There is a well-worn legal maxim that “hard cases make bad law.” In deciding Van Buren v. United States today, the Supreme Court was faced with the opposite problem: bad laws[i] make hard cases. Specifically, in a 6-3 decision, the Court found that the Computer Fraud and Abuse Act (“CFAA”) does not extend to an individual’s accessing information over the internet for an improper purpose, so long as the individual would be entitled to access for a proper purpose. There’s no question that interpreting the opaquely-worded CFAA forced the Court to choose between two bad options, with a parade of horribles on both sides; it chose the option that clearly decriminalizes everyday behavior (but also would allow abusive use of access that individuals have solely for work purposes).
The CFAA (codified at 18 U.S.C. § 1030) was enacted in 1986, based on a number of hacking incidents as well as — allegedly — Reagan White House viewings of the movie “War Games.” It was originally intended to deter hacking into government computers, financial institution networks, and other “protected computers.” For that reason, it established that a person commits a crime when he or she “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” In that context, “the term ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” And the term “protected computer” includes any computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” With the advent of the internet and its expansion into every part of our lives, however, the portion of the law prohibiting exceeding access to protected computers has expanded the scope of the CFAA immensely.
Against the backdrop of this broad law came Sergeant Nathan Van Buren and a set of facts seemingly out of Southern Gothic lore. Sergeant Van Buren was a financially troubled officer in the Cumming, Georgia police department. He (along with the rest of the department) had been warned to stay away from Andrew Albo, a local widower in his sixties with a penchant for much younger women, including prostitutes. But instead of staying away, Van Buren befriended Mr. Albo during an arrest for providing alcohol to a minor and helped him “handle” disputes with young women.
Seeing an opportunity for help with his financial woes, Van Buren told Albo — falsely — that he had substantial medical debts. He then asked Albo for a loan. But instead of appreciating Van Buren’s position, Albo went to the county sheriff’s department with recordings of the request and told them Sergeant Van Buren was shaking him down. The FBI got involved and decided to run a sting operation. First, it had Albo ask Van Buren for help running drugs, but the police sergeant refused. Then, it had Albo ask for information about a female friend that Albo had allegedly met at a strip club (specifically, information regarding whether she was an undercover police officer). Albo offered money in exchange for Van Buren accessing Georgia and national criminal databases to run the woman’s license plates. Van Buren accepted the money and ran the plates, then texted Albo when he had done so. The FBI and Georgia Bureau of Investigation then swept in and arrested Van Buren, who admitted to all of the facts and agreed what he had done was wrong.
The local U.S. Attorney charged Van Buren with honest services fraud and unauthorized access to the government databases in violation of the CFAA. He was convicted on both counts, but the Court of Appeals reversed the honest services fraud verdict on the basis of improper jury instructions. Van Buren then took the CFAA conviction to the Supreme Court.[ii] Specifically, the Supreme Court considered whether a person who is authorized to access information on a computer for certain purposes violates the CFAA if he accesses that information for an improper purpose.
The six-Justice majority, in an opinion written by Justice Barrett, decided that the CFAA would not extend so far. The majority started with the text of the CFAA, and believed that the act was structured so that the two options for the offense (access with authorization or access exceeding the scope of authorization) would be parallel in a binary “gates-up-or-down inquiry.” That is, because the only question for the first part was whether the accesser had authorization or not, the second part should be limited to the question of whether the accesser had authorization to access that information in any circumstance or not. In that sense, Justice Barrett used a physical analogy for the scope of authorization, describing the prohibition as relating to “particular areas of the computer – such as files, folders, or databases – to which their computer access does not extend.” In doing so, she rejected the government’s assertion that the majority’s interpretation would read the word “so” (in the phrase “entitled so to obtain or alter”) from the statutory definition of “exceeds authorized access.” She indicated that the word “so” could be understood to distinguish the situation where an individual is not entitled to see the same information in non-computer-based means (such as, hypothetically, if a person were entitled to see a personnel file in hard copy by not electronically).
The majority also relied on the history of the CFAA’s enactment and a parade of horrible possible applications of the law to reject the government’s reading that it covers access for an improper purpose. The first version of the law that the CFAA replaced explicitly considered the purpose of access and the CFAA did not. However, the legislative history (which neither the majority nor the dissent mentions) expressly stated that the change was not intended to be substantive. In addition, the majority noted that the CFAA as read by the government could be understood to encompass everyday violations of terms of service, such as use of a work computer for personal reasons or embellishing online-dating profiles or using a pseudonym on Facebook. For all of these reasons, the majority held that exceeding authorized access related to computer structures, not terms (or purposes) of access.
Justice Thomas, writing in dissent and joined by Chief Justice Roberts and Justice Alito, disagreed with the outcome of the case primarily based on settled property law considerations. He saw nothing more definitive about the majority’s reading — any more of a “gates-up-or-down” approach — than if exceeding authorized access considered what the circumstances of authorization were. In doing so, he analogized to property law, which generally protects against unlawful entry and unlawful use of property after entry. And he saw nothing more reasonable in decriminalizing access in all circumstances if there is a single exception than prohibiting such access if an authority had explicitly said so. For example, the majority’s reading decriminalizes an IT administrator’s actions in deleting every file on a computer minutes before resigning. Thus, Justice Thomas noted, the majority’s reading of the CFAA constitutes a substantial narrowing of the law.
As a practical matter, the narrow reading of the CFAA shifts power from employers and the government to employees and website visitors. The CFAA previously provided an arrow in the quiver of employers to discourage employees from misusing their access to information or misappropriating trade secrets (it was another criminal offense that could lead to an arrest before the employee disseminated the trade secrets beyond the doors of the company). It also served as the primary basis for the federal government to charge employees who used IRS, Social Security, or law enforcement databases to stalk private citizens. On the other hand, it also chilled some investigative reporting and whistleblowing because of violation of terms of service for websites. Thus, every person who shops on their company computer or uses a fake e-mail address to avoid spam from a website can breathe a little easier. And we can all hope that Congress will take the Court’s decision as a reason to rewrite the CFAA and bring it into the internet age.
Van Buren v. United States (2021)
Opinion by Justice Barrett, joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh; dissenting opinion by Justice Thomas, joined by Chief Justice Roberts and Justice Alito
[i] Columbia University Law School professor Tim Wu called the CFAA the “worst law in technology” in a 2013 New Yorker article.
[ii] See United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019).