The Supreme Court’s recent decision in Van Buren v. United States significantly narrows the reach of the Computer Fraud and Abuse Act’s prohibition against exceeding authorization to access information. Before Van Buren, courts were split on the reach of the Act; the First, Fifth, Seventh, and Eleventh Circuits broadly interpreted the CFAA to criminalize misusing information they were otherwise allowed to access. Conversely, the Second, Fourth, and Ninth Circuits adopted a narrow approach limiting criminal liability to instances “in which an individual accessed information off-limits to them.” As a result, “mere misuse of information to which they had authorized access could not constitute a violation.” The Supreme Court granted certiorari to resolve the split and ultimately, they adopted the Second, Fourth, and Ninth Circuits’ narrow reading.
After Nathan Van Buren, a then-police sergeant in Georgia, ran a license plate search in his department’s database in exchange for money, the federal government charged him with violating the Computer Fraud and Abuse Act, or CFAA, 18 U.S.C. § 1030. Van Buren v. United States, 141 S. Ct. 1648, 1652 (2021).
Under the Act, it is illegal to “obtain information by intentionally access[ing] a computer … [by] exceed[ing] authorized access.” 18 U.S.C. § 1030(a)(2). The Supreme Court, quoting § 1030(e)(6), explained that someone exceeds authorized access when they “access a computer with authorization,” but then “use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Van Buren v. United States, 141 S. Ct. 1648, 1652 (2021).
At trial, the government claimed that Van Buren “violated the CFAA ‘concept’ against ‘using’ a computer network in a way contrary to ‘what your job or policy prohibits.’” Van Buren v. United States, 141 S. Ct. 1648, 1653 (2021). Why? Because, according to department policy, officers weren’t allowed to use the database for “personal use.” Id. In turn, the government argued that Van Buren’s use – in contravention of department policy – transformed into an “improper purpose,” thus, violating the Act. Id. In response, Van Buren argued that he didn’t violate the CFAA because he was permitted to access the license plate database.
Van Buren was ultimately convicted for this offense, and the Eleventh Circuit later upheld his conviction, reasoning that Van Buren “violated the CFAA by accessing the law enforcement database for an ‘inappropriate reason.’” Id. at 1654. This holding, based on Circuit precedent, reflected a broad interpretation of the Act’s exceeding authorization clause because, under this approach, accessing a computer for an improper purpose triggered criminal liability. The Eleventh Circuit’s opinion noted that other courts have rejected such an expansive interpretation of “exceeds authorized access,” including the Ninth Circuit’s 2012 decision in United States v. Nosal or the Second Circuit’s 2015 decision in United States v. Valle. In both of those cases, “exceeds authorized access” was limited to accessing information “that he does not have authorization to access for any purpose which is located on a computer that he is otherwise authorized to access.” Valle, 807 F.3d 511.
The Court Narrows the Reach of “Exceeds Authorized Access”
Writing for the majority, Justice Barrett explained that Van Buren’s use of the database didn’t violate the Act because the Act “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.” Van Buren v. United States, 141 S. Ct. 1648, 1652 (2021). Said less abstractly,
… if a person has access to information stored in a computer—e.g., in “Folder Y,” from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.
Van Buren v. United States, 141 S. Ct. 1648, 1654 (2021).
Ultimately, Van Buren’s holding represents a necessary limitation on the scope of federal prosecutors’ reach because otherwise, the government’s reading of the statute “would attach criminal penalties to a breathtaking amount of commonplace computer activity,” such as checking personal email or updating Instagram. 141 S. Ct. 1648, 1661 (2021). Finally, and most notably, the Court’s holding also reflects shifting attitudes and experiences with computers in general; in particular, one “possibility is that the division among the conservatives is about familiarity with current computer-use norms… including sometimes using work email for personal matters.” While it’s too early to tell how this new generation of justices will approach technological advances, Van Buren suggests that future opinions may reflect a significantly more tech-savvy bench.