On Thursday, June 3, 2021, the United States Supreme Court, in a 6-3 opinion, narrowed the scope of the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §§ 1030. In Van Buren v. United States, the Supreme Court reversed the United States Court of Appeals for the Eleventh Circuit’s ruling affirming the conviction of a former Georgia police officer for violating the CFAA.
Nathan Van Buren asked the Supreme Court to interpret two provisions of the CFAA. The first, 18 U.S.C. § 1030(a)(2)(C) prohibits users of computers owned by others from “exceed[ing] authorized access” to those computers. The second, § 1030(e)(6), defines “exceeds authorized access” to mean accessing a computer “without authorization,” and “using such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Mr. Van Buren had been authorized to search computer license plate records for law enforcement purposes. During an FBI sting operation, he unwittingly ran a license plate search for an FBI informant in exchange for money. The Department of Justice charged Mr. Van Buren, among other counts, with computer fraud under the CFAA. The Eleventh Circuit upheld his conviction, citing its earlier precedent holding that a person “exceed[s] unauthorized access” to data when accesses it for a prohibited use, even if he is authorized to access it for other purposes.
Mr. Van Buren argued to the Supreme Court that the CFAA only applies if a defendant obtains information that he was not under any circumstances entitled to obtain. In other words, the CFAA does not prohibit misuse of authorized access. Any other reading, Mr. Van Buren argued, could criminalize everyday activities that might violate purpose-based restrictions. For example, taking Mr. Van Buren’s analysis to its logical conclusion, an employee who obtains data for personal use from a work computer in violation of company policy might face liability under the CFAA.
By contrast, the United States government argued that the plain meaning of “obtain[ing] information in the computer that the accesser is not entitled so to obtain” includes obtaining information for an unauthorized purpose. The government argued that to be “entitled so to obtain” information, the person must have been “granted a right to do it in a particular matter or circumstance.”
The Supreme Court, in a 6-3 opinion authored by newest Justice Amy Coney Barrett, sided with Mr. Van Buren, holding that the CFAA only prohibits only access to areas in a computer, such as file folders or databases, that users are not authorized to access. “It does not cover those who … have improper motives for obtaining information that is otherwise unavailable to them.” Rather than focus on the policy arguments, majority, which included the three recently appointed Justices, and the three most liberal justices, focused on the text of the CFAA. In her opinion, Justice Barrett noted that an overly broad interpretation of the CFAA would penalize every-day computer activity such as employees sending personal emails or checking sports scores on work devices. In other words, if the law “criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals,” Justice Barrett wrote.
The opinion is consistent with briefs of amici curiae from a cross-section of cybersecurity experts, free press advocates, and libertarians that argued that upholding Mr. Van Buren’s conviction would create precedent that criminalizes innocuous or even innocent computer activity. The opinion ensures that, at least as it relates to the CFAA, mundane behavior won’t rise to the level of a federal offense.