Opinion: Violating a website’s terms of service is not a federal crime

Justices Amy Coney Barrett and Clarence Thomas
Supreme Court Justice Amy Coney Barrett, shown in October shortly before being sworn in, wrote the majority opinion Thursday in a case involving federal computer law. Justice Clarence Thomas wrote the dissent.
(Patrick Semansky / Associated Press)

When a cop takes a bribe to look up someone’s license plate number on a restricted-access law enforcement database, that’s corruption. But it’s not hacking.

Nor is it hacking when employees use their corporate accounts to download company data and share it with a competitor. Or when a woman cruelly cyberbullies a teen on a social network.

All of those misdeeds have one or more legal remedies, but the federal Computer Fraud and Abuse Act isn’t among them. And on Thursday the U.S. Supreme Court finally made that clear, after prosecutors spent years stretching the act far beyond its proper boundaries.


Technically, the court’s ruling applied only to the case of Nathan Van Buren, a former police sergeant in Georgia who got caught in an FBI sting operation. An informant offered Van Buren $5,000 to look up a license plate to help determine whether its owner was an undercover cop; after Van Buren used the computer in his patrol car to run the plate, federal prosecutors charged him with violating the 1986 Computer Fraud and Abuse Act, which targets anyone who “intentionally accesses a computer without authorization or exceeds authorized access” and uses that access to obtain information that’s not freely available.

Van Buren clearly was authorized to log into and use the plate database; the Justice Department contended that he exceeded his authorized access because he wasn’t permitted to grab plate information for sale. But as the high court noted Thursday, that’s not what the act means by “access.”

Writing for the 6-3 majority, Justice Amy Coney Barrett explained that in the context of computing, “access” refers to entering a computer or the content it stores. “It is thus consistent with that meaning to equate ‘exceed[ing] authorized access’ with the act of entering a part of the system to which a computer user lacks access privileges,” she wrote, later adding, “In sum, an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer — such as files, folders, or databases — that are off limits to him.”

The Justice Department argued that Congress passed the CFAA to criminalize not just malicious computer hacking, but also behavior like Van Buren’s that violated a site’s terms of service. No question, the sergeant wasn’t authorized to collect license plate data for the purpose of selling the information and fattening his wallet. But if the CFAA extends beyond unauthorized access to unauthorized use, then suddenly a raft of actions that may or may not violate state laws become federal crimes.

Imagine this: You log in to the L.A. Times’ website and find a picture of the Clippers’ Paul George that was available exclusively to subscribers. So you copy it and print it on dozens of t-shirts to sell outside Staples Center during the playoffs. That’s a copyright violation, which exposes you to a lawsuit with some hefty damages. But it also violates this site’s terms of service, which could be considered a federal crime under the Justice Department’s expansive view because you exceeded the uses we authorized.

That’s just too broad a reading of the law. Happily, courts in many parts of the country have stopped prosecutors when they’ve overstepped that way — witness U.S. District Judge George Wu’s decision in 2009 to toss out the conviction of Lori Drew, a Missouri woman who cyberbullied a teenage girl who later committed suicide. Drew is nobody’s hero, but the CFAA wasn’t designed for egregious behavior like hers.


But some courts had embraced the Justice Department’s aggressive use of the CFAA. And besides, simply being charged with a federal crime can be powerfully traumatic, even if the courts may ultimately vindicate you. It’s worth recalling the case of Aaron Swartz, an online activist who was charged with violating the CFAA because he downloaded thousands of copyrighted articles from an academic database — far more than he was authorized to use — with the intent of making them available for free. Swartz may or may not have been convicted, but we’ll never know; he committed suicide shortly before his trial.

At any rate, Barrett’s opinion should help contain the CFAA within its intended boundaries. She was joined in the ruling by two other textualists on the court — Justices Neil Gorsuch and Brett Kavanaugh — and the court’s three liberals, but not by three of their fellow conservatives: Chief Justice John G. Roberts Jr. and Justices Clarence Thomas and Samuel A. Alito Jr.

The two sides disagreed on what the law meant by “exceeds authorized access.” Writing for the dissenters, Thomas argued that “Van Buren never had a ‘right’ to use the computer to obtain the specific license plate information.” But that’s just another way of saying that the law governs what computer users do with the information they are authorized to access on a site, which eradicates the act’s boundaries. The majority rightly held that the law prohibits people from getting into computers or files that the computer owner hasn’t opened to them, not those who violate the terms the computer owner has imposed.