SCOTUS: User’s Authorized Access to Obtain Digital Information Even if Done with “Improper Motives” Does Not Violate the CFAA

BACKGROUND

Nathan Van Buren was a police sergeant in Georgia. He accepted $5,000 from an acquaintance in exchange for running a license plate search using his patrol car computer. Van Buren was authorized to run such searches but knew from police department trainings that searches could not be conducted for personal use. Unaware the acquaintance was working with the Federal Bureau of Investigation (FBI), Van Buren ran the search and was subsequently charged with a felony violation of the CFAA for computer fraud (as well as a bribery charge, not at issue in this case), tried by a jury and sentenced to 18 months in prison.

While Van Buren clearly violated police department policies, it was less clear whether he also violated the CFAA, an act designed to combat computer hacking. Circuits have previously split on the issue of just how far the CFAA extends.

Following Van Buren’s unsuccessful appeal to the 11th Circuit, SCOTUS accepted certiorari to address the breadth of the Act and determine whether authorized computer access for improper purposes constitutes­­­ a violation of the CFAA. The majority has now held that it does not.

OPINION OF THE COURT

Justice Amy Coney Barrett, writing for a majority made up of Justices Stephen Breyer, Sonia Sotomayor, Elena Kagan, Neil Gorsuch and Brett Kavanaugh, focused on the language of the CFAA but also addressed the CFAA’s structure, case precedent and statutory history and policy arguments.

First, the Court addressed the CFAA’s text. The CFAA makes it a crime to obtain information by “intentionally access[ing] a computer without authorization or exceed[ing] authorized access.” 18 U.S.C. § 1030(a)(2). The Act defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain … information on the computer that the accesser is not entitled so to obtain . . .” § 1030(e)(6) (emphasis added). The parties did not dispute that Van Buren was authorized to access the license plate database or that he obtained information from it. They disputed whether he exceeded his authorized access in obtaining such information. Van Buren maintained that the “exceeds authorized access” clause of the CFAA applies only to those who obtain information to which their computer access does not extend and does not apply to a person who misuses computer access that they otherwise have.

Also invoking the specific language of the CFAA, the government argued that the use of “so” in “…is not entitled so to obtain…” suggests the Act prohibits access to “information one was not allowed to obtain in the particular manner or circumstances in which he obtained it” (emphasis in original). Justice Barrett explained the government’s proposed construction by example: An employee may have access to information in Folder Y and properly access it in the morning to prepare for a meeting, yet improperly access that same Folder Y in the afternoon to prepare his resume to apply for a job with a competitor.

On the other side, Van Buren argued that the use of “so” in “…is not entitled so to obtain…” refers to information that a person is not entitled to obtain via a computer, which is a computer that the person is otherwise authorized to use. Extending her metaphor, Justice Barrett summarized Van Buren’s argument with an example in which an employee may be authorized to access Folder Y on a computer but may be prohibited from accessing Folder X. Under this construction, the employee is always authorized to access Folder Y and never “entitled so to obtain” information in Folder X; the CFAA does not contemplate the purpose (even if improper) for which the employee accesses Folder Y so long as the employee has been granted access. The Court agreed with Van Buren’s interpretation of “so.”

Second, the Court’s opinion addressed the structure of the CFAA, specifically, the impact and meaning created by the interplay between two clauses of subsection (a)(2), which specifies two distinct means of obtaining information unlawfully: Namely, “without authorization” and “exceeds authorized access.” The Court agreed with Van Buren’s construction of “exceeding authorized access,” meaning that the Act protects the computer itself from unauthorized users and also provides protection for specific files within the computer from users who are not authorized to access those specific files. The Court contrasted this with what it deemed to be the government’s inconsistent reading of subsection (a)(2), in that examining the particular manner or circumstances in which information is obtained thereby imposes “purpose-based limits” only when information is obtained by a means of exceeding authority but not when obtained through means of unauthorized access. Therefore, due to its stronger internal consistency, the majority again favored Van Buren’s construction and interpretation of the Act.

Third, the Court quickly dispensed of the government’s precedent and statutory history arguments. The government raised Musacchio v. United States, a 2016 SCOTUS case that also addressed the CFAA but as to the standard of review for instructional error. Justice Barrett therefore explained that Musacchio did not address the issue at hand and that the Court is not bound by its dicta. The government also argued that an early draft of the CFAA had criminalized computer access for improper purposes, suggesting that Congress intended the CFAA to encompass authorized access for improper uses. The majority was not convinced and found that the government “[got] things precisely backward,” noting that Congress’ choice to amend its draft and specifically remove such improper purpose language cuts against the government’s interpretation of Congress’ intent.

Finally, the Court addressed policy implications. Justice Barrett clarified that Van Buren’s construction was persuasive in terms of the CFAA’s text and structure, thereby making policy arguments superfluous. Nonetheless, the Court found that the government’s construction of the Act “would attach criminal penalties to a breathtaking amount of commonplace computer activity” (such as sending a personal email or reading the news from a work computer) and “inject arbitrariness into the assessment of criminal liability.”

According to the majority, Van Buren’s actions, though problematic, were not the type of computer activity contemplated by the CFAA, so the Court reversed the judgment of the 11th Circuit and remanded for further proceedings.

DISSENT

Justice Clarence Thomas, joined by Chief Justice John Roberts and Justice Samuel Alito, issued a dissent that would have held Van Buren clearly “exceeded the scope of his authority,” within the plain meaning of the phrase. Interpreting the “not entitled so to obtain” language, the dissent focused on the word “entitled,” not “so,” and explained that the inclusion of “entitled” necessarily requires an analysis of surrounding circumstances. Under the dissent’s interpretation of the Act, Van Buren was not given authority to access the license plate database for personal use, so he was not “entitled” to access it for his acquaintance. Additionally, the dissenters argued that the majority’s construction ran afoul of principles of property law, which hold that “a person’s authority to use his access to property is circumstance dependent.”

The dissent also agreed with the government that the congressional record that referenced purpose-based factors suggested Congress intended the CFAA to criminalize improper use. Finally, the dissent took issue with the majority’s lengthy policy-based concerns about the breadth of the government’s construction since much of US law “criminalizes common activity” and violating the CFAA typically results only in a misdemeanor.

Kat Lynch, a summer associate in the Chicago office, also contributed to this article.