On June 3, 2021, the Supreme Court decided Van Buren v. United States regarding the Computer Fraud and Abuse Act of 1986 (CFAA) and the interpretation of the phrase “exceeds authorized access” and interpretation of “so” in the definition of the same. 593 U.S. ___ (2021). Nathan Van Buren is a former police sergeant who ran a license-plate search in exchange for money. While he had authorization and appropriate access to run license-plate searches, this particular use of the database obviously exceeded his authority.
The CFAA, enacted in 1986 at the early dawning of computer usage, imposes criminal liability for exceeding authorized access to computer information. The statue was enacted to fill the gaps created by traditional theft and trespass statutes that were ill
suited in addressing hacking and cybercrimes. The CFAA imposes criminal liability for anyone who: “intentionally accesses a computer without authorization or exceeds authorized access,” with “exceeds authorized access” defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. §§ 1030(a)(2) and (e)(6). The penalties include fines and misdemeanor sentences for imprisonment up to 10 years and also allow for private causes of action seeking monetary damages and equitable relief. Id. at § 1030(g).
In a scenario that seems better suited for late-night television, then-police sergeant Van Buren approached a man he had crossed paths with on the streets, Andrew Albo, requesting a personal loan. Albo recorded the conversation and took it to the
FBI, who devised a sting operation to see what Van Buren would be willing to do for the money. Albo offered Van Buren $5,000 if Van Buren agreed to run a license plate search on a woman purportedly from a strip club for him. Van Buren used his patrol-car computer to access the law enforcement database using his valid credentials and relayed the license plate information to the man in exchange for the money. At which point he was immediately arrested by the FBI. Van Buren was convicted by a district court jury for breaching department policy and violating the CFAA and was sentenced to 18 months in prison.
Van Buren appealed to the Eleventh Circuit, arguing “exceeds authorized access” only applied to those who obtained information to which their computer access did not extend, not in cases of misuse of access. The Eleventh Circuit upheld the jury’s findings that Van Buren
violated the CFAA by accessing the law enforcement database for an “inappropriate reason.” 940 F. 3d 1192, 1208 (2019).
The Supreme Court’s decision centered around the definition of “exceeds authorized access.” Both parties agreed that Van Buren met the first prong of the statute by “access[ing] a computer with authorization” and “obtain[ing]… information in the computer.” The question was whether he was “entitled so to obtain.” Van Buren was entitled to obtain license plate information from the database, but was he “entitled SO to obtain” the information? Van Buren argued that use of “so” was a term of reference to the same manner as has been stated, or the way or manner described, quoting Black’s Law Dictionary. Said another way, use of “so,” in this context, according to Van Buren, asks whether one has the right, in the same manner as
previously stated, to obtain the relevant information (i.e. via a computer otherwise authorized to access). Under this interpretation, the violation only occurs if the information is obtained from an unauthorized source (such as an unauthorized file). The Government argued that “so” should be interpreted more broadly to refer to information not allowed to be obtained in the particular manner or circumstance in which it was obtained. The Court found Van Buren’s interpretation of “so” to “be more plausible than the Government’s” because it “is not a free-floating term that provides a hook for any limitation stated anywhere [but]… refers to a stated, identifiable proposition from the “preceding” text.” 593 U.S. __ at p. 7. The Court said that the Government’s interpretation largely ignored the inclusion of “so” in the statute, adding nothing to the sentence
in its argued interpretation.
From a more practical perspective, it seems the Court was simply unwilling to broaden the implications of the CFAA. If Van Buren were held criminally liable for misuse, such a holding could impose criminal sanctions for misuse of terms and conditions and violations of policies – such as requirements that a business device not be used for personal purposes and other far-reaching consequences. Such a harsh result was not likely intended by the 1986 statute, which focuses on hacking and cybercrime. This decision seems to slightly narrow the CFAA and trims it back to use to cyberattacks and hacking. Ultimately, it may be time for congress to pass an updated version of the statute to clear up these ambiguities and address considerations for the modern day and age – a lot has changed in the computer and cybersecurity world since 1986.