DOJ Limits Application of Computer Fraud and Abuse Act, Providing Clarity for Ethical Hackers and Employees Paying Bills at Work Alike

On May 19, 2022, the Department of Justice announced it would not charge good-faith hackers who expose weaknesses in computer systems with violating the Computer Fraud and Abuse Act (CFAA or Act), 18 U.S.C. § 1030. Congress enacted the CFAA in 1986 to promote computer privacy and cybersecurity and amended the Act several times, most recently in 2008. However, the evolving cybersecurity landscape has left courts and commentators troubled by potential applications of the CFAA to circumstances unrelated to the CFAA’s original purpose, including prosecution of so-called “white hat” hackers. The new charging policy, which became effective immediately, seeks to advance the CFAA’s original purpose by clarifying when and how federal prosecutors are authorized to bring charges under the Act.

DOJ to Decline Prosecution of Good-Faith Security Research

The new policy exempts activity of white-hat hackers and states that “the government should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.” The policy defines “good-faith security research” as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

In practice, this policy appears to shield from federal charges the type of ethical hacking a St. Louis Post-Dispatch reporter performed in 2021. The reporter uncovered security flaws in a Missouri state website that exposed the Social Security numbers of over 100,000 teachers and other school employees. The Missouri governor’s office initiated an investigation into the reporter’s conduct for unauthorized computer access. While the DOJ’s policy would not affect prosecutions under state law, it would preclude federal prosecution for such conduct if it were determined to be good-faith security research.

The new policy also promises protection from prosecution for certain arguably common but contractually prohibited online conduct, including “[e]mbellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service.” Such activities resemble the hypotheticals discussed in Van Buren v. United States, No. 19-783, which the Supreme Court decided in June 2021. In Van Buren, the 6-3 majority rejected the government’s broad interpretation of the CFAA’s “exceeds authorized access” prohibition and held that a police officer who looked up license plate information in a law-enforcement database for personal use—in violation of his employer’s policy but without circumventing any access controls—did not violate the CFAA. The DOJ did not cite Van Buren as the basis for the new policy. Nor did the DOJ identify any other impetus for the change.

To Achieve More Consistent Application of Policy, All Federal Prosecutors Must Consult with Main Justice Before Bringing CFAA Charges

In addition to exempting good-faith security research from prosecution, the new policy specifies the steps for charging violations of the CFAA. To help distinguish actual good-faith security research from pretextual claims of such research that mask a hacker’s malintent, federal prosecutors must consult with the Computer Crime and Intellectual Property Section (CCIPS) before bringing any charges. If CCIPS recommends declining charges but prosecutors nonetheless wish to proceed, they must inform the Office of the Deputy Attorney General (DAG) and, in some cases, obtain the DAG’s approval before initiating charges.

©2022 Greenberg Traurig, LLP. All rights reserved.

What’s “So” Important: Computer Fraud and Abuse Act Gets a Close Look from SCOTUS

In a case with significant ramifications for employers concerned with protecting sensitive information, and for employees accused of abusing access to computer networks, the United States Supreme Court (“SCOTUS”) heard oral argument this week in Van Buren v. United States, No. 19-783, a case from the Court of Appeals for the Eleventh Circuit that will require interpretation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. The argument was lively. All of the Justices asked questions, and several expressed concern about vagueness in the CFAA’s definition of covered activity. Much of the discussion centered on an alleged “parade of horribles” and on the meaning of the word “so.” We expect a relatively prompt decision. Time will tell how SCOTUS will rule, but we would not be surprised to see a reversal and remand.

The CFAA has been a useful litigation tool for employers when confidential or other sensitive information accessed via computer is misappropriated, misused, or otherwise compromised. The CFAA generally prohibits obtaining sensitive information from a computer without authorization, or by exceeding authorized access, and, importantly, confers federal jurisdiction.  While it is a criminal statute, it also provides for a private right of action for those damaged by certain violations.  The issue now before SCOTUS in Van Buren is whether the CFAA is violated when someone with authorized access obtains information for an unauthorized purpose.  For example, when an employee who is authorized to access and use the employer’s computer-stored customer information for business purposes downloads the information to a thumb drive and shares it with a potential new employer, s/he plainly violates company policy.  But does s/he run afoul of the CFAA? Over time, a Circuit split has developed regarding this issue.

Van Buren is a criminal case in which Petitioner Nathan Van Buren, a police sergeant in Cumming, Georgia, was convicted of violating the CFAA. The Eleventh Circuit affirmed his conviction and SCOTUS granted certiorari. Briefly stated, as part of his duties Van Buren was granted authorized access to a database of license plate and vehicle registration information maintained by the Georgia Crime Information Center (“GCIC”). Training materials supplied to those with access to the GCIC database quite reasonably prohibit use of the database for personal purposes. However, in return for cash payments, Van Buren agreed to, and did, use his authorized GCIC username and password to access a woman’s license and registration information in order to learn personal information about her on behalf of another individual. There is no dispute that such use was outside the GCIC guidelines for authorized use. Accordingly, Van Buren used his authorized access to the GCIC database for an unauthorized purpose. He was charged with, among other things, violating the CFAA. He was convicted of the CFAA violation, sentenced to 18 months in prison, and appealed. The Eleventh Circuit upheld the conviction, holding, based on precedent within the Circuit, that unauthorized use of authorized access constitutes a violation of the CFAA.

Because Van Buren was not an outsider or other unauthorized user hacking into the GCIC database, his conviction under the CFAA turns on application of the facts to the CFAA’s prohibition on “exceeding authorized access.” The CFAA defines “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6) (emphasis on “so” added). Generally, the First, Fifth, Seventh and Eleventh Circuits construe the definition broadly, finding CFAA violations by employees who, for example, access information they are entitled to obtain for certain purposes but do so for unauthorized uses. In other words, courts in those Circuits tend to focus on the purposes of authorized access and require computer users to stay within those purposes in order to avoid violating the CFAA. This interpretation would allow an employer to bring an action under the CFAA against an employee who, for example, misappropriates sensitive business information s/he was entitled to access as part of his or her job for use with a subsequent employer. The Second, Fourth and Ninth Circuits, on the other hand, favor a narrower interpretation, under which there is no violation unless the accessed information is, itself, information the user is not entitled to obtain or access at all. Under that construction, an employee who obtains information from a database s/he is not otherwise permitted to use (e.g., restricted Human Resources information accessed by someone outside the permitted sphere) would violate the CFAA, while someone who misuses information s/he is otherwise entitled to access would not.

Van Buren is the first case to present this issue to SCOTUS. Petitioner, with robust amici support from organizations such as the Reporters Committee for Freedom of the Press, the National Whistleblower Center and technology companies, largely focused his arguments on the dangers of a “parade of horribles” that could arise from the broader interpretation. (See, e.g., Oral Argument at 8). Petitioner posited that, for example, computer users who check Instagram on their work computers in violation of their employer’s computer use policies, or those who inflate their characteristics on a dating site in violation of its stated terms of use, could be guilty of a federal crime should the Government choose to prosecute. (Oral Argument at 4, 22). He argued that the CFAA is impermissibly vague and that any changes should be left to Congress.

The Government’s position that the CFAA should be read broadly was also supported by several amici, including the Electronic Privacy Information Center and the Digital Justice Foundation. The Government contended that, under the statutory definition, a user “exceeds authorized access” by accessing information that s/he did not have a right to access in the particular manner or circumstances involved. Thus, according to the Government, Van Buren violated the CFAA because he accessed the GCIC database under circumstances other than for law enforcement purposes. As part of its argument, the Government closely examined the meaning of the word “so” in the definition of “exceeds authorized access,” and contended that a person is “entitled so” to do something only when s/he has a right to do it in the particular manner or circumstance authorized. Brief for the United States at 13. Van Buren, on the other hand, contended that “so” refers only to “access[ing] a computer with authorization,” such that an individual does not “exceed authorized access” if s/he is entitled to access the database in question at all. (Oral Argument at 21).

The questions from the Justices during oral argument closely tracked those competing themes, further discussing the proper construction of the word “so” and examining whether some of the more innocuous-sounding activities would actually constitute violations of the CFAA under the broader construction. Some Justices expressed concern about the privacy of the public if the CFAA is not construed to encompass, for example, government employees reviewing private information for purposes other than those called for in their jobs. Oral Argument at 14. Based on the overall tenor of the argument, SCOTUS may be prepared to adopt the narrower interpretation currently favored by the Second, Fourth and Ninth Circuits, and to overturn Van Buren’s criminal conviction, which rested on the broader interpretation. In any case, we will watch for a decision.

We have observed that use of the CFAA in civil cases has already diminished over the last four years. Passage of the Defend Trade Secrets Act of 2016 provides access to federal courts in circumstances where the CFAA was previously used to establish federal jurisdiction. And, as explained above, use of the CFAA in such cases has been curtailed in several Circuits. It will be interesting to see whether the SCOTUS decision in Van Buren further restricts its utility.


©2020 Epstein Becker & Green, P.C. All rights reserved.