Van Buren v. United States was the Supreme Court’s first opinion interpreting the Computer Fraud and Abuse Act (CFAA) of 1986. Originally drafted as an anti-hacking statute, the Act prohibits people from accessing computers or computer systems “without authorization” or in a way that “exceeds authorized access.” Violations of the Act are punishable by civil and criminal penalties.
The question before the Court in Van Buren was how to interpret the phrase “exceeds authorized access”: whether it means that people are prohibited from obtaining information from some parts of a computer system but not others, or whether it applies more broadly to people who are allowed to access a computer system but use that access to obtain information for improper purposes.
Van Buren involved a former Georgia police officer who was charged with a felony for violating the Computer Fraud and Abuse Act. Officer Nathan Van Buren was accused of taking money in exchange for running a search in a law enforcement license plate database. This conduct violated a police policy that requires that the database be used for law enforcement purposes only. Van Buren was convicted of violating the CFAA because he used the database for an improper purpose, even though it was a database he was allowed to access.
The Court’s decision has broad implications for our everyday lives. Had the Court interpreted the Computer Fraud and Abuse Act broadly, the decision could have criminalized “a breathtaking amount of commonplace computer activity,” such as an employee violating an employer’s policy that computers be used for business purposes by using a work computer to send a personal email or check the news.
A broad interpretation of the CFAA could have also criminalized violations of a website’s terms of service agreement, the restrictions imposed on users in click-through agreements.
But the Court ultimately interpreted the CFAA more narrowly, finding that the Act did not apply to people who simply “have improper motives for obtaining information that is otherwise available to them.”
The majority opinion, authored by Justice Barrett on June 3, 2021, rejected the government’s plea for an expansive interpretation of the CFAA, finding that doing so could criminalize employees for using business computers for non-work purposes. The Court also ruled that violating a website’s terms of service agreement is not a criminal violation.
Three of the Court’s conservative justices, Clarence Thomas, Samuel Alito, and John Roberts, dissented from the majority ruling.
Interpreting the Computer Fraud and Abuse Act narrowly, the Court adopted a “gates-up-or-gates-down” test, finding that a person must bypass a gate that is down in order to be held criminally liable. Specifically, a person must enter an area of the computer system that they are not supposed to access, entering “particular areas of the computer—such as files, folders, or databases—that are off limits.”
Under the Court’s interpretation of the CFAA, the two ways of violating the CFAA work together. Prohibiting “access without authorization” means a person is not allowed to enter a computer or computer system that they are not authorized to access. This prohibition targets outside hackers who try to enter a computer system with no authorization whatsoever.
The prohibition on “exceeding authorized access” means that people are not permitted to enter “a part of the system to which a computer user lacks access privileges.” This language targets inside hackers who access a computer with permission but exceed the bounds of that authorized access by entering an area of the computer system that they do not have authorization to access.
Using the gates-up-or-gates-down analogy, a person either can or cannot access the computer system, and they can or cannot access areas within the system. Applying this reasoning, Mr. Van Buren did not violate the CFAA because he had access to the database; the rule prohibiting non-business use was not a closed gate.
Under the Court’s interpretation in Van Buren, the Computer Fraud and Abuse Act is ultimately a trespassing law. A user is prohibited from going places in the computer system that they are not permitted to go. When the gate is down, the user is prohibited from wrongfully bypassing the gate.
Future analyses of violations of the CFAA may turn on questions of authentication, such as how a user gained authorization to bypass a gate by giving the correct username and password.
Even though the Court in Van Buren interpreted the CFAA narrowly, allegations of fraud and other internet crimes are serious, and conviction can carry significant penalties.
If you have been charged with online criminal activity, you need an experienced criminal defense attorney on your side. You need a lawyer who understands the intersection of technology and the law and will fight to protect and defend your constitutional rights.
Hope Lefeber has been representing people accused of crimes in federal court for more than 30 years. She began her career as an enforcement attorney with the United States Securities and Exchange Commission (SEC), where she learned first-hand how the government prepares and prosecutes cases in federal court. Today, she uses that experience to defend people accused of internet crimes in federal court.
Ms. Lefeber is staunchly committed to keeping the government out of people’s personal lives and vehemently defends her clients with passion, skill, and dedication. You will find her to be meticulously prepared and hands-on in her approach to criminal defense.
If you are under investigation or have been charged with a crime in federal court, Hope Lefeber should be your first call. Contact Ms. Lefeber today to schedule a free, confidential consultation to discuss your case.