On June 3, 2021, the Supreme Court decided Van Buren v. United States. The six-justice majority had the first opportunity to interpret the vague language of the Computer Fraud and Abuse Act of 1986. This federal statute imposes liability on unauthorized access of computers. Ultimately, the court held the CFAA does not extend to individuals retrieving available information with improper motives but only to those who obtain information not otherwise available or accessible by authorization.
Facts and Procedural Posture
Nathan Van Buren was a former police sergeant in Georgia. As part of an FBI operation, Anthony Albo asked Van Buren to search a state law enforcement database for a specific license plate number in exchange for $5,000. Van Buren, using his valid credentials, searched his patrol car database for the requested entry. He was in breach of department policy which prohibited the use of a law enforcement database for non-law enforcement purposes. Consequently, Van Buren was charged with a felony violation of the CFAA because running the license plate violated the “exceeds authorized access” clause of 18 U.S.C. § 1030(a)(2). The jury convicted Van Buren, and the District Court sentenced him to 18 months in prison. On appeal, the Eleventh Circuit upheld the conviction under the CFAA. Van Buren appealed to the Supreme Court, which granted certiorari in April 2020.
The Supreme Court decided whether Van Buren violated the Computer Fraud and Abuse Act of 1986, which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” However, the opinion hinges upon linguistical questions. For example, what does “exceeds authorized access” mean? What is the meaning of “is not entitled so to obtain”?
The majority opinion
Justice Barrett, writing for the majority, first addresses a conflict in the circuits regarding the meaning of “exceeds authorized access.” The statute defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain … information in the computer that the accessor is not entitled so to obtain” 1010(e)(6). The definition lends itself to yet another question, what does “is not entitled so to obtain” mean?
Van Buren suggests the phrase mentioned above is best read to mean accessing information that one is under no circumstance entitled to obtain. Thus, getting information from a computer an individual has access to, regardless of purpose, would relieve one of liability under CFAA.
Whereas, the government, taking a different interpretation of the phrase, insists “is not entitled so to obtain,” means obtaining information “one was not allowed to obtain in the particular manner or circumstance in which one obtained it.” It urges the court to adopt a reading that would include liability for obtaining information for an unauthorized or improper purpose.
Justice Barrett ultimately agrees with the petitioner’s textual analysis. On one end of the spectrum, an individual “exceeds authorized access” when a person is not entitled under any circumstance to obtain the information. On the other hand, “an individual [also] “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in specific areas of the computer – such as files, folders, or databases – that is off-limits to him.” The inclusion of the word “so” refers to a previous manner or circumstance cited in the statute itself. Here, it refers to Van Buren’s right to obtain the license-plate information through a manner previously identified in the definition (i.e., accessing a computer with authorization and using that access to obtain information in the computer). Accordingly, Van Buren did not exceed his authorized access, even if he had an improper purpose.
The majority then moves to a structural and historical analysis of the statute. Musacchio v. United States provides two ways 1030(a)(2) can be violated: “accessing a computer without authorization and accessing a computer with authorization and then obtaining information one is not entitled so to obtain”. Van Buren treats these two clauses as consistent with one another, protecting from so-called outside hackers as well as inside hackers. Again, agreeing with the petitioner’s approach, Justice Barrett writes it “makes sense” compared to the many flaws in the government’s reasoning.
Ending with policy arguments, several amici on behalf of Van Buren point to the practical consequences of taking a contrary and broad construction of the CFAA. Trivial breaches by ordinary citizens would lend themselves to expanded criminal liability and a broad prosecutorial reach under the CFAA.
Chief Justice Roberts, joined by Justice Thomas and Justice Alito, takes a narrower interpretation of the CFAA. Justice Thomas also accepts Van Buren’s interpretation of the word “so” but falls in favor of the government due to the word “entitled.” The dissent suggests a circumstance-dependent approach when determining if one is entitled to access the information. However, one’s entitlement is limited by the particular manner previously stated. Here, the manner previously stated is accessing a computer with authorization. The dissent uses the following example to illustrate how one’s entitlement is limited; “an employee who is entitled to pull the alarm in the event of a fire is not entitled to pull it for some other purpose, such as to a delay a meeting for which he is unprepared.”
The dissent states the majority’s reading is at odds with basic principles of property law. An individual’s entitlement is also limited by common conceptions of tort law (i.e., trespass). The privilege to access information on a computer is limited by consent and explicit limitations by employers. For example, Van Buren’s department policy limits his access to strictly law enforcement purposes.
Next, looking at the historical evolution of the statute, the dissent agrees that Congress removed “purpose” to eliminate the prohibition of obtaining information for improper motives. However, the majority views this intentional omission as yet another reason to limit the scope of CFAA liability. Justice Thomas writes that replacing “purpose” with “not entitled” generalizes the scope of the act to cover a larger breadth of conduct.
Lastly, the dissent concludes by addressing similar policy concerns.. According to Justice Thomas, the undesirable consequences that will ostensibly result from a broad interpretation are not grounds for altering the statute. Thus, lending itself to a different conclusion.
The Supreme Court, reversing the Eleventh Circuit’s decision Van Buren v. United States, resolved a circuit split over the scope of the CFAA. While the decision focused on a textual analysis, the court took the opportunity to clarify the vague language and the breadth of liability falling under the act. When technological advancement is ever-expanding, the Supreme Court rightfully acknowledged the dangers of criminalizing every trivial violation of a “computer-use policy.” But, as the majority writes, the Government’s interpretation would implausibly “criminalize everything from embellishing an online dating profile to using a pseudonym on Facebook,” a slippery slope the Court is not willing to open the door to.
So what military practictioner?
TBD? There have been three military cases where a violation of 18 U.S.C. § 1030(a)(2) was charged. The most significant case, and perhaps notorious for other reasons, is United States v. Manning (nka Chelsea E. Manning), 78 M.J. 501 (A. Ct. Crim. App.. 2018), petition den. 79 M.J. 98 (C.A.A.F. 2019).
As an educated guess, the result in Manning would not be different were the case before ACCA or CAAF today; even though Manning’s purpose for obtaining the classified documents was improper similar to Van Buren and they both were considered “insiders.” The court in Manning took a narrow approach to the CFAA and did not consider Manning’s purpose. But how Manning and Van Buren obtained the information is significantly distinct. Van Buren was authorized to obtain license plate information. That information was not “off-limits to him.” On the contrary, in Manning, the use of Wget to retrieve classified State Department information exceeded her authorization. Therefore, Manning still violated the CFAA.
Noelle Peragine from the Supreme Court Desk.
Ed. note: Interested in knowing more about the Manning court-martial and appeal--go here.
CAAFlog 1.0 Archive
-Current Term Opinions
Joint R. App. Pro.
Global MJ Reform
LOC Mil. Law Resources