Supreme Court Overturns Overbroad Interpretation of CFAA, Protecting Security Researchers and Everyday Users

EFF has long fought to reform vague, dangerous computer crime laws like the CFAA. We're gratified that the Supreme Court today acknowledged that overbroad application of the CFAA risks turning nearly

any user of the Internet into a criminal based on arbitrary terms of service. We remember the tragic and unjust results of the CFAA's misuse, such as the death of Aaron Swartz, and we will continue to fight to ensure that computer crime laws no longer chill security research, journalism, and other novel and interoperable uses of technology that ultimately benefit all of us.

EFF filed briefs both encouraging the Court to taketoday's case and urging it to make clear that violating terms of service is not a crime under the CFAA.In the first, filed alongsidetheCenter for Democracy and Technologyand New AmericasOpen Technology Institute, we argued that Congress intended to outlaw computer break-ins that disrupted or destroyed computer functionality, not anything that the service provider simply didnt want to have happen. Inthe second, filed on behalf of computer security researchers and organizations that employ and support them,we explained that the broad interpretation of the CFAAputs computer security researchersat legalrisk for engaging in socially beneficial security testingthrough standard security research practices, such as accessing publicly available data in a manner beneficial to the public yet prohibited by the owner of the data.

Today's win is an important victory for users everywhere. The Court rightly held that exceeding authorized access under the CFAA does not encompass violations of circumstance-based access restrictions on employers computers. Thus, an individual exceeds authorized access when he accesses a computer with authorization but then obtains information located in particular areas of the computer such as files, folders, or databasesthat are off limits to him. Rejecting the Governments reading allowing CFAA charges for any website terms of service violation, the Court adopted a gates-up-or-down approach: either you are entitled to access the information or you are not. This means that private parties terms of service limitations on how you can use information, or for what purposes you can access it, are not criminally enforced by the CFAA.