June 4, 2021
This week, in United States v. Van Buren, the United States Supreme Court resolved a circuit split over whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act (“CFAA”) if the information is accessed for an improper purpose. The First, Fifth, Seventh, and Eleventh Circuits held that obtaining information with an improper purpose, i.e., violating employer “use restrictions,” is sufficient for a CFAA conviction. By contrast, the Second, Fourth, and Ninth Circuits held that the CFAA does not impose criminal liability on a person with permission to access such information on a computer, even if such information was accessed for an improper purpose.
In Van Buren, a case on appeal from the Eleventh Circuit, a Georgia police sergeant became the subject of an FBI sting operation after asking Andrew Albo, an individual known for associating with prostitutes, for a loan. At the FBI’s instruction, Albo asked Van Buren to run a computer search for a license plate number that purportedly belonged to a local exotic dancer he fancied. According to the cover story, Albo wanted to verify that the dancer was not an undercover police officer. Van Buren accessed the Georgia Crime Information Center database, which contains license plate and vehicle registration information. As a law enforcement officer, Van Buren was authorized to access this database for law-enforcement purposes. After running a search for the license plate, Van Buren texted Albo the results; Albo then gave Van Buren $6,000. Van Buren was convicted of violating the CFAA. The Eleventh Circuit Court of Appeals upheld the conviction, rejecting Van Buren’s argument that he could not have violated the Act because he had permission to access the databases.
In a 6-3 decision authored by the Court’s newest Justice, Amy Coney Barrett, the Court reversed and remanded Van Buren’s conviction. The majority, joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh, reasoned that a person violates the CFAA’s “exceeds authorized access” language when they access files or other information that is off-limits to them on a computer system they are otherwise authorized to use. Since Officer Van Buren had authorized access to the database containing license plate and vehicle registration information—even though he accessed the information in question for improper purposes—he did not violate the CFAA. Thus, the majority opinion resolved the circuit split in favor of the Second, Fourth, and Ninth Circuits’ “improper purpose” interpretation, agreeing that too strict an interpretation of Section 1030(a)(2) would “criminalize every violation of a computer-use policy” and turn “millions of otherwise law-abiding citizens [into] criminals.” In their dissent, Chief Justice Roberts, along with Justices Thomas and Alito, applied a stricter interpretation of the CFAA and agreed with the First, Fifth, Seventh, and Eleventh Circuits. As Justice Thomas wrote, “It is understandable to be uncomfortable with so much conduct being criminalized, but that discomfort does not give us authority to alter statutes.”
The majority’s opinion takes note of the sweeping provisions of the CFAA and recognizes the dangers a strict interpretation of them creates for employers and employees in a highly digitized and computer-oriented world. Not wanting to create a federal case out of every computer-use policy violation, the Court’s majority opinion in Van Buren prevents the CFAA from turning the DOJ and Federal Courts into HR Departments with the power to turn violators into felons and shifts the analysis back towards Congress’ intent: allowing the DOJ and Federal Courts to hold hackers accountable.