Van Buren v. U.S.: Using computer database for improper purpose does not violate Computer Fraud and Abuse Act if person had lawful access to database
Even though a police officer used a computer database to which he had access for an improper purpose, this did not violate the Computer Fraud and Abuse Act, the U.S. Supreme Court held June 3 in Van Buren v. United States.
The CFAA only criminalizes obtaining information from particular areas of a computer – such as files, folders, or databases – to which the user’s computer access does not extend.
Nathan Van Buren, a Georgia police officer, ran a license-plate search in a law enforcement database in exchange for money. This use violated the department’s policies, which authorized use of the database for law enforcement purposes only. Van Buren had access to the database through his law enforcement work.
Van Buren was convicted of violating the CFAA, 18 U.S.C. Sec. 1030(a)(2), which makes it illegal to “intentionally access a computer without authorization or exceeds authorized access.” The CFAA defines “exceeds authorized access” to mean “to access a computer without authorization and to use such access to obtain or alter information in the computer that they accesser is not entitled so to obtain or alter.”
The 11th Circuit affirmed his conviction. The Supreme Court granted cert. to resolve a split in authority of the meaning of “exceeds authorized access.”
The Court reversed 6-3, in an opinion by Justice Barrett.
The Court held, as a matter of statutory interpretation, that “if a person has access to information stored in a computer – e.g., in ‘Folder Y,’ from which the person could permissibly pull information – then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose.”
“But if the information is instead located in prohibited ‘Folder X,’ to which the person lacks access, he violates the CFAA by obtaining such information.”
“[T]he Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity,” the Court said.
“If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals,” the Court said.
“Employers commonly state that computers and electronic devices can be used only for business purposes,” the Court explained. “So on the Government’s reading of the statute, an employee who sends a personal email or reads the news using her work computer has violated CFAA.”
In addition, the Government’s reading of the statute would criminalize violation of websites terms-of-use agreements. It would “criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook,” the Court said.
Justice Thomas, joined by Chief Justice Roberts and Justice Alito dissented.