Yesterday the Supreme Court issued a decision in Van Buren v. United States, No. 19-783, ruling that a police officer did not violate the Computer Fraud and Abuse Act (“CFAA”) when he obtained information from a law enforcement database that he was permitted to access, but did so for an improper purpose. In so ruling, the Court adopted a relatively narrow reading of the CFAA, and partially resolved a years-long debate concerning the scope of liability under the CFAA.
The CFAA prohibits, inter alia, “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] information from any protected computer.” 18 U.S.C. § 1030(a)(2). What it means to “exceed authorized access” has been the subject of disagreement among lower courts: Some have concluded that this term refers to accessing areas of a computer that the user is not permitted to access under any circumstances—e.g., a student accessing her university’s database of grades that is restricted to only administrator use. Others have concluded that this term also encompasses individuals who are permitted to access an area of a computer for certain purposes, but they do so for an improper purpose—e.g., an administrator accessing the university’s database of grades that she is generally permitted to use, but she does so for the improper purpose of blackmailing a student.
These two interpretations of “exceeds authorized access” were at issue in Van Buren: Nathan Van Buren, a former police officer, was convicted of a felony CFAA violation after he searched a law enforcement database at the request of an acquaintance in exchange for money. Van Buren appealed his conviction, arguing that he did not “exceed authorized access” under the CFAA, because he was permitted to access the law enforcement database at issue. The Government countered that Van Buren was only authorized to do so for law enforcement purposes, and accessing the database for the improper purpose of facilitating a personal financial arrangement exceeded that authorization. The Eleventh Circuit agreed with the Government, affirming Van Buren’s conviction, and the Supreme Court granted cert.
The Court reversed, concluding that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Accordingly, the Court held, Van Buren did not “‘excee[d] authorized access’ to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.” In reaching this conclusion, the Court primarily relied on the text and structure of the CFAA, concluding that the phrase “authorized access” should be understood as a “gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” Because Van Buren could access the law enforcement database, he did not violate the CFAA by accessing it for an improper reason. The Court also noted that “the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity,” which “underscores the implausibility” of that interpretation.
While this highly anticipated decision provides critical guidance to courts, practitioners, and scholars interpreting the CFAA, some open questions remain. For example, the Court declined to address whether “exceeding authorized access” refers only to “technological (or ‘code-based’) limitations on access, or instead also looks to limits contained in contracts or policies.” In other words, the Court did not reach the scenario where a student would not need to circumvent any technical controls to access her university’s grade database (such as by guessing a password), but was nevertheless forbidden from accessing the database by the university’s code of conduct. This and other questions will likely be the topic of further litigation as lower courts apply Van Buren, and refine their interpretation of the CFAA.