April 27, 2020

Last week, the United States Supreme Court added United States v. Van Buren to its merits docket for next term. The Court will seek to resolve a circuit split over whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act (“CFAA”) if the information is accessed for an improper purpose. The answer to this question has sweeping implications, as the computer access rights of nearly all computer users are governed by access and use policies, including website terms of service and the typical corporate policy that computers can be used only for business purposes. If the Court adopts the “improper purpose” interpretation of CFAA offered below by the Eleventh Circuit, violating commonplace computer use policies can constitute a CFAA violation, thereby transforming seemingly innocuous activities—such as utilizing a work computer to talk with friends, access social media, shop, or watch sports highlights—into federal crimes.

The CFAA makes it a federal crime to access a computer without authorization or exceed authorized access on that computer, and in so doing obtain information from any protected computer. Although the CFAA was originally passed as an anti-hacking law, prosecutors have utilized its broad statutory language to bring federal criminal charges against individuals premised on terms-of-use violations. Convictions under CFAA carry weighty consequences for defendants, including a felony conviction and up to five years of imprisonment. CFAA also creates a civil cause of action, allowing any person who suffers damage or loss because of a violation of CFAA to sue for damages or equitable relief.

In Van Buren, a Georgia police sergeant became the subject of an FBI sting operation after asking Andrew Albo, an individual known for associating with prostitutes, for a loan. At the FBI’s instruction, Albo asked Van Buren to run a computer search for a license plate number that purportedly belonged to a local exotic dancer he fancied. According to the cover story, Albo wanted to verify that the dancer was not an undercover police officer. Van Buren accessed the Georgia Crime Information Center database, which contains license plate and vehicle registration information. As a law enforcement officer, Van Buren was authorized to access this database for law-enforcement purposes. After running a search for the license plate, Van Buren texted Albo the results; Albo then gave Van Buren $6,000. Van Buren was convicted of violating CFAA. The Eleventh Circuit Court of Appeals upheld the conviction, rejecting Van Buren’s argument that he could not have violated the Act because he had permission to access the databases.

The First, Fifth, and Seventh Circuits are in agreement with the Eleventh Circuit, holding that obtaining information with an improper purpose, i.e., violating employer “use restrictions,” is sufficient for a CFAA conviction. In contrast, the Second, Fourth, and Ninth Circuits have each held that CFAA does not impose criminal liability on a person who has permission to access information on a computer and who accesses that information for an improper purpose. Critics of the “improper purpose” interpretation note that limiting the statute’s use to scenarios where an individual is categorically forbidden from accessing particular information on the computer maintains the CFAA’s focus on hacking.

Stay tuned for updates on the Supreme Court’s ruling, as it will likely have broad consequences for how employers, companies, website owners, and prosecutors pursue criminal and civil CFAA cases.