The Supreme Court Narrowed the CFAA

In a 6-3 ruling, the Supreme Court just narrowed the scope of the Computer Fraud and Abuse Act:

In a ruling delivered today, the court sided with Van Buren and overturned his 18-month conviction.

In a 37-page opinion written and delivered by Justice Amy Coney Barrett, the court explained that the “exceeds authorized access” language was, indeed, too broad.

Justice Barrett said the clause was effectively making criminals of most US citizens who ever used a work resource to perform unauthorized actions, such as updating a dating profile, checking sports scores, or paying bills at work.

What today’s ruling means is that the CFAA cannot be used to prosecute rogue employees who have legitimate access to work-related resources, which will need to be prosecuted under different charges.

The ruling does not apply to former employees accessing their old work systems because their access has been revoked and they’re not “authorized” to access those systems anymore.


It’s a good ruling, and one that will benefit security researchers. But the confusing part is footnote 8:

For present purposes, we need not address whether this inquiry turns only on technological (or “code-based”) limitations on access, or instead also looks to limits contained in contracts or policies.

It seems to me that this is exactly what the ruling does address. The court overturned the conviction because the defendant was not limited by technology, but only by policies. So that footnote doesn’t make any sense.

I have written about this general issue before, in the context of adversarial machine learning research.

Posted on June 7, 2021 at 6:09 AM20 Comments


echo June 7, 2021 7:52 AM

I personally felt it was a stupid court decision but this is more a comment on the US legal system as a whole than this one case. The basic law itself was correct and no there is no real difference between a technological or policy rule because they are both rules even if they are different forms of rules. The issue really is the threshold between criminality and civil case, and whether there is a case to answer and if there is a case to answer whether it is in the public interest or not.

The UK has the Computer Misuse Act which isn’t much different. The US is a hybrid legal system of civil and common law. The US system can be both a bit literal in legal practice and also the none legal “soft law” which is more about institutional practcies and attitudes. If you judge every single case in the most literal sense against the law as read then pretty much everyone even if it is an accident or simply a means to an end to achieve a proportional and legitimate purpose enabled by other law and policy they will land in jail. This is because all the other steps necessary to evaulate things at a prosecutorial level were not taken. Funnily enough the US Supreme Court takes the exact opposite view with copyright and “fair use”. Fair use equires a number of steps to be taken. You cannot just use something because you see it and if those steps are not taken then even if reproduction is covered by fair use then the reproduction will be unlawful. Why the court did not see that the act was being imposed in a literal way without any due process considering criminal intent and civil liability I do not know then then I am a European not a US lawyer.

I still believe Bruce was wrong to have my post on the US military banning the pride flag deleted without consideration or examination of the legal argument and I am never going to forgive him for this. And by never I really do mean never. There are some things I do not forgive and this is one of them.

Congratulations. You now have a computer misuse law which allows criminals and human rights abusers including those with professional standards and duties of care to uphold with access to sensitive information within a human rights context to get off.

Pass the equality act.

Clive Robinson June 7, 2021 9:43 AM

I’ve already commented on why the law was technically very bad.

But a saliant legal point was that it confused contracts and legislation.

That is it alowed a non legalistive organidation such as a corporation to write a document that had criminal penalties.

That is wrong by any measure.

In the US you get taught that,

A tort arises from a breach of a private duty and a crime arises from a breach of a public duty.

The two should never ever be confused getting on for atleast two millennia of jurisprudence has repeatedly shown that any cross over leads to an escalation of undesirable outcomes and other unintended consequences that easily cascade into what becomes a runaway set of consequences.

But then US legislators have a history going right back to the constirution of at the best antipathy towards democracy right through to ensuring that the citizens have no rights in any form.

The CFAA was an insidious form of the age old game of “Rights Striping” by ensuring a “non equity of arms” which favours those that see themselves as entitled through the holding of property and directly or indirectly other humans as chattels or endentured servitude.

If you are beholdent on another for your right to live equitably in society be it by not being able to own land or earn an independent living by your own labours, then you do not have that right, it can be taken from you at any time.

The US Government is known to consider going through a “Rights Striping” process when ever some one finds “wrong doing” and tries to correct it. The usual argument is that they have a “reporting mechanism” the purpose that actually serves is a Catch-22 if you use it you loose anonymity, if you don’t and you get caught then you are guilty of not following the correct proceadure. So damed if you do, damed if you don’t… Either way you loose as a minimum promotion prospects, often your security clearence if you have one, thus your job or future possibility of a job equitable with your skill set, and indefinate civil proceadure to drive you into bankruptcy. Then there is criminal litigation to be added that is so vague your chances of not going to jail are very small.

You can just imagine how certain corporate types in the likes of say Oracle, salivate at having the avility to wield the equivalent of legaslitive ability not just over their direct employees, but indirect employees and even customers…

Thus I would expect “Corporate Kick Back” over this decision via lobbyists etc on legislators who will simply look at “how thick the green is” before they get behind it against just about every citizens interests…

As our host once pointed out we are heading for a “Feudalism Future”. Which will be one where the old “Estates” become reenacted. With Barons replaced by Corporations and legislation decreed by them and the neo-church along with compliant politicians.

This legislation might have been “knocked back” but it is neither “Knocked Out” or given the “Coup de grace”, and most certainly it’s not had the lid nailed down… So we can expect it to “rise again” all be it in a different form.

Chris June 7, 2021 9:57 AM

“It seems to me that this is exactly what the ruling does address. The court overturned the conviction because the defendant was not limited by technology, but only by policies.”

Not exactly. This case concerned a defendant who was permitted to access a system, but how he could use the system was limited by policy. The majority opinion held that violating a policy on how a given system could be used can’t lead to criminal liability under the CFAA.

The opinion does not address a situation where a defendant doesn’t have access to a system at all. Footnote 8 says the court is not deciding whether “doesn’t have access at all” requires a technological limitation on access or if someone could be prosecuted for accessing a system they’re forbidden to access by policy.

echo June 7, 2021 11:08 AM

The US has two rather strange notions. A.) A contract can overrule rights in law. B.) The decision by a state sector worker (or corporate executive when rights in law are usurped by contract) is treated as if it has force in law.

In the UK you don’t necessarily get rights stripping. What you get is rights appropriation. What happens usually is one state sector dufus gets a stupid idea in their head they want to do something then either crashes through the law or gets a lawyer on the public purse to give them their “legally arguable” interpretation of the law. So they act on this unlawfully via lots of obstructionism and pedantry into forcing citizens into judicial review which doesn’t recieve the pushback it should. Having established this the next state sector worker in another area applies copycat reasons because A.) They’re lazy and don’t want to spend money on lawyers themselves to counter the decision of another authorities action based on secret legal advise or B.) Have a similar agenda so just copycat be damned and laugh at citizens who have to scramble for a judicial review sometimes after another authority has already set a precendent.

Oddly, the people who have no leg to stand on, usually criminals or nuisances, are surrounded by a lot of vested interests who focus solely on maximising their rights and they have a higher threshold in law to meet anyway.

This is how the intent of the Human Rights Act was usurped. It took a major row including old fart judges being pressured during a strike over pay for them to go back and actually read the act and interpret as written.

You also get state sector workers grabbing every human and equality right to themselves yet oddly enough only paying lipservice to this when it comes to decisions effecting citizens.

Let them get away with this and you get legal drift which runs up against more case law the judges are very literal about. Even where “inadequacy” is proven by state sector service there is the old fall back of empty pockets so you get fiscal policy usually made elsewhere being the tail which wags the dog. The threshold for upholding a citizens rights (of which the mentally ill homeless person needing somewhere to live is one example) even where statutory duties exist is so high they have to be danger to society or dead before the judge compels anyone to do anything.

Then there is the dreaded “public enquiry”. Occassionally something happens but it’s usually an exercise in producing a frothing report nobody reads or it is kicked into the long grass only to rumble on as the problems reoccur or some idiot who won’t let go keeps bring judicial reviews for the next few decades. Most public enquiries are full of duties not upheld and red flags missed all over the place hence the dreaded “lessons will be learned” which almost always isn’t what it should be just more meddlers making sure they won’t be caught so easily next time.

At the end of this when the embarassment has been happening for long enough or loud enough some wag will call for more law to fix the problem. Like, we don’t already have enough law and the problem is upholding what we already have?

You can imagine a lot of this is down to some seat filler not admitting they effed anything up, learning what should have been done and fixing the problem, and coughing up any compensation as due. The fact it would have been cheaper and quicker and everyone would have been happier doesn’t enter into it. State jobs for people who won a lottery and forgot why they had the job in the first place must be preserved! Private corporations aren’t much better.

Jordan Brown June 7, 2021 1:16 PM

Is it a crime to walk past a sign that says “Employees only”?

Is it a crime for an employee with a green badge to walk past a sign that says “Red badges only”?

Is it a crime to walk past a sign that says “Entrance allowed only on weekdays”, when it’s Saturday?

When does violating access conditions transition from the crime of trespass to being merely some lesser form of contract violation?

(I’m not asserting answers, but I think they are related questions.)

JonKnowsNothing June 7, 2021 1:58 PM

@Jordan Brown

re: Signs of Signs

When does violating access conditions transition from the crime of trespass to being merely some lesser form of contract violation?

To start, it depends on who owns the signs and who owns the land on which the sign is placed.

If I am the land owner and I put up a No Access, No Hunting, No Trespass and No Solicitation signs it maybe I have more control than if I am only leasing the land or the building or the office or the room.

No Solicitation does not seem to bother Telemarketing, Internet Marketing and other forms of solicitation and it does not apply to people contacting me outside of my locale, state, country.

No Access signs don’t necessarily stop Open Grazing Zones where free wandering cattle, horses, sheep are allowed. They may even be illegal in that zone.

There are zoning issues defined by local, county, state, region, country. If I put up a fence with No Access, that might be illegal because the fence is not permitted in an Open View Zone.

If I want No Hunting in some states in the USA, a sign alone will not suffice. You are required to put up a fence to “fence people out” and color coded fence post indicated access or no, the sign is extra.

Authorized Access is in the eye of the beholder.

A person traveled to a big city Hotel in the USA over the 4th of July.

The wait-staff at the restaurant told them the view from the roof was the best view of the fireworks and the person asked if they could go up to the roof to watch. The wait-staff said it would be OK.

The person went up to the roof and the stair had a sign “Authorized Only Access/Restricted Access” but since they had verbal OK, they went past the sign onto the roof.

In short order the Hotel Security came up and in no uncertain terms told the person to get the H-OUT because they had gone past the signage even though they had been told it was OK. Not only were they kicked off the roof, the Hotel Security dropped the BAN HAMMER on them and they had to pack up their kit and get out of their room in 30 minutes.

Trying to find alternate accommodations, after dark, on the 4th of July was no small chore and they ended up sleeping rough most of the night.

Jordan Brown June 7, 2021 5:06 PM


Yes, there are questions of that sort, of who can impose restrictions and who can authorize access.

But suppose for discussion that it is absolutely clear that the person imposing the restriction has the right to do so, and absolutely clear that there is no authorization overriding that restriction.

When is the violation the crime of trespass, and when is it a contract violation?

Fenner June 7, 2021 5:41 PM

well, CFAA js a really really bad, unconstitutional “law” that the Supremes did almost nothing to address.

But that’s the status quo on most all alleged “Federal Law”.

The rule of law becomes meaningless when there are hundreds of thousands of laws on the books with even more court/prosecutor interpretations of those laws; that’s the situation Americans are in today.

Clive Robinson June 7, 2021 6:18 PM

@ Jordan Brown,

When is the violation the crime of trespass, and when is it a contract violation?

I’ve gone over this on the Friday Squid. But to be more clear,

“Trespass” is a breach of a “private duty” not a “public duty”.

That is it is a civil not criminal offence.

What get’s called “criminal trespass” is a “breach of a public duty” whilst commiting a “breach of a private duty”.

So “stealing whilst trespassing in a building” is the criminal act (stealing) that once used to be covered by the term “burglary” whilst commiting a tort of trespass.

The usage of such language is quite deliberately used to create clarity for the initiated and confusion for the uninitiated. Most pre-20th century “Professions” do this to maintain a “protection barrier” around their incomes. A bog indicator of such nonsense is the use of latin expressions.

Latin was at one time “The Churches” normative language and learning it was a requirment. As prior to around 1850 many Universities were “religiously” controled you had to “ordain” in the priesthood or church as a condition of becoming quallified.

In part this was to maintain the fantasy of the church as “Moral guardian” of society, thus arbiter of that which controled society that was neither legislation or regulation.

To understand why this nonsense started and the current implications on society you need to go back to the notion of the “Estates of man”, in more recent times called,”Estates of the realm”,

It’s all about the “politics” of,

“Land, Money, Power and Status”

If you have none of them then you were in effect a “sub human” and had no rights just duties to the land it’s landlord etc. Worse such things were usually “downwards heritable” if either parent was of lower status, that is what in effect you became unless promoted by the rules of lineage many of which prevented inter status marriages. The result was a “closed stud” breeding system with all the genetic deffects that engenders,like the Habsburg jaw, pyphoria, madness and impotence.

Why did what was in practice incest by marriage happen, it was to keep that land, Money, Power and Status undiluted and the “butchers bill” price was self annihilation…

With such madness in control, is it surprising that what follows on from it is equally as mad or incomprehensible?

echo June 7, 2021 6:54 PM

@Jordan Brown

In the UK decisions made by company directors or managers ipacted customers or the public which were not made lawfully (i.e. they did not have the necessary quorum or authority in their job description) were effectively allowed by judges just because. This… is… irritating…

Our glorious Home Secretary is trying to criminalise trespass along with public protest if is an “annoyance”. Yes, MP’s have attempted to influence the police by complaining about protests outside parliament by complaining they were an “annoyance” interfering with their “work”. The Home Secetary has been reported only within the past few days to have been on the phone with one chief constable pestering and applying pressure over one issue or another. I forget what. Probably immigration or travellers.

Meanwhile a litany of crime continues to be “no crimed” by police or mishandled and blackholed.

“High courts and low courts”…

Jordan Brown June 7, 2021 8:27 PM

Huh. I’d always thought trespass was a crime. Thanks for the info.

By way of analogy, mere unauthorized access to a computer should not be a crime. (Vandalism, theft, et cetera would be a different matter.)

JonKnowsNothing June 7, 2021 9:13 PM

@Jordan Brown, Clive

re: Crimes of Trespass

  But suppose for discussion that it is absolutely clear that the person imposing the restriction has the right to do so, and absolutely clear that there is no authorization overriding that restriction.

  When is the violation the crime of trespass, and when is it a contract violation?

As Clive and others have pointed out there are 2 branches of law: Civil (tort) and Criminal. Where you fall in the definition depends a lot on Who You Are, Where You Are, What You Were Doing, Who Directed You To Do It (if anyone) and Under What Circumstances It Is Allowed-Prohibited.

Contracts are specific legal documents that have many nuances and in today’s Tech World are full of SURPRISE! because the ordinary Schmoe hasn’t a clue what it all means. The folks that draw up the contracts have no problem adding in things that are “acceptable to the courts” as well as things they know to be “unacceptable to the courts” (of that locale).

There is a long history about working contracts that in the USA flows back to the Magna Carta Libertatum of England on which the USA Common Laws are based. Along the millennia, a whole pile of changes have been made and there is a difference in how the 5EY countries dealt with them (or didn’t, or haven’t yet).

When an action by an Employee crosses the Criminal Act line, that’s were things split.

A violation of contract, such as Failure to Perform, leads to the breaking of the contract with penalties as determine within the contract, like the EU vs COVID-19 Vaccine Delivery Contract dispute over Failure to Perform (Deliver). There are remedies and penalties in the contract and they will be duking it out over the finer details.

When actions cross into Criminal Actions, you get The Other Guys. If you steal money, goods, falsify activities like booking sales or work hours you did not perform, it ends up as Theft and Criminal Action.

Nearly everyone has “borrowed long term” pens, paper, paper clips and items of low intrinsic value (shrinkage) and the majority of employers just Look Away or Lock the Supply Cabinet or place a Quota on the items. Paper clips do not cost a lot of money individually but if you “borrow long term” enough of them it’s costly to the employer. Depending on the dollar amounts, the context and election status of the District Attorney (in the USA they are elected), determines if you get charged or just fired.

In many states of the US, there are At Will employment contracts or they maybe defined in State Laws. California is an At Will State. The agreement between Employer and Employee is At Will, either can terminate the agreement at any time; no reason is needed. You do not need to give 2 weeks notice before you leave and your employer will certainly not give you any advanced notice of termination except in those few cases were laws have been enacted that such notice must be given (mass layoffs). In some cases, employers just lock the doors and the 30 day advance notice is posted on the door while the 30days count down is paid off through the mail.

So, if you have signed a Contract to Work for ZComp to do XY work under AB conditions, somewhere in the finer print are the remedies if you Do Not Show Up, You Do Not Perform As Expected (see the mandatory termination of the ranked 5-20% of bottom tier employees often used in Big Tech Corps).

If during your employment period you divert funds, time, equipment, knowledge to someone other than stated in your contract (physical theft, intellectual knowledge theft) you can fall into both the Civil and Criminal statutes.

If during your employment you become aware of such activities, you are FKD. Because in the USA you will have zero protection as a whistleblower and if you do nothing you maybe considered part of a criminal conspiracy along with the others when they are caught.

The laws are applied unevenly and sometimes nothing happens, sometimes you are hailed as a Model Citizen, and then other times you end up dead.


A rich person left valuables unattended in his house. One day some of them went missing. The rich person was certain one of the servants took the items.

When the rich person asked for the servant to be punished, the judge asked who was at fault?

* The rich man for leaving the items out to tempt the poor servant to take them?
* The poor servant for succumbing to temptation?

ht tps://

(url fractured to prevent autorun)

JonKnowsNothing June 7, 2021 9:35 PM

@ Jordan Brown

re: By way of analogy, mere unauthorized access to a computer should not be a crime. (Vandalism, theft, et cetera would be a different matter.)

Using an employer’s equipment, electricity, office space, internet connection for other than approved work, is theft. It is theft of time, materials and paid labor with costs that can be quantified.

It may not seem to be a high threshold, but if you consider what individuals have to pay for internet access in the USA it runs in the thousands of dollars per year. A company paying for high speed access, high end equipment, high end servers with matching services and software can easily pass the “trivial” cost threshold quickly.

Just because the company did not prohibit the actions yesterday, does not mean you cannot cross the line today.

If it is not in your contract, best not even do it. If you find something in your contract that is burdensome, renegotiate your contract to remove it or get out.

  • Often there are clauses about “work created or produced on the employees own time”. Read these very carefully. Tech companies are more than aware that people do their own development outside of work. Early years, companies didn’t care much. Now they care a lot. They can and will claim that anything you do on site or at home belongs to them. They can and will claim all past and future development belongs to them and that you assign them 100% of the rights to your work.

Clive has mentioned a few go rounds with folks attempting to snag his work.

MrC June 7, 2021 11:18 PM

To the extent it’s possible to make any coherent sense out of footnote 8, I believe this is the correct interpretation:

  1. The Court did decide that “limitations on access” consisting solely of words found in contracts/policies cannot give rise to CFAA liability
  2. The Court left for another day the question of whether, in CFAA cases, a court should (a) inquire solely into the technological limitations on access, while totally ignoring the contract/policy limitations, or (b) inquire into technological limitations on access, while also taking into consideration how their context is shaped by the contract/policy limitations.

SpaceLifeForm June 7, 2021 11:47 PM

@ JonKnowsNothing, Jordan Brown, Clive

Knocking on a door is not a crime (port scanning a server with nmap). But, if you find an open door (open UDP or TCP port), what do you do? Best to ignore, If you don’t and then you go in, and do damage or steal, (ransomware, exfiltration, etc), then it is definitely a crime.

You can be abusive with nmap. Just like you can keep knocking on someones door just to be abrasive, even though the occupant knows you are there, they do not want to respond (Drop packet).

Of course, one can knock on the door out of concern too. And maybe you go in to make sure that it is not already a crime scene. Especially if the door is open and you know it would not be.

But, finding an open port and then exploiting it is not the same as checking on an occupants well-being.

That said, I think there are a lot of orgs that really should have someone actually run nmap against their internet exposed servers, provide a report that lists the ports open on various ip addresses, and beat them upside the head with the report.

This is security 101.

Colpipe maybe should have done this long ago.

Clive Robinson June 8, 2021 4:57 AM

@ SpaceLifeForm, JonKnowsNothing, ALL,

I think there are a lot of orgs that really should have someone actually run nmap against their internet exposed servers

Unlikely to happen because of,

1, Plausable deniability by managment.
2, Cost saving by managment.
3, Scape goating by managment.

That is senior managment realy realy do not want to know, and would take very active measures against anyone who tried to tell them.

Because senior managment income is based on percieved cost savings increasing share holder value, which also increases the value of the shares they get given to manage.

That’s a big chunk of personal money they kiss good by to if a port scan was run…

Because knowing there are vulnerabilities would involve moving money that in theory has a good ROI into sunk costs. Shareholder speculators notice such things and would take off in the blink of an eye devaluing the stock and thus senior managment looses their bonuses.

So what happens when it all goes wrong and say “Ransomware” happens through one of those open ports.

Well that is where senior managment say “we did not know” which is kind of true, then the big whopper “An employee hid it from us”. So plausable deniability and scapegoating, and if the employee tries telling the truth, well that employee contract probably has more barbs than an “Iron Maiden” and the enployee will be made bankrupt. Worse senior managment will run a campaign against them to make them look dishonest and delusional and with typical US attitudes the employer not the employee will be believed. Thus the employee faces a very real risk of doing jail time.

Just business the US Way…

Erdem Memisyazici June 8, 2021 5:02 AM

While I absolutely see the dissent’s interpretation of “so” the problem is scale. The Supreme Court considers not just police officers but the guy at work using a Facebook he set up with a false name from being charged with the same law. I believe this would have included Aaron Swartz’s prediciment as well.

Putting a stripper’s life in danger aside selling such sensitive information you are entrusted by the public is disgusting and by doing so Mr. Van Buren has no business wearing that uniform.

It is clear that more specific laws need to be enacted as demonstrated by this decision on state and/or federal levels to assess the damages caused by such instances and charge persons accordingly.

SpaceLifeForm June 8, 2021 5:04 PM

@ Clive, JonKnowsNothing, ALL

I think there are a lot of orgs that really should have someone actually run nmap against their internet exposed servers

Unlikely to happen because of

This can be done sans Management.

There are orgs that are contacted by FBI because they have intel that indicates that the org already has a problem.

But, a proactive approach would make more sense than waiting to spot tells from an org that has already been attacked and compromised.

I’m pretty certain this can be done under a completely legal framework.

No hints. More research.

Clive Robinson June 8, 2021 5:48 PM

@ SpaceLifeForm,

This can be done sans Management.

It can, but… Most employees contracts have “Bringing into disrepute” clauses that are so broad saying you work for XYZ without smiling could get you sacked…

Many years ago I had a series of interviews at British Airports Authority, and had effectively been offered the job. I had let my line manager know at that point I was just waiting to sign the contract.

Then at the equivalent of 5 seconds to midnight, I got told “new procedures” ment yet another interview tgis time with a senior Sales and Marketing person. Which struck me as odd as it was a highly technical position I was being offered and nothing what so ever to do with any sales or marketing functions.

I went along and the woman started asking some bizar questions about my private life and telling people about working for BAA. She appeared genuinely shocked when I told her “I do not discuss work or who employes me ever” when she asked why I said “That is what all my previous employers especially the government required of me”. Vocally emphasising the “required” she did not get the message and asked “Why?” and I said “That was their requirments and I can not discuss them” and further “If you need to discuss it you can speak to the refrences I’ve given”.

She realy did not get it and her colleague who obviously did could not get it over to her that this was “normal for certain employers”…

She obviously decided I was not a suitable candidate and a “We are Sorry to say…” letter arrived the day after.

It was not long after that BAA started runing into avoidable “technical difficulties” and problems spread, and eventually they got bought up cheap by a Spanish organisation.

Even today when I’m at social functions and the “and what do you do?” question comes up I answer it with a question like “What do you know about neural networks?” or similar. Usually I get the “Uh oh one of those” looks. Sometimes though I get surprised, and I’ve had one or two quite in depth conversations… On one occasion somebody tried it on me she was tall realy cute and very obviously intelligent and she said “I do gender reasignment surgery” and I thought OK I’m not squeamish and I’m going to be cool about it and we got chatting. Long story short we became quite good friends.

SpaceLifeForm June 9, 2021 5:47 PM

@ Clive

There is a US Government agency that colpipe CEO Blount does not want to be involved.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.