The United States Supreme Court heard oral argument on Monday in Van Buren v. United States, No. 19-783, a landmark case involving a key provision of the Computer Fraud and Abuse Act (“CFAA”). At issue was whether a person who is authorized to access information on a computer for certain purposes violates CFAA if that person accesses the same information for unauthorized reasons. The Court’s decision has the potential to resolve an important circuit split on the interpretation of CFAA and to define the contours of a hotly debated anti-hacking statute that applies to both criminal prosecutions and civil actions.
As we previously reported, CFAA provides for both criminal and civil penalties for accessing a computer “without authorization” or in a manner “exceeding authorized access.” 18 U.S.C. § 1030(a)(2). “[E]xceeding authorized access” is defined as “access[ing] a computer with authorization and . . . us[ing] such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” Id. § 1030(e)(6).
The United States Courts of Appeals have diverged on how to interpret CFAA’s “exceeding authorization” prong. On the one hand, the Second, Fourth, and Ninth Circuits criminalize only unauthorized access to a computer system, regardless of the purpose of that use. The First, Fifth, Seventh, and Eleventh Circuits, by contrast, have more broadly interpreted the prong to include misuse of data, even if the offender gains access to the information permissibly. In those Circuits, a person violates CFAA simply by downloading information from a database she is authorized to use, but for a reason for which she does not have permission.
In Van Buren, the Court squarely addressed the meaning of the “exceeding authorization” prong. At the center of the case was Nathan Van Buren, a former police sergeant in Georgia and the defendant-petitioner. Van Buren allegedly used his authorized access to a restricted law enforcement database to search for license plate information in exchange for compensation from an acquaintance. Caught in an FBI sting operation, Van Buren was arrested and charged with honest services fraud and a CFAA violation.
Before the Supreme Court, petitioner’s counsel argued that upholding Van Buren’s CFAA conviction could have broad-reaching implications, potentially “brand[ing] most Americans criminals on a daily basis” just, for example, by using a business Zoom account for personal reasons not specifically authorized by an employer. Petitioner argued that such a broad statutory interpretation—in line with that adopted by the First, Fifth, Seventh and Eleventh Circuits—would criminalize ordinary activities far beyond Congress’s intent in enacting the anti-hacking provisions of CFAA.
The Government rejected Van Buren’s hypothetical “parade of horribles,” arguing instead that “everyone would understand that [CFAA’s] language [was meant] to cover an employee who’s allowed to take items for work who instead takes them for himself.” According to the Government, CFAA was “precisely . . . designed to cover” the “serious breaches of trust by insiders” like Van Buren. The statutory prohibitions on “exceeding authorization” certainly would not extend, the Government argued, to everyday use of websites like Facebook or Hotmail, where “specific individualized permission” is not a condition of usage.
In an argument exceeding an hour, the justices peppered both parties on congressional intent in passing CFAA and delicate questions of statutory interpretation. Justice Alito, for example, challenged Van Buren’s counsel to prove that Congress did not intend to cover analogous situations, such as the bank employee “who has access to credit card numbers and uses that information to sell for a personal profit.” Justice Gorsuch, for his part, questioned the Government on the propriety of expanding federal criminal jurisdiction to cover conduct like Van Buren’s that could be prosecuted under state statutes. And Justices Sotomayor, Kavanaugh, and Barrett all asked questions designed to identify the outer bounds of CFAA’s applicability. Justice Sotomayor thus contemplated congressional action, querying whether there were “targeted changes” to the statutory text that could limit the reach of the statute to avoid criminalizing ordinary behavior.
Although it is too early to predict how the Court will rule, any decision is likely to have far-reaching consequences for the enforceability of CFAA. We will continue to provide updates as the Court considers the case.