The Supreme Court’s Van Buren Decision Limits the Scope of the Computer Fraud and Abuse Act
Van Buren v. United States, No. 19-783, 2021 WL 2229206 (U.S. 2021)
On June 3, 2021, the Supreme Court issued an opinion reversing the Eleventh Circuit’s holding that former police sergeant Nathan Van Buren had violated the Computer Fraud and Abuse Act of 1986 (CFAA) by accessing the law enforcement database to obtain information in exchange for money. In a 6-3 majority decision, the Court found that the CFAA does not apply to situations where a person, who has authorization to access information for work purposes, accesses that information for improper purposes.
Congress passed the CFAA, codified at 18 U.S.C. § 1030, in response to a series of highly publicized hackings that followed the technological advances at the dawn of the 1980s. Under the CFAA, anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains information in the computer, violates the statute. 18 U.S.C. § 1030(a)(2). The phrase “exceeds authorized access” is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” Initially written to protect mainly the government and financial institutions, the CFAA has since been expanded to cover any information from any computer “used in or affecting interstate or foreign commerce or communication.” As a result, the CFAA now applies to all information from all computers that connect to the Internet. Those who violate § 1030(a)(2) face penalties ranging from fines and misdemeanor sentences to imprisonment for up to 10 years. The CFAA also provides a private civil cause of action, which allows persons suffering damage or loss from CFAA violations to sue for money damages and equitable relief.
Van Buren, while serving as a police sergeant in Georgia, had developed a friendly relationship with a man named Andrew Albo, who was regarded as very volatile by Van Buren’s department. Van Buren asked Albo for a personal loan, but Albo secretly recorded the request and turned it in to the sheriff’s office. The recording eventually ended up at the Federal Bureau of Investigation (FBI). The FBI created a sting operation to see how far Van Buren would go. In conducting the operation, Albo promised $5,000 to Van Buren if Van Buren searched the state law enforcement computer database for a license plate supposedly belonging to a woman Albo had met at a strip club. Van Buren agreed and provided the information by using his patrol-car computer to access the database with his valid credentials. Van Buren’s conduct clearly violated his department’s policy, which authorized him to obtain database information only for law enforcement purposes. The FBI criminally charged Van Buren with violation of the CFAA.
At trial, the jury convicted Van Buren and the District Court sentenced him to 18 months in prison. Van Buren appealed to the Eleventh Circuit, arguing that (1) the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have, and (2) the “not entitled so to obtain” clause refers to information one is not allowed to obtain by using a computer that one has access to. The Government disagreed, arguing that (1) the “exceeds authorized access” clause applies so that one cannot obtain information in a way contrary to the authorization granted through one’s job policy, and (2) the “not entitled so to obtain” clause refers to information one is not allowed to obtain in the particular manner or circumstances in which it was obtained.
At the time, the Circuits were split on how to read the provisions. While several Circuits read them Van Buren’s way, the Eleventh Circuit took a broader view. Consistent with its precedent, the Eleventh Circuit panel held that Van Buren violated the CFAA by accessing the law enforcement database for an inappropriate reason. The Supreme Court granted certiorari to resolve the split in authority.
Supreme Court Opinion
The majority reversed the Eleventh Circuit’s decision, rejecting the broader interpretation of the CFAA. The Court construed the text of the CFAA provisions to create a “gates-up-or-down inquiry”: (1) whether one can or cannot access a computer system and (2) whether one can or cannot access certain areas within that system. The second part of the inquiry is limited to the question of whether the accessor had authorization to access that information in any circumstance or not. In light of that analysis, the majority made clear that the CFAA provision criminalizes only those who obtain information from particular areas in the computer, such as files, folders, or databases, to which their computer access does not extend. It does not criminalize those who have improper motives for obtaining information that is otherwise available to them.
If a person has access to information stored in Folder Y of a computer from which the person could permissibly pull information, then they do not violate the CFAA by obtaining such information, regardless of whether they pulled the information for an improper motive. However, if the information is instead located in prohibited Folder X, to which the person lacks access, they violate the CFAA by obtaining information from Folder X.
The Government’s reading would criminalize every violation of a computer-use policy and terms of service from an online source. Millions of otherwise law-abiding citizens would be criminals. For example, an employee who sends a personal e-mail or visits a non-work-related website, such as a news website, using their work computer would have violated the CFAA.
Therefore, under Van Buren, it is irrelevant whether a person, in obtaining information, exceeded the scope of access assigned to them, so long as they accessed the computer with valid credentials and obtained the information from an area of the computer that their access allowed them to reach. As a result of the decision, Congress may propose new legislation or elect to redraft the CFAA. Government agencies and employers may decide to establish clearer restrictions and regulations on computer use and access. Regardless of the Van Buren decision, Van Buren’s conduct and other similar conduct may still constitute a violation of other federal and state statutes or a breach of existing computer use and access policies already exercised by an employer, service provider, institution, etc. The Van Buren decision does not create a free pass to partake in improper or fraudulent conduct with information obtained through valid access or credentials.