by Kristen Knauf
On June 3, 2021, the U.S. Supreme Court resolved a Circuit split and narrowly construed the phrase “exceeds authorized access” as used in the Computer Fraud and Abuse Act of 1986 (“CFAA”).[1] There is no question that the CFAA criminalizes breaking into a computer (e.g., hacking). The CFAA also prohibits individuals with a certain level of authorized access (e.g., employees) from exceeding their authorization to those systems. But when a person has the required credentials, does that person violate the CFAA by using their access for illicit reasons? In a 6-3 decision, the U.S. Supreme Court said “no.”
Former Georgia police sergeant Nathan Van Buren ran a license-plate search on his patrol-car computer in exchange for money.[2] Van Buren used his own valid credentials to perform the search, but his conduct violated a department policy against obtaining database information for non-law-enforcement purposes.[3] Unbeknownst to Van Buren, his actions were part of a FBI sting operation, and Van Buren was changed with a felony violation of the CFAA.[4] The CFAA imposes criminal liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.”[5] The term “exceeds authorized access” is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”[6]
The Eleventh Circuit, which had previously construed “exceeds authorized access” broadly, affirmed Van Buren’s CFAA conviction.[7] On appeal to the U.S. Supreme Court, Van Buren argued that “exceeds authorized access” applies only to those who do not have authorized access to a computer, not to those who misuse this access. The Court agreed.
Justice Barrett wrote the majority opinion that focused on Van Buren’s argument regarding the significance of the word “so” in the expression “entitled so to obtain.” Obviously, Van Buren “accessed a computer with authorization” and obtained information. The only question was whether Van Buren was “entitled so to obtain” that information. The Court agreed with Van Buren’s argument that “so” is a term of reference that relates to the preceding “identifiable proposition,” here, the authorized access to a computer.[8] Logically, it follows that “[t]he phrase ‘is not entitled so to obtain’ is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.”[9] Therefore, a credentialed computer user authorized to access Folder Y does not violate the CFAA by using the information in Folder Y for illicit purposes, but does violate the CFAA by obtaining information from off-limit Folder X. Authorized access under the CFAA, therefore, is a “gates-up-or-down inquiry – one either can or cannot access a computer system and one either can or cannot access certain areas within the system.”[10] The Court left the issue of whether these “gates” must be technological (“code-based”) or contractual for another day.[11]
The Court rejected the Government’s argument that “so” broadly referred to “the particular manner or circumstances” in which the user obtained the information.[12] First, the circumstances that distinguish between a user’s permissible and impermissible conduct are not identified in the statute. Second, Justice Barrett stated that the broader CFAA interpretation “would attach criminal penalties to a breathtaking amount of commonplace computer activity,”[13] including sending personal email or reading the news on an office computer.
Following this narrow interpretation of the CFAA, Employers may decide to cut back on authorized access to computer data and review their policies to ensure they are clearly communicating what portions of the employer’s computer system employees are authorized to access. For Supreme Court watchers, the decision provides insight into a possible split between Justices who will look solely at the plain meaning of a statute and those who will look to the purpose of the acts covered by the law.
____________________
Kristen Knauf is a Senior Attorney at the American Heart Association. She can be reached at kristen.knauf@heart.org.
____________________
[1] Van Buren v. United States, No, 19-783, 141 S.Ct. 1648 (June 3, 2021); 18 U.S.C. §1030.
[2] Van Buren, 141 S.Ct. at 1652.
[3] Id.
[4] Id.at 1653.
[5] 18 U.S.C. §1030(a)(2).
[6] Id. at §1030(e)(6).
[7] United States v. Van Buren, 940 F.3d 1192, 1208 (11th Cir. 2019) (citing United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010) (broad construction of “exceeds authorized access”)); compare United States v. John, 597 F.3d 263 (5th Cir. 2010) (broad construction), with United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc) (narrow construction).
[8] Van Buren, 141 S.Ct. at 1655.
[9] Id. at 1656.
[10]Id. at 1658-1659
[11] Id. at 1659, n.8.
[12] Id. at 1656.
[13] Id. at 1661.
____________________
Articles on the DAYL website are provided for informational use only, and are in no way intended to constitute legal advice or the opinions or views of the DAYL.