High Court Got It Right in Van Buren v. U.S.: Prosecute Hacking, Not Terms of Service Violations

COMMENTARY Courts

High Court Got It Right in Van Buren v. U.S.: Prosecute Hacking, Not Terms of Service Violations

Jun 7, 2021 3 min read
COMMENTARY BY
Michael J. Ellis

Visiting Fellow, Edwin Meese III Center

Michael is a Visiting Fellow for law and technology in Heritage’s Edwin Meese III Center for Legal and Judicial Studies.
Justice Amy Coney Barrett, pictured here on April 23 2021, penned the majority opinion. Erin Schaff-Pool / Getty Images

Key Takeaways

Millions of Americans are no longer in danger of committing a federal crime when they check sports scores at work

The provision applies when a user circumvents restrictions to enter a part of the system where the user lacks access privileges—in other words, hacking.

No American needs to fear the potential of an arbitrary prosecution solely because they violated a widely unread terms of service agreement.

Millions of Americans are no longer in danger of committing a federal crime when they check sports scores at work, fib in an online dating profile, or use a pseudonym on Facebook, thanks to the Supreme Court’s decision last Thursday in Van Buren v. United States.

Van Buren posed the question of whether the 1986 Computer Fraud and Abuse Act made it a crime for an authorized user of a computer system to use their access for an improper purpose. 

Nathan Van Buren, a police officer in Georgia, used his access to a law enforcement database to run a license-plate search in exchange for money. He used valid credentials to log in to the database, and he had been given the right to obtain license-plate information from the database, but police department policy prohibited the use of the database for a “non-law-enforcement purpose.” 

Federal prosecutors charged him with a felony for violating the provision of the Computer Fraud and Abuse Act that subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access” to obtain computer information. 

Writing for a six-justice majority, Justice Amy Coney Barrett agreed with Van Buren that he did not commit a crime under the act. 

Her opinion explained that “exceeds authorized access,” which is defined in the act to mean “to access a computer with authorization and to use such access to obtain … information in the computer that the accesser is not entitled so to obtain,” does not apply when a user can access a computer system and can access certain areas within that computer system. 

Rather, the provision applies when a user circumvents restrictions to enter a part of the system where the user lacks access privileges—in other words, hacking.

In dissent, Justice Clarence Thomas, joined by Chief Justice John Roberts and Justice Samuel Alito, argued that “exceeds authorized access” should be read in light of common law and statutory interpretation principles that access to property is dependent on conditions that a property owner places on access. 

A person who is authorized to enter land for one purpose, then enters for a different purpose, commits trespassing.  Thomas recognized that the criminalization of common activity is an “uncomfortable” result of this interpretation of the Computer Fraud and Abuse Act, “but that discomfort does not give us authority to alter statutes.”

As a result of the ruling in Van Buren, the act can no longer be used to prosecute or seek civil damages against individuals who violate a website’s terms of service—such as, for example, someone who lies on an online dating profile or uses a pseudonym on Facebook—or individuals who violate an employer’s policies about appropriate use of business information technology systems—for example, someone who checks sports scores on their company computer. 

Computer Fraud and Abuse Act prosecutions based on terms of service violations are rare, but, given the complexity of many websites’ terms of service agreements, their rapidly changing nature, and the regularity with which average Americans violate them, Van Buren’s narrow interpretation of the statute will help avoid constitutional vagueness concerns

Website owners, of course, can still seek damages for breach of contract against individuals who run afoul of terms of service agreements, and employers can do the same (or impose disciplinary sanctions) against employees who violate a contractual access restriction. 

Other federal criminal statutes will still punish individuals who steal from their employers under certain circumstances—for instance, when an employee misappropriates trade secrets.

But after Van Buren, no American needs to fear the potential of an arbitrary prosecution solely because they violated a widely unread terms of service agreement or a widely unenforced company information technology policy.   

This piece originally appeared in The Daily Signal.