Should an individual with authorized access to a computer system be held criminally liable for retrieving information for an improper purpose?
That was the question before the U.S. Supreme Court in Van Buren v. United States, 593 U.S. (2021). The petitioner, Nathan Van Buren, was a former sergeant with the Cumming, Georgia, police department who used the computer in his patrol car to run a license plate search in exchange for money. He was criminally charged for violating the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.
Originally enacted in 1986 to make computer hacking a crime, the CFAA has been broadened over the years to cover a wide range of conduct. The statute’s wording is vague, and a broad interpretation would attach stiff criminal penalties to everyday computer activities. The First, Fifth, Seventh, and Eleventh Circuits have taken this broader approach, while the Second, Fourth, and Ninth Circuits have favored a narrower reading.
The Supreme Court accepted Van Buren’s case to resolve the circuit split. Through a nuanced analysis of the language of the statute, the Court held that an individual does not violate the CFAA by obtaining information for an impermissible purpose through otherwise authorized access. However, the decision leaves open the question of whether the CFAA applies to individuals who violate content-based access restriction policies.
Van Buren v. United States: Case Background
During his tenure as a police officer, Van Buren struck up a friendship with Andrew Albo, and had helped Albo handle disputes with various women. Van Buren asked Albo for a loan, claiming he needed the money for his son’s medical expenses. Albo recorded the conversation and turned it over to the local sheriff’s department, which passed it along to the FBI.
The FBI set up a sting operation in which Albo paid Van Buren $6,000 to conduct a license plate search. Van Buren used his legitimate credentials to access the Georgia Crime Information Center (GCIC) database, which is connected to the National Crime Information Center (NCIC) maintained by the FBI. It was the department’s policy that the database should not be used for an “improper purpose,” which included “any personal use.”
The FBI arrested Van Buren for violating subsection (a)(2) of the CFAA, which imposes criminal liability for an individual who “intentionally accesses a computer without authorization or exceeds authorized access.” The statute specifically refers to accessing a computer to obtain “information from any department or agency of the United States.”
Van Buren was found guilty in a jury trial and sentenced to 18 months in prison. He appealed to the U.S. Court of Appeals for the 11th Circuit, which upheld the conviction based upon precedent despite being sympathetic to Van Buren’s arguments. Van Buren then appealed to the Supreme Court.
Analyzing the CFAA Law
Subsection (e)(6) of the CFAA defines “exceeds authorized access” as “us[ing] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The government argued that Van Buren’s actions fell within the ambit of the statute because the manner in which he obtained the information exceeded limits that were clearly communicated to him—that is, the police department’s policy.
Van Buren argued that an individual would have to obtain information he was not entitled to access through his authorized use of the computer. Because Van Buren was entitled to access the license plate information, he did not violate the law, even though he used the information for an unauthorized purpose.
In analyzing the language of the statute, the Supreme Court found that both elements of the crime—accessing without authorization and exceeding authorized access—favor a “gates-up-or-down inquiry.” Neither hinges on the intent of the user. If a user is permitted to pull information from Folder A, he may do so for any reason without violating the CFAA. However, if a user’s login credentials do not give him access to Folder B, he violates the CFAA if he obtains that information.
The Court also expressed concern that the government’s reading of the statute would criminalize “every violation of a computer-use policy.” It would also make criminal liability dependent upon the precise wording of such policies drafted by employers and online services.
Impact of the Case
Because the CFAA provides for a private right of action, companies have used it to sue computer system users who misappropriate confidential or sensitive information such as trade secrets. Under the broad definition favored by the First, Fifth, Seventh, and Eleventh Circuits, a departing employee who takes trade secrets could be held liable for exceeding authorized access. Van Buren forecloses that approach.
But while the Supreme Court acknowledged the potential for abuse of the CFAA, the Van Buren ruling does not address computer use policies that are content-based. If a user’s login credentials give him access to Folders A and B, but the user is not permitted to access the content in Folder B for any reason, the CFAA could still apply if the user did access Folder B. That’s because the Court did not specify whether “authorized access” should be defined technically or if policy- or contract-based restrictions were sufficient.
Nevertheless, the Supreme Court resolved the circuit split regarding the CFAA, and provided guidance to companies, practitioners, and courts on how to interpret and apply the statute. The narrower reading of the law reduces the risk that computer users can be criminally charged for retrieving information they are otherwise authorized to access.
Learn More About Technology and the Law
Purdue Global Law School offers an online Executive Juris Doctor for those who wish to further their career by earning an advanced legal education but do not intend to become a practicing attorney. This program features a law and technology track that provides advanced legal training on matters related to cyber law. Single courses in technology and the law are also available.