High Court Interprets "Exceeds Authorized Access" Provision of the Computer Fraud and Abuse Act - VAN BUREN v UNITED STATES

Photo Source

FACTS

Police Sergeant Nathan Van Buren needed money. To satisfy his need, he asked one Andrew Albo (who was reputed to have connections to prostitution and who had prior police contacts) for help. Van Buren's request was reported to the local sheriff and passed on to the Federal Bureau of Investigation (FBI). A sting operation was established whereby Albo was to offer Van Buren $6000.00 in exchange for Van Buren's assistance in looking up a license plate on the Georgia Crime Information Center (GCIC) computer, so as to determine if the owner, a stripper, was in fact an undercover agent.

Van Buren completed the request resulting in his arrest for felony computer fraud under the provisions of Section 1030(a)(2) of the Computer Fraud and Abuse Act [18 U.S.C. § 1030(a)(2)(1986)]. Following a jury trial in the United States District Court (N.D.,GA) Van Buren was found guilty and sentenced to 18 months in Federal prison. An appeal from this conviction was taken to the United States Court of Appeals (11th Cir.) wherein Van Buren claimed that in accessing the GCIC which he had authorized access to but used it for an improper purpose did not constitute a violation of the "exceeds authorized access" provisions of the CFAA. Following precedence, the 11th Circuit upheld Van Buren's conviction [United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019)].

In the Circuit Courts there was a split in decisions concerning the definition and interpretation of the "exceeds authorized access" provisions of the law. The First, Fifth, Seventh, and Eleventh Circuit Courts have held a broad view of the provision applies such that authorized access of a computer for any improper purpose is a violation of the law. The Second, Fourth, and Ninth Circuits expressed a more narrow view holding there is a violation of the law if an authorized user accesses information they were otherwise prohibited from accessing. [See, e.g. Cloutier, Kevin M.; Poell, David M. "U.S. Supreme Court Case Preview—Van Buren v. United States: Does Use of a Computer for an "Improper Purpose" Violate the Computer Fraud and Abuse Act?". https://www.natlawreview.com/article/us-supreme-court-case-preview-van-buren-v-united-states-does-use-computer-improper. (Accessed June 5, 2021)]. As such, it becomes crystal clear that the decision in this case affects not only law enforcement use of the CFAA but also extends to civil litigants such as employers who seek to utilize its provisions to protect themselves from employee activities that are unauthorized.

Based on the split authority of the Circuit Courts, Van Buren petitioned for certiorari to the United States Supreme Court which certified the case to be heard in April. 2020. Due to the COVID-19 pandemic, oral argument on the case was held by telephone on November 30, 2020.

Photo Source
DECISION AND FINDINGS

In a 6-3 decision issued on June 3, 2021, the Supreme Court reversed and remanded the lower court's ruling [VAN BUREN v UNITED STATES, 593 U.S. ___ (2021), No. 19-783]. Writing for the majority, Justice Barrett ruled that for purposes of the "exceeds authorized access" provision of the CFAA, a person is in violation of the law when they access information on a computer they have authorized access to but the information accessed is off limits to them. As such, the Court adopted the narrower, circumscribed view of the CFAA.

Justice Barrett's opinion easily distinguished this holding from the facts present in VAN BUREN. The information obtained by VAN BUREN was clearly accessed for improper purposes, but the information was obtained within the permitted limits of that which he could access and within his authorization as a Sheriff's Sergeant. As such, he could not be charged with a crime under the provisions of the CFAA [See, e.g. Fung, Brian; de Vogue, Ariane; Cole, Devan. "Supreme Court sides with police officer who improperly searched license plate database". https://www.cnn.com/2021/06/03/politics/supreme-court-cybercrime-law-case/index.html. (Accessed June 6, 2021)]. Agreeing with critics of the CFAA, Justice Barrett noted that the government's argument in the case which would criminalize all violations of computer use policy would make "millions of otherwise law-abiding citizens...criminals" [Geller, Eric; Gerstein, Josh. "Supreme Court narrows scope of sweeping cybercrime law". https://www.politico.com/news/2021/06/03/supreme-court-cybercrime-law-491764 (Accessed June 6, 2021)].

Justice Barrett's opinion closely examined the exact language used in the CFAA as well as the various types of activities constituting "exceeding authorized access". The conclusion reached by the Court was that the provision of the CFAA under which VAN BUREN was convicted ultimately:

“covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like [Petitioner], have improper motives for obtaining information that is otherwise available to them.”

[VAN BUREN v UNITED STATES, 593 U.S. ___ at p. ___ (2021). No. 19-783 at p.1].

The majority opinion likewise examined the scope of the CFAA. Justice Barrett's opinion noted that by utilizing the government's broad interpretation of the statute, criminalization of a huge amount of common place computer usage, including such uneventful activity as utilizing a work computer for personal purposes would occur.

CONCLUSION

The decision in VAN BUREN v UNITED STATES constitutes the Supreme Court's first-ever decision addressing the provisions of the CFAA. It constitutes a game changing view for all pending and future cases addressing the CFAA. The divergence of opinion at the Circuit Court level is now removed and the narrow construction of the "exceeds authorized access" provision of the CFAA has become the law of the land by virtue of this decision.

Posted Using LeoFinance ^Beta