By Gwyneth K. Shaw
Berkeley Law Professor Orin Kerr has spent much of his career thinking, writing about, and discussing the Computer Fraud and Abuse Act — from blog posts aimed at the average social media user and scholarship published in top law journals to testimony before Congress and advocacy in court.
So when the U.S. Supreme Court decided last year to take the Van Buren v. United States case, which hinges on the 1986 law, it was akin to Kerr’s Super Bowl.
Kerr, an expert in criminal procedure and computer crime law — and a faculty co-director of the Berkeley Center for Law & Technology — filed an amicus curiae brief in the case. He argues that former Georgia police officer Nathan Van Buren didn’t violate the CFAA when he took money to run a license plate through a police database. While the move was against department policy, Van Buren was allowed to use the database, making his actions a violation of the contract-based rules.
In the brief, as he had in previous articles, Kerr urged the justices to reject the contract-based approach, in part because extending the CFAA to those types of restrictions “would either criminalize the way millions of Americans use the Internet or require courts to draft a new statute.”
The Court voted 6-3 in Van Buren’s favor. Justice Amy Coney Barrett penned the opinion, which cites Kerr’s brief as well as his 2003 New York University Law Review article “Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes.”
Below, Kerr explains the controversy, the ruling, and what could come next.
Q: The CFAA has been called “the worst law” because of its scope and imprecision. What are some of the law’s problems?
Kerr: The law makes unauthorized access to a computer a federal crime, and pretty much everything with a microchip counts as a computer. But no one has known what it means to engage in unauthorized access. Is that hacking in? Is that violating terms of service? These days, you might access hundreds of remote computers a day when you surf the Internet or check social media: What makes those accesses authorized and legal or unauthorized and criminal? Until Van Buren, it wasn’t clear.
Q: In your amicus brief, you recount a tiny way you violate the law: By not being truthful about where you live in your Facebook profile. Can you explain why that could be a CFAA violation?
Kerr: Some courts have said that access is unauthorized when it violates written terms on access. Facebook says you have to be truthful with your biographical information, which includes where you live. According to some courts, a person who lies about where they live — violating Facebook’s rule that you have to tell the truth — would be engaging in an unauthorized access to Facebook when they use Facebook and therefore committing a federal crime. The question in Van Buren was whether the Supreme Court agreed with those courts.
Q: What did the Supreme Court do in Van Buren, and what do you think of the ruling?
Kerr: The Court ruled that the CFAA is not violated by merely violating written terms on access. To violate the CFAA, a person needs to bypass some kind of access gate: They need to go to a part of the computer that was off-limits to them. The opinion isn’t exactly clear on what counts as a gate, or what makes a part of the computer off-limits. But it sounds like the Court is saying that a technological access gate like a password gate generally has to be bypassed. In other words, the CFAA is violated by actually hacking in, not just violating terms of service.
I’m a fan of the ruling, although I have a lot of priors on this question. I have been arguing for that basic interpretation of the CFAA for almost 20 years.
Q: Are there other areas of the CFAA that remain problematic? What are they, and are they likely to come through the courts as well?
Kerr: Van Buren leaves some big questions unanswered. The big question is, what exactly counts as a sufficient “gate”?
Q: If you were writing this law from scratch, what would you want it to do?
Kerr: I would make a lot of different changes to the law, as I think it’s too broad in some places and redundant in others. But Van Buren is a big step toward the needed reform. The decision focuses on the law’s core role as an anti-hacking statute designed to protect privacy, and keeps it from being a super-broad law that criminalizes all breaking of promises online.