Case No. 19-783 | 11th Cir.
November 30, 2020
Preview by Kevin Coleman, Articles Editor
In Van Buren v. United States, the Supreme Court will determine whether someone who is authorized to access information on a computer for one purpose “exceeds authorized access” in violation of the Computer Fraud and Abuse Act (“CFAA”) when that person accesses the same information for a different, unauthorized purpose. 18 U.S.C. § 1030 (2018).
Nathan Van Buren was a Georgia police officer who developed a problematic relationship with Andrew Albo, a “volatile” individual who was a “frequent subject of police action.” Brief for the United States, at 7, Van Buren v. United States, No. 19-783 (U.S. filed Aug. 27, 2020). The two first met when Van Buren arrested Albo for providing alcohol to a minor. Thereafter, Van Buren would often handle disputes between Albo and “women whom he paid to spend time with him.” Id. at 7–8. Experiencing financial difficulties, Van Buren lied to Albo that Van Buren’s son had $15,000 in medical expenses, and he asked Albo for a loan. Albo—who surreptitiously recorded the conversation—told his priest about Van Buren’s request. Albo’s priest connected him with the local sheriff, who brought in the FBI. Then, at the FBI’s request, Albo approached Van Buren, told him that he had met a woman at a strip club and wanted to know if she was an undercover police officer. In exchange for several thousand dollars in cash, Van Buren agreed to search the woman’s license plate number in a police database that Van Buren was permitted to access “only for law-enforcement purposes.” Id. at 7–9. Van Buren conducted the search, and he ultimately was convicted on one count of honest services wire fraud (bribery) and one count of exceeding authorized access in violation of the CFAA. The Eleventh Circuit vacated Van Buren’s honest services fraud conviction and affirmed his CFAA conviction. The Supreme Court granted certiorari on the CFAA issue.
Under the CFAA, a person who “accesses a computer without authorization or exceeds authorized access, and thereby obtains information” from the computer is subject to criminal prosecution. § 1030(a)(2)(C). A person “exceeds authorized access” when he or she “access[es] a computer with authorization and . . . use[s] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). Van Buren urges the Court to adopt the position of the Ninth, Fourth, and Second Circuits by holding that this language only prohibits obtaining information from a computer that a person is not entitled to access for any purpose. Brief for Petitioner at 8–9, 17–19, Van Buren v. United States, No. 19-783 (U.S. filed Jul. 1, 2020) (citing United States v. Nosal, 676 F.3d 854, 856–57 (9th Cir. 2012); WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 202, 207 (4th Cir. 2012); United States v. Valle, 807 F.3d 508, 528 (2d Cir. 2015)). Van Buren contends that a person is “entitled so to obtain” information when he or she has a right to acquire it via computer; the word “so” dictates the method of, instead of the purpose for, obtaining the information. See id. at 17–19. Thus, according to Van Buren, mere misuse or misappropriation of information that one is legally entitled to obtain via computer for any reason does not, without more, violate the CFAA. Id. at 18–19. Van Buren warns of the consequences of a broad interpretation; namely, that the statute would criminalize any action that violated a website’s terms of service or an employer’s computer use policy. Id. at 26–29. Van Buren explains that under the Government’s interpretation of the CFAA, if your employer prohibits the use of company computers for personal purposes and you create a March Madness bracket on your work computer, then you have committed a federal crime. Id. at 28. 
Van Buren implores the Court to avoid this broad construction, emphasizing that “[t]he CFAA is not an all-purpose statute covering any misdeed that occurs on a computer.” Id. at 23.
The Government asks the Court to conclude that a person who is entitled to access information for one purpose violates the CFAA by accessing it for another, unauthorized purpose. See Brief for United States at 20; United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). Also invoking § 1030(e)(6), the Government contends that someone is “entitled so” to do something “only when he has been granted a right to do it in a particular manner or circumstance.” Brief for United States at 13, 18. Therefore, the operative question is whether Van Buren was entitled to access the police database “in the [particular] circumstances in which he did.” Id. at 13. Of course, the Government argues that he was not. See id. Finally, the Government rejects the “parade of horribles” invoked by Van Buren as hypothetical scenarios unlikely to be subject to federal prosecution. See id. at 40–42.
While the parties’ arguments—and those of most amici—focus on the “not entitled so to obtain” language of § 1030(e)(6) and the interpretive consequences thereof, UC Berkeley law professor and computer crime expert Orin Kerr, in an amicus brief, asks the Court to focus on the more fundamental question of what constitutes “authorization” in the first place. See Brief of Professor Orin S. Kerr as Amicus Curiae in Support of Petitioner, at 2–3, Van Buren v. United States, No. 19-783 (U.S. filed Jul. 8, 2020). Specifically, Professor Kerr asserts that “verbal limits” on computer use—where “computer owners often allow others to use their computers subject to verbal restrictions on how that use can proceed”—should never be the basis for CFAA liability, regardless of whether those limits are “purpose-based,” as in Van Buren. Id. at 3, 5–6. According to Professor Kerr, to do otherwise would criminalize terms of service agreements and “mak[e] most Americans criminals for entirely innocuous conduct.” Id. at 26. Whatever the Supreme Court ultimately decides, Van Buren makes clear that the CFAA’s “exceeds authorized access” provision is a deeply imperfect solution to the “insider problem” of non-hacking malfeasance committed by persons entitled to sensitive electronic data, and a legislative revision to the CFAA may be required. See id. at 23–27.