We have previously written about the thorny questions surrounding the Computer Fraud and Abuse Act (“CFAA”), including how its ambiguous language concerning what computer use is “authorized” has divided the Circuits and how its provisions are, and are not, applied by prosecutors in practice. The Supreme Court declined to address the circuit split in 2017, but yesterday the Court granted cert in Van Buren v. United States to squarely resolve the issue.
As a reminder, the CFAA (18 U.S.C. § 1030) provides for both criminal and civil penalties for accessing a computer or protected computer “without authorization” or in a manner “exceeding authorized access.” 18 U.S.C. § 1030(a)(2). “[E]xceeding authorized access” is defined as “access[ing] a computer with authorization and . . . us[ing] such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” Id. § 1030(e)(6).
According to the Second, Fourth, and Ninth Circuits, a person may be convicted under the CFAA under the “exceeding authorization” prong only if the person obtains or alters information they have no permission to access. For example, in United States v. Gilberto Valle, the infamous “cannibal cop” case, the Second Circuit interpreted the CFAA narrowly and held that the police officer did not “exceed[ his] authorized access” when he used government databases to research sensitive information about his potential victims. The Second Circuit reasoned that because the officer already had access to various restricted government databases through his employment with the NYPD, he could not be convicted under the CFAA. In other words, under the Second Circuit’s ruling, even though official NYPD policy provided that the databases could be used only for legitimate law-enforcement purposes, Valle’s violation of NYPD policy did mean that he “exceeded authorized access” under CFAA.
But the First, Fifth, Seventh, and Eleventh Circuits have held otherwise. In those Circuits, accessing a computer to “obtain or alter information” in a way or for a purpose that is not permitted suffices to violate the statute—such as downloading information from a database you have permission to use, but for a reason you don’t have permission to use it for.
The case in which the Supreme Court will decide the circuit split is Van Buren v. United States. The case is an appeal by Nathan Van Buren, a small-town Georgia police sergeant who, by virtue of his job, had access to the Georgia Crime Information Center (GCIC) database. Van Buren was authorized to access the database “for law-enforcement purposes.” In a sting operation, the FBI recruited an acquaintance of Van Buren’s to offer a total of $6,000 to run searches in the database for certain license plate numbers. After Van Buren did so, he was arrested and charged with honest services fraud and a CFAA violation. Under controlling Eleventh Circuit precedent holding that a defendant exceeds authorized access and violates the CFAA when he accesses a computer database for an improper purpose, Van Buren was convicted of violating § 1030(a)(2), and the Eleventh Circuit later affirmed his conviction.
Van Buren’s conviction now presents the Supreme Court with the opportunity to define the contours of CFAA liability with respect to the authorization prong. We will continue to provide updates as the Court considers the case.