On June 3, 2021, the Supreme Court decided Van Buren v. United States regarding limits on the Computer Fraud and Abuse Act of 1986 (CFAA) for conduct that colorably "exceeds authorized access" by determining that Van Buren was not prohibited, by virtue of improper motive, "so to obtain" information otherwise available to him. 593 U.S. ___ (2021). The decision seemingly reins in the CFAA, focusing it on traditional cybersecurity and hacking violations, while highlighting ambiguities in the language of the CFAA as currently written and the importance of a more limited focus within the broader spectrum of federal laws in this space, including the Economic Espionage Act and Defend Trade
Secrets Act, some of which have bled together over time.
The CFAA, enacted in 1986, imposes criminal liability for exceeding authorized access to computers and computer information. The statute was enacted to fill the gaps left by traditional theft and trespass statutes ill-suited to address hacking and cybercrimes and was originally directed at government and financial computer networks. It was expanded in later years so that it now also includes computers used simply in interstate commerce, i.e., most every other computer. The CFAA imposes criminal liability for anyone who: "intentionally accesses a computer without authorization or exceeds authorized access," with "exceeds authorized
access" meaning "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. §§ 1030(a)(2) and (e)(6). The penalties include fines and misdemeanor sentences for imprisonment up to 10 years and allows for private causes of action seeking monetary damages and equitable relief. Id. at § 1030(g).
In a scenario that seems better suited for late-night television, then-police sergeant Nathan Van Buren approached a man, Andrew Albo, with whom he had crossed paths on the streets, and requested a personal loan. Albo recorded the conversation and took it to the FBI, which devised a
sting operation in which Albo offered Van Buren $5,000 to run a license plate search for him. Working through his patrol-car computer, Van Buren used his valid credentials to access the law enforcement database and obtain the license plate information. Upon apprising Albo thereof, Van Buren was arrested by the FBI and thereafter convicted for breaching department policy and violating the CFAA, and he was sentenced to 18 months in prison.
On appeal to the Eleventh Circuit, Van Buren argued that "exceeds authorized access" only applied to those who obtained information to which their computer access did not extend, not for misuse of such access. Rejecting such reasoning (which had been accepted
by several other Circuit Courts), the Eleventh Circuit upheld the jury’s findings that Van Buren violated the CFAA by accessing the law enforcement database for an "inappropriate reason." 940 F. 3d 1192, 1208 (2019).
The Supreme Court’s reversal centered on the definition of "exceeds authorized access" and the specific question of whether Van Buren was "entitled so to obtain" the record in question. The parties agreed Van Buren was entitled to obtain license plate information from the database but contested whether he was "entitled so to obtain" such information.
Van Buren argued that the use of "so" was a term of reference to the same manner as has been stated, or the way or manner described, quoting Black’s Law Dictionary. Said another way, use of "so," in this context and according to Van Buren, asks whether one has the right, in the same manner as previously stated, to obtain the relevant information (i.e., via a computer otherwise authorized to access). Under this interpretation, a violation only occurs if the information is obtained from an unauthorized source (such as an unauthorized file) – and the accesser's purpose is not relevant.
The Government argued that "so" should be
interpreted more broadly to refer to information not allowed to be obtained in the particular manner or circumstance in which it was obtained, making the propriety of the accesser's purpose, including "as defined by any 'specifically and explicitly' communicated limits on one's right to access information," id. at 10, highly relevant.
The Court found Van Buren’s interpretation of "so" to "be more plausible than the Government’s" because it "is not a free-floating term that provides a hook for any limitation stated anywhere [but]… refers to a stated, identifiable proposition from the 'preceding' text." 593 U.S. __ at p. 7. The Court said that the Government’s interpretation
largely ignored the inclusion of "so" in the statute, adding nothing to the sentence in its argued interpretation.
The dissent, by Justice Thomas with Chief Justice Roberts and Justice Alito joining, argued that common law has long punished those that exceed the scope of consent when using property that belongs to others. Just as a valet cannot take a car for a joyride despite having authorization and access to the car and keys, the CFAA punishes those who exceed the scope of consent when using a computer. The dissent further argues that even if "so" applies to the preceding clause, Van Buren did not have authorization to access the computer in the way in which he did, and therefore it is
irrelevant that he was authorized to access the computer in some ways. The question is whether what he did in this instance was authorized, and it, indeed, was not.
From a more practical perspective, the Court’s majority may have been unwilling to broaden the prohibitions of the CFAA to "limits on one's right to access information" beyond the statute, cautioning against "attach[ing] criminal penalties to a breathtaking amount of commonplace computer activity." Id. at 21. Amici in the case argued that if Van Buren’s conviction were upheld, criminal sanctions might then apply for violations of, e.g., website terms of service or common policies prohibiting the use of company
facilities or devices for personal purposes, among other far-reaching consequences. Such harsh results were not likely intended by the 1986 statute, which focuses on hacking and cybercrime.
This decision seems likely to limit the scope of CFAA, focusing it on activities like cyberattacks and hacking, thereby removing potential redundancies and confusion between the patchwork of existing laws in this space. Ultimately, it may be time for Congress to revisit the statute to clarify such ambiguities and address considerations relevant to computing and criminal defense in the 21st Century – a lot has changed in the computer and cybersecurity world since 1986.
If you have any concerns regarding data security, privacy breaches, cyber attacks, hacking, white-collar crimes, or the Computer Fraud and Abuse Act, please reach out to any of the attorneys listed below.
PDF
