On June 3, 2021, the Supreme Court issued its opinion in Van Buren v. United States, Case No. 19-783. Van Buren is a former police sergeant from Georgia. Relevant to the case, Van Buren accepted money to use his patrol car computer to access a database and retrieve information about a license plate. He was indicted and convicted for violating the Computer Fraud and Abuse Act of 1986, or the “CFAA.” His appeal eventually reached the United States Supreme Court, which reversed his conviction and held that the government read the CFAA too expansively to convict Van Buren. As a result, the Court restricted the CFAA’s scope of liability, which could make computer crimes more difficult to prosecute or pursue civilly unless database owners take steps to preserve required evidence.
The Facts
Van Buren is an ex-sergeant in a Georgia police department. The FBI began investigating Van Buren after receiving a recorded conversation where Van Buren “shook down” an undercover informant for cash. The FBI initiated an undercover operation to, as the Court put it, “see how far Van Buren would go for money.”
The FBI directed the informant, while wired, to ask Van Buren to search a law enforcement database for a license plate that the informant wanted information about in exchange for $5,000. The story was that the informant had met the woman who owned the plate at a strip club, and he needed to know that she was not an undercover officer.
Van Buren complied by using his patrol car computer. Van Buren’s department policy permitted such searches only for a legitimate law enforcement purpose. The Government’s theory was that the breach of department policy exceeded Van Buren’s authorization under the CFAA, and Van Buren was charged with and convicted of violating the CFAA.
On appeal, the Eleventh Circuit affirmed, criminalizing Van Buren’s access for an “inappropriate reason.” The Supreme Court granted certiorari to resolve a circuit split concerning the scope of liability under the CFAA’s “exceeds authorized access” clause.
The History of the CFAA
The CFAA was born out of necessity. As Justice Barrett recited in the Court’s opinion, trespass and similar actions failed to capture internet crimes and hacking during the 1980s technology boom.
The CFAA creates criminal liability for “intentionally access[ing] a computer without authorization or exceed[ing] authorized access” and obtaining information as a result. Over time, amendments expanded the scope of information subject to protection from initially only financial information to anything “used in or affecting interstate or foreign commerce or communication.” Therefore, in the Court’s words, the CFAA protects “all information from all computers that connect to the internet.”
The CFAA created civil and criminal responsibility for violators. On the civil side, persons suffering “damage” or “loss” from a CFAA violation may sue for money damages and equitable relief. Prosecutions may result in punishments ranging from misdemeanor sentences and fines to a potential of up to ten years in prison for more egregious violations of the statute.
The Supreme Court’s Analysis and Holding
The Court began by analyzing the text of the statute. The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.” There was no dispute that Van Buren accessed the information; rather, the question before the Court was whether he was “entitled so to obtain” that license plate information.
The Court engaged in a lengthy determination of what the word “so” means in “entitled so to obtain.” Van Buren argued it meant “the same manner as has been stated” or “the way or manner described” previously in the statute. Thus, in Van Buren’s construction, “so” means “whether one has the right, in ‘the same manner as has been stated [in the statute],’ to obtain the” license plate information. In practice, Van Buren read the statute to mean that the CFAA criminalizes accessing information one is not allowed to obtain on a computer that one is authorized to access. The Government argued “so” means more and that the CFAA should criminalize accessing information that is not permitted to be obtained in the particular method or manner in which it was obtained, i.e., as a product of a bribe. The Court agreed with Van Buren’s interpretation and read “is not entitled so to obtain” to “refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.”
To drive this point home, the Court rejected all of the Government’s counterarguments. Importantly, the Court held that the Government’s untenable reading would result in prosecutions where an employee accesses a company computer which imposes a “business use only” restriction. Under the Government’s reading, an employee who uses a company computer to read the news or send a personal email could be subject to criminal liability. The Court’s opinion limited the statute’s reach and, now, “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him.” Because Van Buren was authorized to use his patrol car computer and obtain license plate information, he could not be convicted for violating the CFAA.