On June 3, 2021, the Supreme Court issued a 6-3 decision in Van Buren v. United States, narrowing the scope of the Computer Fraud and Abuse Act (CFAA). In resolving a circuit split in favor of a limited interpretation of the phrase “exceeds authorized access,” the Court held that the criminal provisions of the CFAA do not apply to individuals who have authorized access to computer information, but access that information for a reason that is not permitted. The Court’s ruling curtails the federal government’s ability to charge individuals with computer fraud, including the criminalization of commonplace and potentially harmless conduct, such as sending a personal email through a work computer when a company’s policy precludes such use of the computer system.
Background on the CFAA and the Prior Circuit Split
As the main federal anti-hacking statute, the CFAA holds criminally liable anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” The term “exceeds authorized access” is defined in the statute as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
Prior to the Supreme Court’s decision, there was a circuit split over the meaning of “exceeds authorized access,” as discussed in a previous Kramer Levin client alert. The First, Fifth, Seventh and Eleventh Circuits had broadly interpreted “exceeds authorized access” to criminalize obtaining access to computer information for an unpermitted purpose. The Second, Fourth and Ninth Circuits, however, had narrowly interpreted “exceeds authorized access,” holding that defendants violate the statute only if they are prohibited from accessing computer information under all circumstances.
Nathan Van Buren was a small-town Georgia police officer who, on behalf of a private individual, used his law enforcement credentials to run a search for license plate information in a police database in exchange for $5,000. The payment was part of an FBI sting operation, through which the FBI directed a man named Andrew Albo to ask Van Buren to search the law enforcement database for a license plate supposedly belonging to a woman Albo met at a strip club. Van Buren was clearly authorized to search the database for a license plate, but running that search in exchange for money and for non-police business violated the police department’s policy on using the database. Based on this unauthorized purpose, Van Buren was charged under the CFAA for exceeding his authorized access to the police database.
The Court’s Decision
The Supreme Court held that Van Buren did not exceed his “authorized access” because he was authorized to access license plate information and that authorization, not his improper purpose in accessing the information, was what mattered under the CFAA. In so ruling, the Court explained that the CFAA only criminalizes obtaining information from particular areas in the computer to which that person’s permitted computer access does not extend.
Writing for the majority, Justice Barrett engaged in a textual analysis of the CFAA’s definition of “exceeds authorized access,” particularly its definition as pertaining to information the individual was “not entitled so to obtain.” The Court held that the phrase “not entitled so to obtain” was “best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.” In other words, the relevant question was whether Van Buren had been authorized access to the part of the computer system (files, folders or databases) he accessed, and the answer was clearly “yes.” He therefore could not be charged under the CFAA. The Court also observed that the statute provides for civil liability, redressing technological harms to computer systems, and thus is ill-suited to remedying the misuse of information with which the government was concerned.
In addition, the Court cautioned that the government’s broad reading of the statute would criminalize commonplace, innocuous behavior: “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.” For instance, the Court noted that based on the government’s interpretation, an employee who sends a personal email or reads the news using her work computer, a person who embellishes an online-dating profile, and a person who uses a pseudonym on Facebook would all have violated the statute.
In dissent, Justice Thomas focused on the fact that Van Buren lacked a proper law enforcement purpose, and argued that Van Buren was not “entitled” to access the computer data. The dissent pointed to several real-world examples where context or purpose are important to whether a person has access to property. Responding to the majority’s concern that a broad reading would criminalize common, innocuous activity, Thomas wrote: “Much of the Federal Code criminalizes common activity. … It is understandable to be uncomfortable with so much conduct being criminalized, but that discomfort does not give us authority to alter statutes.”
In light of the Supreme Court decision, cyber and privacy practitioners and businesses should note that:
- Motive or purpose for accessing information is not relevant to the “exceeds authorized access” clause under the CFAA.
- Employee actions in violation of internal company policies are not automatically criminalized under the CFAA. The relevant question is whether an employee was authorized to access the part of the computer system she accessed.
- The CFAA does not apply to all cyber misconduct, e.g., an improper, but otherwise authorized, access of computer information.
It is not clear yet whether Congress will consider amending the CFAA or pass other legislation to address the Court’s holding in Van Buren.
 18 U. S. C. §1030(a)(2).
 18 U. S. C. §1030(e)(6).