The high court ruled 6-3 in favor of the former Cumming, Georgia, police sergeant, Nathan Van Buren, and limited the conduct that can be prosecuted under the Computer Fraud and Abuse Act of 1986 (CFAA). The law makes it illegal to access a computer without authorization or to use authorized access to obtain or alter information a person is not entitled to.
Justice Amy Coney Barrett, the court’s newest member, wrote the majority opinion and was joined by fellow Trump appointees Justices Neil Gorsuch and Brett Kavanaugh, as well as liberal Justices Stephen Breyer, Elena Kagan and Sonia Sotomayor. Chief Justice John Roberts and Justice Clarence Thomas and Samuel Alito ruled against the former police officer.
In its decision, the high court said Van Buren did not violate the computer crime law, as it does not cover people like him who have “improper motives for obtaining information that is otherwise available to them.”
“An individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer — such as files, folders or databases — that are off limits to him,” Barrett wrote.
The case, known as Van Buren v. U.S., stems from Van Buren’s time as a police sergeant in Georgia, during which he was unknowingly part of a FBI sting operation in 2015. Under a scheme devised by the bureau, a man named Andrew Albo would ask Van Buren to search a state law enforcement computer database for a license plate that purportedly belonged to a woman Albo met at a local strip club and wanted to make sure wasn’t an undercover officer. In exchange for the search, Albo would pay Van Buren approximately $5,000.
Van Buren did just that — he used the computer in his patrol car and his valid credentials to access the database and search for the license plate provided by Albo, the entry for which was created by the FBI. Van Buren was then charged with a felony violation of the cybercrime law, as running the license plate ran afoul of a provision subjecting to criminal liability anyone who “exceeds authorized access” to a computer, since he had been trained not to use the database for “an improper purpose.”
A jury convicted Van Buren, and he was sentenced to 18 months in prison. The officer appealed his conviction to the 11th U.S. Circuit Court of Appeals, arguing the clause that defines “exceeds authorized access” does not apply to those who misuse access they otherwise have. The appeals court, however, found Van Buren violated the CFAA because he accessed the law enforcement database for an “inappropriate reason.”
While both sides agreed that Van Buren accessed his patrol-car computer with authorization, using his credentials to log into the database, and obtained the license plate record, they were at odds over whether the ex-police officer was “entitled so to obtain” the information under the cybercrime law.
The differing views from Van Buren and the government turned in part on the interpretation of the word “so,” and the Supreme Court agreed with the officer “that the phrase ‘is not entitled so to obtain’ is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.”
Writing for the majority, Barrett warned that the government’s interpretation of the law “would attach criminal penalties to a breathtaking amount of commonplace computer activity.”
“If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals,” she said. “Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.”
Joined in dissent by Roberts and Alito, Thomas, however, said Van Buren disregarded a limitation on his access to the government database when he used it to access the license plate information for Albo.
“The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have ‘exceed[ed] authorized access’ to the database when he used it under circumstances that were expressly forbidden?” he wrote. “In my view, the answer is yes. The necessary precondition that permitted him to obtain that data was absent.”
Oral arguments in the case were heard remotely November 30, 2020. The Supreme Court is set to wrap up its term in the coming weeks.