Van Buren involved a former police sergeant who ran a license plate search in a law enforcement computer database in exchange for money. His department policy authorized him to obtain database information only for law enforcement purposes, which Van Buren clearly violated. At issue, however, was whether Van Buren also violated the CFAA when he ran the license plate search in violation of department policy. The Court held that he did not and reversed his conviction.
In reaching its conclusion, the Court explained it was undisputed that Van Buren accessed the law enforcement database system with authorization (i.e. he used his patrol-car computer and valid credentials to log into the law enforcement database). The only question was whether he could use the system to retrieve license plate information, which both sides agreed he could. Accordingly, the Court found that he “did not ‘exceed authorized access’ to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.”
The Court further explained that “the government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity.” For instance, in the workplace, employers frequently state that computers and electronic devices can be used only for business purposes. Under the government’s interpretation, “an employee who sends a personal email or reads the news using a work computer has violated the CFAA.” Many websites also authorize a user’s access only upon his or her agreement to follow specified terms of service. Under the government’s interpretation, the CFAA would “criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.”
Therefore, under Van Buren, if a person has access to information stored in a computer, he or she does not violate the CFAA by obtaining such information, regardless of whether he or she pulled the information for a prohibited purpose.