual 'exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.”  So long as “off-limits” is not code based, this is a common law gloss rather than a textual one. I’m fine with that, but would rather the Court say that, or alternatively limit liability for all policy based breaches.

To illustrate the point that we cannot differentiate policy limits, as I noted in this post years ago: what is to stop everyone from rewriting their agreements conditionally: "Your access to this server is expressly conditioned on your intent at the time of access. If your intent is to use the information for nefarious purposes, then your access right is revoked." Problem solved, Van Buren goes to jail. If this seems far-fetched, consider Google's terms of service at the time of the Nosal case:  "You may not use the Services and may not accept the Terms if . . . you are not of legal age to form a binding contract with Google . . . .”  That sounds like an access restriction to me. I can see everyone rewriting policy to match; but this shows the folly of it all.

As a final note, the Court's appeal to the civil provisions is unavailing – standard hacking, captcha breaking, password guessing and any number of other things that might give unauthorized access to information are illegal yet cause no damage or loss as the Court describes those provisions. Further, the Court ignores the ridiculous, “we spent money finding the leak and that’s loss” that lower courts have upheld. That type of loss would apply to a broader definition of "exceeds authorized access" as well. 

In sum, this is a good outcome even if I'm not entirely convinced it's the technically proper one. I'm good with that.