Legal Sidebar

From Clickwrap to RAP Sheet: Criminal Liability under the Computer Fraud and Abuse Act for Terms of Service Violations

Updated April 27, 2020

Computers and the internet are ubiquitous, and so too are contractual restrictions on their use. Users of smartphones, tablets, personal computers, social media websites, apps, online shopping platforms, streaming services, and more are generally bound by terms of service (ToS) agreements—contracts that govern the use of a product. Often, ToS agreements take the form of clickwrap agreements, requiring users to click a box indicating that they are aware of, and agree to, certain terms on a website. In other instances, ToS agreements may simply amount to a written notification that, by using a product, the user agrees to be bound by the product’s ToS. Either way, at least according to some empirical studies, users generally do not read ToS agreements. That is perhaps unsurprising given that ToS agreements are often lengthy, covering everything from the number of authorized users of a product to the types of content that may be shared through a device or service. But providers of computer and internet products and services rely on ToS for a variety of purposes, including limiting liability, protecting proprietary data, and preventing their products or services from being used in a harassing, threatening, or abusive manner.

Against this backdrop, federal courts have diverged on the issue of whether an individual may—under certain circumstances—be criminally liable under federal law for ToS violations. The judicial disagreement stems from two conflicting interpretations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030—a civil and criminal cybersecurity law prohibiting certain computer-related activities. Federal appellate courts are divided on when an individual who violates a ToS agreement runs afoul of the CFAA and is subject to liability under the statute. The United States Supreme Court appears poised to weigh in on the issue: on April 20, 2020,
the Court agreed to hear Van Buren v. United States, an appeal from the Eleventh Circuit. This Sidebar begins with background on the relevant provisions of the CFAA before examining the split among the federal appellate courts over when, if ever, the CFAA imposes criminal liability for violations of ToS agreements. It then briefly describes the background and implications of the Van Buren case. The Sidebar concludes with some considerations for Congress.

Congressional Research Service
https://crsreports.congress.gov
LSB10423
CRS Legal Sidebar
Prepared for Members and Committees of Congress

The CFAA: Background and Key Provisions

The CFAA prohibits a number of activities where a person illicitly accesses a qualifying computer if he is “without authorization” or if he “exceeds authorized access.” The phrases appear in a number of the CFAA’s subsections, such as § 1030(a)(2), which prohibits an individual intentionally accessing a computer without authorization or in excess of authorization and obtaining information from a financial institution, the federal government, or “any protected computer” (construed by courts to include any computer connected to the internet). Similarly, § 1030(a)(4) makes it a crime to “knowingly and with intent to defraud, access a protected computer without authorization, or exceed authorized access” and obtain anything of value or use of the computer itself if that use is worth at least $5,000 a year. Other sections use the same language.

The CFAA was enacted in 1984 to address growing concerns over the dangers of hacking—intrusions or trespasses “into computer systems or data”—and has been primarily used to combat that threat. The law protects a broad range of technology, including most websites and nearly any “devices with embedded processors and software” other than “typewriters, typesetters, and handheld calculators.” The CFAA has been amended several times since 1984, but it is still described as an anti-hacking law. The law has been
invoked in successful hacking prosecutions, including in the high-profile case of one hacker who used a phishing scam to access private email and cloud accounts, through which he obtained nude photographs of celebrities, which were later leaked online.

Although such examples of hacking fit squarely within the CFAA’s scope, federal appellate courts have disagreed over whether the law criminalizes the violation of ToS agreements. The circuit split is the result of differing interpretations of the phrases “without authorization” and “exceeds authorized access.” The statute does not define “without authorization.” As for “exceeds authorized access,” § 1030(e)(6) defines the phrase as “access[ing] a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” However, that definition hinges on the meaning of “with authorization,” which the CFAA also does not define. As discussed below, the federal appellate courts disagree over the breadth of these phrases and whether they permit criminal liability for ToS violations.

The Split: Criminal Liability for ToS Violations

Under a broad interpretation of the two phrases, an individual who violates a contract limiting the uses of a computer—such as a ToS agreement—may be acting without authorization or in excess of authorization under the CFAA, triggering criminal liability. The First, Fifth, Seventh, and Eleventh Circuits have adopted this view, often in cases focusing not on ToS violations but rather on employer/employee computer use agreements. These cases generally involve an employee or former-employee who is authorized to access a work computer for limited purposes but who uses that computer for other reasons. For example, in United States v. Rodriguez, an employee accessed his employer’s database to obtain “sensitive personal information” for his personal use, despite the employer’s policy prohibiting database use for nonbusiness purposes. The Eleventh
Circuit concluded in Rodriguez that the employee “exceeded authorized access” under the CFAA because, although the employee was authorized to access the database, he was not authorized to do so for personal purposes. In other words, “the concept of ‘exceeds authorized access’ may include exceeding the purposes for which access is ‘authorized.’” Although many of these cases focus primarily on the meaning of “exceeds authorized access,” the broad interpretation has been applied to “without authorization” as well. Thus, under the broad view, if a contract limits authorization to certain uses and a user exceeds the bounds of those contractual restrictions, he may have exceeded authorized access or be without authorization in criminal violation of the CFAA.

Although these courts generally do not expressly articulate a policy rationale in adopting the broad interpretation, they appear concerned not just with hacking, but also with other computer-based harms, such as the misappropriation of confidential information by rogue employees or former-employees. For example, in concluding that CFAA liability could extend to an employee who accessed and removed “highly sensitive and confidential” customer account information that she was not authorized to access, the Fifth Circuit noted the harm the employee caused to the employer and its customers.

While several of the cases adopting the broad interpretation have not arisen in the context of ToS agreements, some courts have clarified that the broad interpretation would extend criminal liability under the CFAA to at least some ToS violations. For instance, the First Circuit observed that “[a] lack of authorization could be established by an explicit statement on the website restricting access,” such as a website’s “lengthy limiting conditions.” That said, federal district courts in at least one circuit employing the broad interpretation have declined to extend criminal liability to mere ToS violations.

Several other
courts, including the Second, Fourth, and Ninth Circuits, have more narrowly interpreted “without authorization” and “exceeds authorized access,” based on an understanding that the CFAA’s central purpose is to criminalize hacking. These courts apply CFAA liability only to those who lack any authorization to access a computer or website, or those who are “authorized to access only certain data or files” but access “unauthorized data or files.” As a result, the narrow view exempts from CFAA liability those who have merely violated ToS agreements. These courts have held as such relying on the rule of lenity, the canon of construction counseling that penal statutes should “be construed strictly” in favor of “the interpretation least likely to impose penalties unintended by Congress.” According to these courts, broadly interpreting “exceeds authorized access” or “without authorization” would risk such unintended consequences. As the Ninth Circuit observed, the broad interpretation would define authorized access by contract terms that “most people are only dimly aware of,” and are subject to change without notice, risking “mak[ing] criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” For example, one court cautioned that the broad interpretation would turn “every conscious ToS violation into a CFAA misdemeanor” under § 1030(a)(2).

Many of the cases adopting the broad view of the CFAA predate the Second, Fourth, and Ninth Circuit opinions and do not expressly respond to the concerns expressed in those opinions regarding overcriminalization. Nevertheless, some jurists have expressed skepticism that the broad view would actually criminalize routine ToS violations. Dissenting from a key Ninth Circuit opinion adopting the narrow view of the CFAA, two judges observed that even under a broad reading of the CFAA, an individual would not be criminally liable unless he acted with the intent required by the statute. The judges noted that under §
1030(a)(4)—which prohibits “knowingly and with intent to defraud, access[ing] a protected computer without authorization” or doing so in excess of authorization—a defendant would be liable only if he acted with “the requisite mens rea and the specific intent to defraud.” The judges declined, however, to examine whether such limitations would apply under other CFAA subsections, such as § 1030(a)(2), which were not at issue in the case.

Van Buren and Considerations for Congress

The case that could potentially resolve the circuit split, Van Buren, involves former police sergeant Nathan Van Buren’s conviction for, among other things, violating § 1030(a)(2) by using a law enforcement database for purposes prohibited by department policy. Van Buren appealed his conviction to the Eleventh Circuit, arguing that he did not violate § 1030(a)(2) because he accessed “databases that he was authorized to use, even though he did so for an inappropriate reason.” The court interpreted Van Buren’s argument as a request to overrule its Rodriguez decision, discussed above, which adopted the broad interpretation of the CFAA. Although the Eleventh Circuit acknowledged criticisms of Rodriguez, it affirmed the conviction and declined to overrule its precedent absent a “Supreme Court or en banc decision of this Circuit that abrogates Rodriguez.”

Van Buren filed a petition for a writ of certiorari with the Supreme Court on whether “a person who is authorized to access information on a computer for certain purposes violates § 1030(a)(2) if he accesses the same information for an improper purpose.” In his petition, Van Buren noted the circuit split and echoed the concerns of the federal appellate courts that have adopted a narrow interpretation of the CFAA—namely, that the rule of lenity supports the narrow view because the alternative turns even “trivial breach[es]” of computer-use policies into “a federal crime.” The Court granted the petition on April 20, 2020, and is expected to hear
arguments in Van Buren in its October 2020 term.

In Van Buren, the Supreme Court will likely hear a range of legal and policy arguments. Several commentators have raised concerns that broadly interpreting “exceeds authorized access” and “without authorization” leaves the CFAA vague and susceptible to “[a]rbitrary and discriminatory enforcement.” A general concern is that if criminal liability under the CFAA hinges on onerous contracts that few read, then the CFAA does not “define criminal offense[s] under the statute with sufficient definiteness that ordinary people can understand what conduct is prohibited.” At least one court echoed such concerns in adopting the narrow interpretation of the CFAA. Relatedly, some courts have expressed concern that “by utilizing violations of ToS agreements as the basis for a CFAA crime,” the broad interpretation “makes the website owner-in essence-the party who ultimately defines the criminal conduct.” According to some, that not only contributes to the possibility of arbitrary enforcement, but it also makes behavior that is traditionally the domain of state tort and contract claims the subject of federal criminal law.

Criticism of the broad interpretation of the CFAA is not universal. For example, some individuals and businesses have advocated for the broad interpretation because it permits civil CFAA lawsuits to enforce contractual rights, such as those embodied in a ToS agreement. Businesses have invoked the CFAA’s civil provisions to remedy injuries relating to contractual violations, such as misappropriation of confidential information—often in the context of disputes with rogue employees or former employees who abuse computer privileges at their employer’s expense. In public comments, a Department of Justice (DOJ) official agreed that the CFAA should protect against such threats. He described opinions adopting the narrow view as an “obstacl[e]” to prosecuting such cases, which the government has done in the past. In addition, the Solicitor General
has contested the argument that the broad interpretation creates uncertainty and criminalizes commonplace computer behavior, maintaining that such concerns are purely hypothetical because of a DOJ policy that limits prosecutorial discretion in CFAA cases. The DOJ policy requires, among other things, that before bringing charges, prosecutors consider the defendant’s state of mind when committing the crime.

In Van Buren, if the Court interprets “without authorization” or “exceeds authorized access” in a manner contrary to Congress’ intent (assuming away any constitutional concerns driving the Court’s interpretation), Congress could respond to clarify the CFAA’s reach. Some Members in past Congresses introduced legislation that sought to modify the “without authorization” and “exceeds authorized access” language in the CFAA. One example, Aaron’s Law, was “named in honor of the late Internet innovator and activist Aaron Swartz,” who committed suicide while undergoing CFAA prosecution. First introduced in the 113th Congress, Aaron’s Law would have replaced the phrase “exceeds authorized access” with “access without authorization,” which it defined as obtaining “information on a protected computer that the accesser lacks authorization to obtain” by “knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.” That proposal would have limited the CFAA’s breadth in a manner more consistent with the understanding of courts applying the narrow view of the statute. No bills have been introduced in this Congress addressing the split.

Author Information

Peter G. Berris
Legislative Attorney

Disclaimer

This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report
should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material.

LSB10423 · VERSION 5 · UPDATED