Last week the Supreme Court’s decision in Van Buren v. United States resolved a decade-long circuit split concerning the “exceeds authorized access” clause of the Computer Fraud and Abuse Act (“CFAA”). Taking up the issue of whether an individual who has legitimate access to a computer network but accesses it for an improper or unauthorized purpose violates the CFAA, the Court ultimately found that such a use was not a violation of the statute. Significantly, the decision in Van Buren endorses the narrower reading of CFAA adopted by the Second, Fourth, and Ninth Circuits,[1] while rejecting the more expansive reading of CFAA that had been the law of the land in the First, Fifth, Seventh, and Eleventh Circuits.[2]
One of the circuit splits that Van Buren appears to resolve, or provide guidance for resolving, is the question of whether violating a website’s terms of service constitutes a CFAA violation. Prior to Van Buren, several courts within the Third, Fourth, Fifth, Eighth, and Ninth Circuits had found that terms of service violations could implicate the CFAA,[3] while other courts within the Fourth, Seventh, Tenth, and D.C. Circuits had found that individuals were not subject to criminal liability under CFAA by violating terms of service.[4] The majority opinion in Van Buren, authored by Justice Amy Coney Barrett, adopts the latter reading. Opining on the Government’s broad interpretation of the statute, the Court noted: “Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.” Op. at 18 (emphasis supplied). This language appears in the Court’s broader analysis expressing concern over the scope of the Government’s interpretation of the statute, which the Court found “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” Op. at 17.
This language, as well as the policy concerns articulated by the Court supporting the narrower interpretation of CFAA, are anticipated to make it challenging to assert claims under CFAA for terms of service violations, including for misuse of data or information contained on a company’s website that would likely have constituted “exceed[ing] authorized access” under prior precedent. However, companies seeking vindication for terms of service violations may still pursue other, previously available legal remedies. This will be circumstance-dependent on the violation involved, including potential causes of action for copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy.
The Court’s narrow interpretation of the CFAA is also likely to impact individuals and companies engaging in data scraping, or the process of using a program to extract data from a codebase or another program. Many public-facing websites include provisions in their terms of service that limit both their own customer’s and third-parties’ use of the data contained on those websites. Prior to Van Buren, some courts had found that data scraping constituted a violation of CFAA, particularly when the data being scraped was protected by some form of access permissions, such as a username or password requirement.[5] This interpretation afforded entities with a remedy under the CFAA to protect the data against being scraped, as those entities could arguably assert claims under CFAA relying on that favorable precedent that data scraping “exceeds authorized access” of the website because the data was intended to be protected using access authorizations. Some privacy advocates had also favored this broader interpretation of the CFAA as better protective of individual privacy. [6]
While Van Buren does not affirmatively allow for data scraping, the Supreme Court’s narrower reading of CFAA in the decision will likely limit the legal remedies that may be available for data scraping. As a result, companies engaged in data collection may wish to develop more stringent contractual policies for potential consumers, or take additional action to revoke authorization to their websites for parties violating the terms of service. To afford the same protections previously available under CFAA, these companies may want to consider, to the extent they do not already have them, liquidated damages and injunction relief provisions in their contracts with other businesses. This, of course, will not remedy violations committed by third parties that access their information by other means. For that, a legislative fix may be necessary.
*Thomas J. Lloyd also contributed to this article as a co-author.
[1] See United States v. Valle, 807 F.3d 508, 523-28 (2d Cir. 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009); United States v. Nosal, 676 F.3d 854, 856-63 (9th Cir. 2012) (en banc).
[2] See EF Cultural Travel B.V. v. Explorica, Inc., 274 F.3d 577, 583 (1st Cir. 2001); United States v. John, 597 F.3d 263, 271 (5th Cir. 2010); Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010).
[3] See, e.g., America Online v. LCGM, Inc., 46 F. Supp. 2d 444, 451 (E.D. Va. 1998); United States v. Nosal, 844 F.3d 1024, 1033-38 (9th Cir. 2016); Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1066-69 (9th Cir. 2016); Southwest Airlines Co. v. Farechase, Inc., 318 F. Supp. 2d 435, 439-40 (N.D. Tex. 2004); Am. Online, Inc. v. Nat’l Health Care Disc., Inc., 174 F. Supp. 2d 890, 899 (N.D. Iowa 2001); United States v. Lowson, No. 10-114 (KSH), 2010 U.S. Dist. LEXIS 145647, at *11-18 (D.N.J. 2010).
[4] See, e.g., Sandvig v. Barr, 451 F. Supp. 3d 73, 76 (D.D.C. 2020); Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927, 932-34 (E.D. Va. 2010); Koch Indus., Inc. v. Doe, No. 2:10CV1275DAK, 2011 U.S. Dist. LEXIS 49529, at *19-25 (D. Utah. May 9, 2011); Bittman v. Fox, 107 F. Supp. 3d 896, 900-01 (N.D. Ill. 2015).
[5] See, e.g., HiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 999-1004 (9th Cir. 2019); Explorica, 274 F.3d at 582-84.
[6] See, e.g., HiQ Labs, Inc., 938 F.3d at 1003 (noting that CFAA is violated when an individual scrapes data by “circumvent[ing] a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer” as that data has been marked as “private”); see also id. at 1001-03 (discussing legislative history of CFAA and intent to increase privacy protections for online information).