Supreme Court Adopts Narrow Reading of Computer Fraud and Abuse Act Urged by AAI
The Supreme Court has reversed an 11th Circuit decision upholding a federal criminal conviction of a police officer under the Computer Fraud and Abuse Act (CFAA) for accessing license plate information in a department computer database in exchange for money. Consistent with the position taken in the amicus brief filed by the R Street Institute, and joined by AAI, Public Knowledge, Lincoln Network, Engine Advocacy, and the Innovation Defense Foundation, the Court construed the CFAA narrowly, avoiding the broad interpretation urged by the government, which amici argued would have hampered interconnectivity and competition.
In Van Buren v. United States, the issue before the Court involves a circuit split over the CFAA’s scope. The statute creates civil and criminal liability for accessing a computer without authorization. Under a narrow interpretation given by some courts, a user becomes liable when she accesses a database that the user does not otherwise have permission to access, such as breaking into a password-protected website or otherwise hacking a computer database. Under a broader construction, other courts have held that authorization is “without access” whenever access occurs in a manner that contravenes the database owner’s expressed preferences, including where the access contravenes the website’s click-through terms of service.
The amici asked the Court to adopt a construction of the CFAA that accounts for competition enabled by platform interoperability. In several past instances, website owners have made data publicly available to users but employed their terms of service to prevent competitive uses of the data by rival firms. If a dominant platform, for example, can selectively wield the CFAA’s liability and injunctive relief provisions by manipulating the terms of service it imposes, it obtains a powerful tool to foreclose competitive interoperable products and services from accessing what may be a key input. Past uses of the CFAA reveal the success of this strategy, including CFAA actions that have had the effect of eliminating rival products dependent on user-permitted platform access, thwarting consumer price-comparison services, and thwarting internet privacy-based products and services.
The brief also argued that the broad construction of the CFAA is inconsistent with competition policy underlying trade secret and copyright law. Trade Secret and copyright law strike a careful balance between allowing information to stay in the public domain, to encourage competitive uses, and protecting special kinds of information in order to encourage investments in innovation. The broad construction of the CFAA allows firms to get IP-like protection for information that would not qualify for protection under trade secret or copyright law, undermining that balance.
Finally, the brief noted that, under a properly narrow construction of the CFAA, database owners still enjoy protection from hacking, as well as protections under contract law. Contract law gives firms remedies for unauthorized use of information but provides competition-preserving limitations that the CFAA lacks.
The brief was written by the R Street Institute’s Director of Technology & Innovation, Charles Duan. AAI Vice President of Legal Advocacy Randy Stutz assisted with certain sections of the brief.