Interpreting the Computer Fraud and Abuse Act: An Analysis of the Supreme Court’s Recent Decision in Van Buren v. United States

The Computer Fraud and Abuse Act of 1986 (CFAA) subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U. S. C. §1030(a)(2). The term “exceeds authorized access” is defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6). The CFAA was originally enacted to address hacking amidst growing concerns about the lack of criminal laws available to fight emerging computer crimes, and as a follow-up to the Comprehensive Crime Control Act of 1984. In the CFAA, Congress attempted to strike an “appropriate balance between the Federal Government’s interest in computer crime and the interests and abilities of the States to proscribe and punish such offenses.” See S. Rep. No. 99-432, at 4 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2482. The CFAA was further amended as recently as 2008 to address increasingly sophisticated computer crimes.

However, there is one main issue which remains: The CFAA fails to define what “without authorization” means. This lack of clear guidance has led to a split between the various U.S. Courts of Appeals as to what type of conduct constitutes a CFAA violation. Specifically, courts have struggled with the question whether the CFAA places the focus on how the individual accessed the information, rather than how or under what circumstances the individual used the information. For example, some Circuits have interpreted “exceeding authorized access” to include using information on a computer in violation of a confidentiality agreement or accessing information on a computer for a purpose prohibited by an employer. In U.S. v. Rodriguez, for example, the Eleventh Circuit has held that a defendant “exceeded his authorized access” under the CFAA by improperly using information that he was authorized to access. 628 F.3d 1258 (11th Cir. 2010). In contrast, other Circuits have adopted a narrower interpretation of “exceeding authorized access”, holding that liability cannot be imposed on a person who has permission to access information on a computer and who then uses that information for an improper purpose. For example, in the case of U.S. v. Nosal, the Ninth Circuit held that improper use of information that was acquired by individuals with authorization to access such information is not a CFAA violation. 676 F.3d 854 (9th Cir. 2012).

The Supreme Court has now narrowed the scope of the CFAA on exactly this contentious question in its recent decision in the case of Van Buren v. United States. 593 U. S. ____ (2021). In that case, a Georgia police officer, Nathan Van Buren, agreed to search license-plate records in exchange for a $5,000 payment from a man who turned out to be an F.B.I. informant. Evidently, Mr. Van Buren’s searches were not done in connection with his duties as a law enforcement officer as defined by department policy. Consequently, Mr. Van Buren was indicted for violating the CFAA, convicted and sentenced to 18 months in prison.

On appeal, however, Justice Amy Coney Barrett, writing for the majority, found that Mr. Van Buren’s conduct did not violate the CFAA. Specifically, Justice Barrett stated:
[§1030(e)(6)] covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.
Ibid. Justice Barrett drew reference to “commonplace computer activity” and stated that “[i]f the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.” Ibid. For example, in the workplace “[e]mployers commonly state that computers and electronic devices can be used only for business purposes. So, on the government’s reading of the statute, an employee who sends a personal email or reads the news using her work computer has violated” the CFAA. Ibid. For this reason, according to Justice Barrett, following the government’s approach might “criminalize everything from embellishing an online dating profile to using a pseudonym on Facebook.” Ibid.

Justice Barrett also noted that Van Buren had authority not only to access the computer but also to run license plates. “The only question is whether Van Buren could use the system to retrieve license plate information. Both sides agree that he could.” Ibid. In the view of the majority, the motive for accessing the information was irrelevant. Since Van Buren legitimately had access to the system and was authorized to run license plates, the fact that he did so, even for an improper purpose, did not violate the CFAA.

In his dissent, Justice Clarence Thomas noted that “much of the federal code criminalizes common activity”, but most violations of the CFAA would be charged as misdemeanors if they were pursued at all. Ibid. He further noted that “[a] valet, for example, may take possession of a person’s car to park it, but he cannot take it for a joy ride”, or “[a]n employee who is entitled to pull the alarm in the event of a fire is not entitled to pull it for some other purpose, such as to delay a meeting for which he is unprepared.” Ibid. He further wrote “to take an example closer to this statute, an employee of a car rental company may be ‘entitled’ to ‘access a computer’ showing the GPS location history of a rental car and ‘use such access’ to locate the car if it is reported stolen”. “But it would be unnatural to say he is ‘entitled’ to ‘use such access’ to stalk his ex-girlfriend.” Ibid.

The Supreme Court’s narrow interpretation of “exceeding authorization”, however, may not end with this recent decision. HiQ v. LinkedIn involves a business using automated bots to scrape information from public LinkedIn profiles, including name, work history, job titles and skills, and using the information to yield “people analytics” in order to sell such information to its clients. LinkedIn argued that accessing LinkedIn’s data violated the CFAA because HiQ continued to access LinkedIn data after receiving a cease-and-desist letter. The District Court granted LinkedIn’s preliminary injunction finding that HiQ’s accessing of LinkedIn was “without authorization”. The injunction was affirmed on appeal by the Ninth Circuit Court of Appeals. On June 14, 2021, the Supreme Court vacated the Ninth Circuit’s decision and remanded the case for reconsideration in light of Van Buren v. United States.

As a practical matter, in determining whether there has been a violation of the CFAA and whether a defendant has accessed a computer “without authorization”, it is important to focus on the defendant’s actual authorization. If the defendant was, in fact, allowed to access the computer and retrieve the information retrieved, his or her motive for accessing the computer is irrelevant, and there is no violation of the CFAA. On the other hand, if the defendant accesses a file which he or she is not permitted to access, then the CFAA is violated. The focus, however, is on the “authorization”, not the motive for accessing the file.

Accusations of violations of the CFAA frequently occur in the context of an employment relationship. Often, the employee will access the employer’s computer system in an attempt to obtain information that will help the employee in his or her new job. Van Buren would seem to suggest that if the computer is accessed while the employee is still employed and the employee had access to the computer and the information, there would be no violation of the CFAA. If, however, the employee used his or her credentials to access the computer after the employee’s employment ended, the CFAA would be violated.

In any event, one should not lose sight of other potential violations. If information would constitute a “trade secret”, accessing or disclosing that information could violate the Economic Espionage Act, 18 U. S. C. § 1831, et seq. All cases are different, and anyone who finds him or herself with an issue related to this area of the law should consult an experienced and knowledgeable attorney.