EFF filed briefs both encouraging the Court to taketoday's case and urging it to make clear that violating terms of service is not a crime under the CFAA.In the first, filed alongsidetheCenter for Democracy and Technologyand New AmericasOpen Technology Institute, we argued that Congress intended to outlaw computer break-ins that disrupted or destroyed computer functionality, not anything that the service provider simply didnt want to have happen. Inthe second, filed on behalf of computer security researchers and organizations that employ and support them,we explained that the broad interpretation of the CFAAputs computer security researchersat legalrisk for engaging in socially beneficial security testingthrough standard security research practices, such as accessing publicly available data in a manner beneficial to the public yet prohibited by the owner of the data.
Today's win is an important victory for users everywhere. The Court rightly held that exceeding authorized access under the CFAA does not encompass violations of circumstance-based access restrictions on employers computers. Thus, an individual exceeds authorized access when he accesses a computer with authorization but then obtains information located in particular areas of the computer such as files, folders, or databasesthat are off limits to him. Rejecting the Governments reading allowing CFAA charges for any website terms of service violation, the Court adopted a gates-up-or-down approach: either you are entitled to access the information or you are not. This means that private parties terms of service limitations on how you can use information, or for what purposes you can access it, are not criminally enforced by the CFAA.