Fighting Insider Abuse After Van Buren
- June 11, 2021
- No comments
The U.S. Supreme Court’s decision in Van Buren v. United States on June 3 was a significant victory for civil liberties groups, researchers, the defense bar and others troubled by the broad reading of the Computer Fraud and Abuse Act (CFAA) urged by the government. Writing for the majority, Justice Amy Coney Barrett correctly, in our view, struck down the “broad” view of the CFAA in a 6-3 vote. The majority rejected the government’s expansive interpretation of the statute that would have empowered private companies, simply by the way they drafted employee policies or terms of service, to criminalize “a breathtaking amount of commonplace computer activity.” The Van Buren decision established that, going forward, to violate the CFAA, a user must access data from part of a device or network to which the user is not permitted access. This is a far steeper bar than the government’s preferred reading of the CFAA, which would have criminalized “misuse” of data—to which the user had authorized access—under policies dictated by the data owner.
On its face, the Van Buren ruling puts in a difficult position data owners who rely on the CFAA to protect against insider and outsider threats. But this view is accurate only if data owners rely exclusively on law to prevent abuse of their data and systems and protect their intellectual property. We argue that modern technological controls can protect these interests better than a broad interpretation of the CFAA did, all while avoiding the damage to civil liberties and open internet research that the broad interpretation had threatened.
Post-Van Buren code is indeed better than law, both to protect these vital data owner interests and to safeguard civil liberties. By embracing newly available technological controls, data owners can turn the Van Buren decision into a win-win.