When a person who is authorized to access information on a computer for certain purposes accesses the information for another, improper purpose, does that amount to a federal crime? The U.S. Supreme Court is set to decide that question after recently granting a petition for certiorari to resolve a circuit split regarding the scope of the Computer Fraud and Abuse Act (“CFAA”).1
In the case before the Court, Van Buren v. United States, a former Georgia police officer was convicted under the CFAA for searching the Georgia Crime Information Center database for the license plate number of an exotic dancer.2 A man had asked the officer, Nathan Van Buren, to run the license plate in exchange for $1000.3 Unbeknownst to Van Buren, the man who requested the search was working with the FBI as part of a sting operation.4
Van Buren had access to the Georgia Crime Information Center database as a law enforcement officer and was authorized to access this database “for law-enforcement purposes.”5 Van Buren conducted the license plate search and texted the man the information he had found.6 The FBI arrested Van Buren after he admitted that he had run the license plate search for his own financial gain.7 In affirming Van Buren’s conviction, the Eleventh Circuit reiterated its view that a person violates Section 1030(a)(2) of the CFAA if he uses a computer to access information that he is otherwise authorized to access but does so for an improper purpose.8
In 1984, Congress passed a law criminalizing computer hacking,9 which became known as the CFAA in 1986.10 The CFAA makes it a crime to exceed authorized access and thereby obtain information from a “protected computer,”11 which is defined as any computer with Internet access.12 To exceed authorized access is “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”13 The statute includes a civil cause of action14 and imposes criminal penalties,15 including a felony if “committed for purposes of commercial advantage or private financial gain.”16
Since its passage, the CFAA has become a popular tool for prosecutors and civil litigants. As a result, commentators have noted that the CFAA has been applied to many scenarios that do not look like traditional hacking.17 His nefarious intent aside, Van Buren certainly did not “hack” into the Georgia Crime Information Center.
The courts of appeals are divided four-to-three over whether a person with permission to access information on a computer violates the CFAA when he accesses that information for an improper purpose. The First, Fifth, Seventh, and Eleventh Circuits have taken the expansive view that it is a violation of the CFAA for a person with permission to access information on a computer to access that information for an improper purpose.18 By contrast, the Second, Fourth, and Ninth Circuits have construed the CFAA more narrowly, holding that the CFAA’s “exceeds authorized access” prong does not impose criminal liability on a person with permission to access information on a computer who accesses that information for an improper purpose.19 A person violates the CFAA in those circuits only if he accesses information on a computer that he is prohibited from accessing at all, for any reason.
Regardless of which interpretation the Court adopts, a decision in the present case will clarify the scope of the CFAA and ensure nationwide uniformity as to its application. The decision will come during the Court’s next term.
1 The case is Van Buren v. United States, No. 19-783 (Apr. 20, 2020), in the U.S. Supreme Court.
2 See United States v. Van Buren, 940 F.3d 1192, 1197-98 (11th Cir. 2019).
4 Id. at 1197.
5 Id. at 1208.
6 Id. at 1198.
8 Id. at 1208.
9 See H.R. Rep. No. 98-894 (1984), at 10.
10 Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474, 100 Stat. 1213.
11 18 U.S.C. § 1030(a)(2).
12 See United States v. Nosal, 676 F.3d 854, 859 (9th Cir. 2012) (en banc).
13 18 U.S.C. § 1030(e)(6).
14 Id. § 1030(g).
15 See id. § 1030(c)(2)(A).
16 Id. § 1030(c)(2)(B)(i).
17 Jonathan Mayer, Cybercrime Litigation, 164 U. Penn. L. Rev. 1453, 1456 (2016) (“Read broadly, contemporary cybercrime law does not just address sophisticated hacking. It also imposes worldwide civil and criminal liability that displaces trade secret, property, contract, fraud, and copyright law in the information economy.”).
18 See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010), cert. denied, 568 U.S. 1163 (2013); Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).
19 See United States v. Valle, 807 F.3d 508, 524, 527 (2d Cir. 2015); WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 202, 207 (4th Cir. 2012); Nosal, 676 F.3d at 862-63.