The Computer Fraud and Abuse Act Is Not Nearly As Broad As Some Prosecutors Claim: Van Buren v. U.S.

June 4, 2021

I Find Authority Always Wins, or how a police officer – bribed to check a license plate – got SCOTUS to clarify one of the vaguest laws on the books.

The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, provides both criminal penalties and civil remedies for accessing information on a computer system without “authorization.” But because the statute does not define what “authorization” is, the courts have sharply split over what the CFAA covers.

Suppose an employee, who is unquestionably entitled to access his or her employer’s system at the time, uses that pathway to obtain the company’s confidential information and thereafter uses the information to the company’s detriment. Is the employee liable under the CFAA? At the time of the access, he or she had the employer’s authority to use the system – yet the employee’s use was actually a direct betrayal of the employer. Had the employer known what the employee was actually doing, they would never have granted permission.

Or suppose a publicly-available website imposes Terms of Service that require the input of certain information before a user can interact with the site or sets limits on what a user is permitted to do on the site. If a user does not comply with the TOS, but nevertheless uses the website, can they be prosecuted?

Due to a circuit split, liability, or guilt, depended on where the case was filed – until now, thanks to the Supreme Court’s ruling in Van Buren v. United States, Oct. Term 2020 No. 19-783 (June 3, 2021). Van Buren was a police sergeant in Georgia. An acquaintance of his (Albo, who apparently was known to pay certain women to “spend time” with him and then accuse the women of stealing his money) gave Van Buren thousands of dollars in cash and asked him to check law enforcement computer files regarding a woman who had attracted Albo’s attention. Van Buren ran the requested checks, using his duly-issued credentials, only to learn afterward that Albo was actually cooperating with law enforcement and that the whole thing was a trap. He was convicted of violating the CFAA for “exceeding his authorized access” in running the computer checks, and the 11th Circuit affirmed.

The Supreme Court granted certiorari to consider how to properly interpret the CFAA’s “authorization” element. Van Buren was unquestionably a legitimate user of the police database at the time he checked it and was fully entitled to access the information he obtained. Yet the purpose for which he obtained that information was, just as unquestionably, not that which was intended or expected. So the ultimate question was whether Van Buren could properly be convicted if he had a right to the information for a legitimate purpose, but obtained that information for an illegitimate purpose.

Yesterday, the Court ruled in favor of Van Buren, concluding that since he was authorized to use the database he did not violate the CFAA even though his use was for an improper purpose. In the 6-3 ruling, Justice Comey’s majority opinion relied primarily on the text of the Act itself – in particular, the key phrase “entitled so to obtain” – in concluding that the CFAA is limited by its terms to situations where the method of obtaining the information was unauthorized.

After yesterday’s ruling, there are still plenty of ways to hold the true “hacker” accountable. But the CFAA’s use – both by prosecutors and plaintiffs – should be curtailed, which is good news for the many Internet users who pay little attention to Terms of Service or have not memorized Acceptable Use policies. For them, failing to read the fine print may have consequences, but they probably won’t be criminal.