Legal Sidebar
From Clickwrap to RAP Sheet: Criminal
Liability Under the Computer Fraud and
Abuse Act for Terms of Service Violations
Updated December 21, 2020
Update: On November 30, 2020, the Supreme Court held oral arguments in Van Buren v. United States—a
case that could resolve the judicial disagreement over whether the Computer Fraud and Abuse Act
(CFAA) authorizes criminal liability for the violation of a terms of service agreement. Specifically, the
issue before the court is whether an individual may be held criminally liable under the CFAA if he is
“authorized to access information on a computer for certain purposes,” but accesses that information for
unauthorized purposes. At oral argument, questioning by the Justices focused on the policy implications
of interpreting the CFAA broadly or narrowly. Justices asked whether a broad interpretation would
criminalize routine conduct like lying on a dating website in violation of its terms of service. Other
questions focused on whether a narrow interpretation, on the other hand, could jeopardize personal
privacy if, for instance, an employee might not be criminally liable under the CFAA for using highly
sensitive customer information in ways that are outside the scope of his employment duties.
At oral argument, the attorney for the government argued that the CFAA unambiguously prohibits
accessing information for unauthorized purposes—a view adopted by some federal appellate courts, but
rejected by others (as discussed below). The defendant’s attorney disagreed that the text or legislative
history compel such a reading, and countered that a broad interpretation of the CFAA would render the
statute unconstitutionally vague and result in arbitrary prosecutions. The attorney for the government
disputed that risk, arguing that the government has not obtained CFAA convictions for routine conduct
like terms of service violations in the past. However, in recent cases, the Court has declined to rely on
prosecutorial discretion to “narrow the otherwise wide-ranging scope” of a criminal statute and has
rejected broad interpretations of ambiguous statutory language that would authorize expansive criminal
liability.
A decision in Van Buren v. United States is expected before the Court’s summer recess.
Computers and the internet are ubiquitous, and so too are contractual restrictions on their use. Users of
smartphones, tablets, personal computers, social media websites, apps, online shopping platforms,
streaming services, and more are generally bound by terms of service (ToS) agreements—contracts that
govern the use of a product. Often, ToS agreements take the form of clickwrap agreements requiring users
Congressional Research Service
https://crsreports.congress.gov
LSB10423
CRS Legal Sidebar
Prepared for Members and
Committees of Congress
to click a box indicating that they are aware of, and agree to, certain terms on a website. In other instances
ToS agreements may simply amount to a written notification that by using a product, the user agrees to be
bound by the product’s ToS. Either way, at least according to some empirical studies, users generally do
not read ToS agreements. That is perhaps unsurprising given that ToS agreements are often lengthy,
covering everything from the number of authorized users of a product to the types of content that may be
shared through a device or service. But providers of computer and internet products and services rely on
ToS for a variety of purposes, including limiting liability, protecting proprietary data, and preventing their
products or services from being used in a harassing, threatening, or abusive manner. Against this
backdrop, federal courts have diverged on the issue of whether an individual may—under certain
circumstances—be criminally liable under federal law for ToS violations.
The judicial disagreement stems from two conflicting interpretations of the Computer Fraud and Abuse
Act (CFAA), 18 U.S.C. § 1030—a civil and criminal cybersecurity law prohibiting certain computer-related
activities. Federal appellate courts are divided on when an individual who violates a ToS
agreement runs afoul of the CFAA and is subject to liability under the statute. The United States Supreme
Court appears poised to weigh in on the issue; on April 20, 2020 the Court agreed to hear Van Buren v.
United States, an appeal from the Eleventh Circuit.
This Sidebar begins with background on the relevant provisions of the CFAA, before examining the split
among the federal appellate courts over when, if ever, the CFAA imposes criminal liability for violations
of ToS agreements. It then briefly describes the background and implications of the Van Buren case. The
Sidebar concludes with some considerations for Congress.
The CFAA: Background and Key Provisions
The CFAA prohibits a number of activities where a person illicitly accesses a qualifying computer if he is
“without authorization” or if he “exceeds authorized access.” The phrases appear in a number of the
CFAA’s subsections, such as § 1030(a)(2), which prohibits an individual intentionally accessing a
computer without authorization or in excess of authorization and obtaining information from a financial
institution, the federal government, or “any protected computer” (construed by courts to include any
computer connected to the internet). Similarly, § 1030(a)(4) makes it a crime to “knowingly and with
intent to defraud, access[] a protected computer without authorization, or exceed[] authorized access” and
obtain anything of value, or use of the computer itself if that use is worth at least $5,000 a year. Other
sections use the same language.
The CFAA was enacted in 1984 to address growing concerns over the dangers of hacking—intrusions or
trespasses “into computer systems or data”—and has been primarily used to combat that threat. The law
protects a broad range of technology including most websites, and nearly any “devices with embedded
processors and software” other than “typewriters, typesetters, and handheld calculators.” The CFAA has
been amended several times since 1984, but it is still described as an anti-hacking law. The law has been
invoked in successful hacking prosecutions, including in the high-profile case of one hacker who used a
phishing scam to access private email and cloud accounts, through which he obtained nude photographs
of celebrities, which were later leaked online.
Although such examples of hacking fit squarely within the CFAA’s scope, federal appellate courts have
disagreed over whether the law criminalizes the violation of ToS agreements. The circuit split is the result
of differing interpretations of the phrases “without authorization” and “exceeds authorized access.” The
statute does not define “without authorization.” As for “exceeds authorized access,” § 1030(e)(6) defines
the phrase as “access[ing] a computer with authorization and to use such access to obtain or alter
information in the computer that the accesser is not entitled so to obtain or alter . . . .” However, that
definition hinges on the meaning of “with authorization,” which the CFAA also does not define. As
discussed below, the federal appellate courts disagree over the breadth of these phrases, and whether they
permit criminal liability for ToS violations.
The Split: Criminal Liability for ToS Violations
Under a broad interpretation of the two phrases, an individual who violates a contract limiting the uses of
a computer—such as a ToS agreement—may be acting without authorization or in excess of authorization
under the CFAA, triggering criminal liability. The First, Fifth, Seventh, and Eleventh Circuits have
adopted this view, often in cases focusing not on ToS violations, but rather on employer/employee
computer use agreements. These cases generally involve an employee or former-employee who is
authorized to access a work computer for limited purposes, but who uses that computer for other reasons.
For example, in United States v. Rodriguez an employee accessed his employer’s database to obtain
“sensitive personal information” for his personal use, despite the employer’s policy prohibiting database
use for nonbusiness purposes. The Eleventh Circuit concluded in Rodriguez that the employee “exceeded
authorized access” under the CFAA because, although the employee was authorized to access the
database, he was not authorized to do so for personal purposes. In other words, “the concept of ‘exceeds
authorized access’ may include exceeding the purposes for which access is ‘authorized.’” Although many
of these cases focus primarily on the meaning of “exceeds authorized access,” the broad interpretation has
been applied to “without authorization” as well. Thus, under the broad view, if a contract limits
authorization to certain uses, and a user exceeds the bounds of those contractual restrictions, he may have
exceeded authorized access or be without authorization in criminal violation of the CFAA.
Although these courts generally do not expressly articulate a policy rationale in adopting the broad
interpretation, they appear concerned not just with hacking, but also with other computer-based harms
such as the misappropriation of confidential information by rogue employees or former-employees. For
example, in concluding that CFAA liability could extend to an employee who accessed and removed
“highly sensitive and confidential” customer account information that she was not authorized to access,
the Fifth Circuit noted the harm the employee caused to the employer and its customers.
While several of the cases adopting the broad interpretation have not arisen in the context of ToS
agreements, some courts have clarified that the broad interpretation would extend criminal liability under
the CFAA to at least some ToS violations. For instance, the First Circuit observed that “[a] lack of
authorization could be established by an explicit statement on the website restricting access . . . .” such as
a website’s “lengthy limiting conditions.” That said, federal district courts in at least one circuit
employing the broad interpretation have declined to extend criminal liability to mere ToS violations.
Several other courts, including the Second, Fourth, and Ninth Circuits, have more narrowly interpreted
“without authorization” and “exceeds authorized access,” based on an understanding that the CFAA’s
central purpose is to criminalize hacking. These courts apply CFAA liability only to those who lack any
authorization to access a computer or website or those who are “authorized to access only certain data or
files” but access “unauthorized data or files.” As a result, the narrow view exempts from CFAA liability
those who have merely violated ToS agreements. These courts have held as such, relying on the rule of
lenity, the canon of construction counseling that penal statutes should “be construed strictly” in favor of
“the interpretation least likely to impose penalties unintended by Congress.” According to these courts,
broadly interpreting “exceeds authorized access” or “without authorization” would risk such unintended
consequences. As the Ninth Circuit observed, the broad interpretation would define authorized access by
contract terms that “most people are only dimly aware of,” and are subject to change without notice,
risking “mak[ing] criminals of large groups of people who would have little reason to suspect they are
committing a federal crime.” For example, one court cautioned that the broad interpretation would turn
“every conscious [ToS violation into] . . . a CFAA misdemeanor” under § 1030(a)(2).
Many of the cases adopting the broad view of the CFAA predate the Second, Fourth, and Ninth Circuit
opinions, and do not expressly respond to the concerns expressed in those opinions regarding
over-criminalization. Nevertheless, some jurists have expressed skepticism that the broad view would actually
criminalize routine ToS violations. Dissenting from a key Ninth Circuit opinion adopting the narrow view
of the CFAA, two judges observed that even under a broad reading of the CFAA an individual would not
be criminally liable unless he acted with the intent required by the statute. The judges noted that under
§ 1030(a)(4)—which prohibits “knowingly and with intent to defraud, access[ing] a protected computer
without authorization” or doing so in excess of authorization—a defendant would be liable only if he
acted with “the requisite mens rea and the specific intent to defraud . . . .” The judges declined, however,
to examine whether such limitations would apply under other CFAA subsections, such as § 1030(a)(2),
which were not at issue in the case.
Van Buren and Considerations for Congress
The case that could potentially resolve the circuit split, Van Buren, involves former police sergeant
Nathan Van Buren’s conviction for, among other things, violating § 1030(a)(2) by using a law
enforcement database for purposes prohibited by department policy. Van Buren appealed his conviction to
the Eleventh Circuit, arguing that he did not violate § 1030(a)(2) because he accessed “databases that he
was authorized to use, even though he did so for an inappropriate reason.” The court interpreted Van
Buren’s argument as a request to overrule its Rodriguez decision (discussed above), which adopted the
broad interpretation of the CFAA. Although the Eleventh Circuit acknowledged criticisms of Rodriguez, it
affirmed the conviction and declined to overrule its precedent absent a “Supreme Court or en banc
decision of this Circuit that abrogates Rodriguez . . . .”
Van Buren filed a petition for a writ of certiorari with the Supreme Court on whether “a person who is
authorized to access information on a computer for certain purposes violates [§ 1030(a)(2)] . . . if he
accesses the same information for an improper purpose.” In his petition, Van Buren noted the circuit split
and echoed the concerns of the federal appellate courts that have adopted a narrow interpretation of the
CFAA—namely that the rule of lenity supports the narrow view because the alternative turns even “trivial
breach[es]” of computer-use policies into “a federal crime.” The Court granted the petition on April 20,
2020 and is expected to hear arguments in Van Buren in its October 2020 term.
In Van Buren, the Supreme Court will likely hear a range of legal and policy arguments. Several
commentators have raised concerns that broadly interpreting “exceeds authorized access” and “without
authorization” leaves the CFAA vague and susceptible to “[a]rbitrary and discriminatory enforcement.” A
general concern is that if criminal liability under the CFAA hinges on onerous contracts that few read,
then the CFAA does not “define . . . criminal offense[s] [under the statute] with sufficient definiteness that
ordinary people can understand what conduct is prohibited . . . .” At least one court echoed such concerns
in adopting the narrow interpretation of the CFAA. Relatedly, some courts have expressed concern that
“by utilizing violations of [ToS agreements] as the basis for [a CFAA] crime,” the broad interpretation
“makes the website owner-in essence-the party who ultimately defines the criminal conduct.” According
to some, that not only contributes to the possibility of arbitrary enforcement, but it also makes behavior
that is traditionally the domain of state tort and contract claims the subject of federal criminal law.
Criticism of the broad interpretation of the CFAA is not universal. For example, some individuals and
businesses have advocated for the broad interpretation because it permits civil CFAA lawsuits to enforce
contractual rights, such as those embodied in a ToS agreement. Businesses have invoked the CFAA’s civil
provisions to remedy injuries relating to contractual violations, such as misappropriation of confidential
information—often in the context of disputes with rogue employees or former employees who abuse
computer privileges at their employer’s expense. In public comments, a Department of Justice (DOJ)
official agreed that the CFAA should protect against such threats. He described opinions adopting the
narrow view as an “obstacl[e]” to prosecuting such cases, which the government has done in the past. In
addition, the Solicitor General has contested the argument that the broad interpretation creates uncertainty
and criminalizes commonplace computer behavior, maintaining that such concerns are purely
hypothetical because of a DOJ policy that limits prosecutorial discretion in CFAA cases. The DOJ policy
requires, among other things, that, before bringing charges, prosecutors consider the defendant’s state of
mind when committing the crime.
In Van Buren, if the Court interprets “without authorization” or “exceeds authorized access” in a manner
contrary to Congress’s intent, assuming away any constitutional concerns driving the Court’s
interpretation, Congress could respond to clarify the CFAA’s reach. Some Members in past Congresses
introduced legislation that sought to modify the “without authorization” and “exceeds authorized access”
language in the CFAA. One example, Aaron’s Law, was “named in honor of the late Internet innovator
and activist Aaron Swartz,” who committed suicide while undergoing CFAA prosecution. First introduced
in the 113th Congress, Aaron’s Law would have replaced the phrase “exceeds authorized access” with
“access without authorization,” which it defined as obtaining “information on a protected computer . . .
that the accesser lacks authorization to obtain” by “knowingly circumventing one or more technological
or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that
information.” That proposal would have limited the CFAA’s breadth in a manner more consistent with the
understanding of courts applying the narrow view of the statute. No bills have been introduced in this
Congress addressing the split.
Author Information
Peter G. Berris
Legislative Attorney
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff
to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of
Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of
information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role.
CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United
States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However,
as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the
permission of the copyright holder if you wish to copy or otherwise use copyrighted material.
LSB10423 · VERSION 6 · UPDATED