SCOTUS Adopts Narrow Interpretation of Computer Fraud Act

In Van Buren v. United States, 593 U.S. ____ (2021), the U.S. Supreme Court held that an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases— that are off-limits to him. The Court’s narrow interpretation of the Computer Fraud and Abuse Act of 1986 (CFAA) resolves an issue that had divided the federal courts of appeal.

Facts of the Case

Former Georgia police sergeant Nathan Van Buren used his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. Although Van Buren used his own, valid credentials to perform the search, his conduct violated a department policy against obtaining database information for non-law-enforcement purposes.

Unbeknownst to Van Buren, his actions were part of a Federal Bureau of Investigation sting operation. Van Buren was charged with a felony violation of the CFAA, which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” Under the CFAA, the term “exceeds authorized access” is defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

A jury convicted Van Buren, and the District Court sentenced him to 18 months in prison. Van Buren appealed to the Eleventh Circuit Court of Appeals, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have. Consistent with Eleventh Circuit precedent, the panel held that Van Buren had violated the CFAA.

Supreme Court’s Decision

The Supreme Court reversed by a vote of 6-3. The Court held that the CFAA covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.

Justice Amy Coney Barrett, writing for the majority, explained that the decision hinged on whether Van Buren was “entitled so to obtain” the license plate number information he accessed. According to Van Buren, the phrase “is not entitled so to obtain” plainly refers to information one is not allowed to obtain by using a computer that he is authorized to access. Meanwhile, the Government argued that “so” should be interpreted more broadly,

contending the phrase “is not entitled so to obtain” refers to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. According to the Government, the manner or circumstances in which one has a right to obtain information are defined by any “specifically and explicitly” communicated limits on one’s right to access information.

Largely relying on textual analysis, the majority rejected the Government’s arguments in favor of its narrow interpretation of the CFAA. “Van Buren’s account of ‘so’ best aligns with the term’s plain meaning as a term of reference, as further reflected by other federal statutes that use ‘so’ the same way,” Justice Barrett wrote.

In reaching its decision, the Court rejected Government’s argument that Van Buren’s reading renders the word “so” superfluous, with the word only having value if it incorporates all of the circumstances that might qualify a person’s right to obtain information. The Court reached the opposite conclusion, finding that, without “so,” the statute could be read to incorporate all kinds of limitations on one’s entitlement to information.

The Court also rejected the Government’s interpretation of the phrase “exceeds authorized access” to mean that Van Buren “exceed[ed] his authorized access” to the law enforcement database when he obtained license-plate information for personal purposes, concluding that it “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” As Justice Barrett noted, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA.