Lawsuits Against Cheaters and Hackers Recently Became a Little Harder
Van Buren v. United States
Case No. 19-783
Filed: December 18, 2019 (writ of certiorari)
The Supreme Court issued a 6-3 decision on June 3, 2021, regarding the meaning of the phrase “exceeds authorized access” in the Computer Fraud and Abuse Act (“CFAA”). 18 U.S.C. §1030(a)(2). The case arose when the FBI caught ex police sergeant Nathan Van Buren misusing a law enforcement database to search a license plate for personal gain. The majority found that someone “exceeds authorized access” under the CFAA, when that person accesses a computer with authorization but then access information from off-limit areas of the computer. In 2020, in Sandvig v. Barr, the United States District Court for the District of Columbia determined that merely violating a site’s terms of use cannot create liability under the CFAA. This meant that Van Buren was not guilty of violating the CFAA even though he used the database for personal gain (which was against police policy) because he was an authorized user of the database.
The CFAA was written in 1984 and amended in 1986, so the majority found that the law was dated and did not account for how computers are used in 2021. Prior to this lawsuit there were two definitions of the CFAA applied by courts, a broad definition and the aforementioned narrow definition.
The government argued for the broad definition, which would define “exceeds authorized access” as having been violated when Van Buren used the data base for personal purposes. The majority disagreed with this argument because of the phrase “not entitled to so obtain,” in the statute, taking that to mean it is not an offense if one would be entitled to obtain the information in their normal usage and rejecting an evaluation of purpose in finding violations. 18 U.S.C. §1030(e)(6). Van Buren argued that the broad reading would over criminalize people and that “exceeds authorized access” applies only to obtaining information to which a person’s access does not extend. The majority agreed with Van Buren and expressed worries that under the broader definition the CFAA would criminalize conduct of almost all Americans, for example when someone would use their work computer to check the news. Using the broader definition would also allow site owners to criminalize activity merely by amending their terms of use. Thus the narrow definition became controlling.
The three dissenters disagreed strongly with the majority, finding the majority to have gone against well-established property law concepts, namely that entitlement to use of another’s property is circumstance specific. The dissenters emphasized that a computer is given with particular circumstances required of its usage, and that the purpose of one’s use can change an authorized action to an unauthorized one. The dissent also argued that statutes are supposed to be read as the enacting congress understood it, not modernized in the way the majority did. In defense of the broad interpretation, the dissent argued that there were limitations in the statute which stopped over criminalization, such as a strict intentional mens rea and that the act only applied to information stored in the computer, thus inapplicable to internet access. The dissent also argued the removal of the word “purpose” in the 1986 amendment of the CFAA implied congress was broadening the scope of the CFAA, not removing a circumstantial inquiry. Further, the dissent was harsh towards the majority’s worries about potential over-prosecution under the broad definition and compared it to not enforcing the correct interpretation of a statute because it would criminalize taking a grain of sand from a national mall. 40 U.S.C § 8103(b). The dissent ends on the note that what Van Buren did, to them, is clearly illegal.
Unfortunately for game developers, the majority’s definition also narrows the use of the CFAA in suing hackers and cheaters. The CFAA under the broader definition was a tool for game developers against hackers and cheaters, because under a circumstantial inquiry hackers and cheaters were likely exceeding authorized access according to a game’s terms of use. Under the narrower definition, the hackers and cheaters would have to extend beyond an area of a computer they were authorized to use, to somewhere they were never authorized to access, to raise a CFAA issue. Of course, this does not mean that lawsuits against cheaters and hackers are impossible or will end, there is just one less tool in a game developer’s arsenal.
Check back here for future posts about game related lawsuits and patents!