In Van Buren v. United States, the Supreme Court ruled six to three in favor of Nathan Van Buren, a Georgia Police Sergeant, establishing the reach of the Computer Fraud and Abuse Act (CFAA) in convicting individuals for improper use of “authorized information.” By clarifying the previously vague definition of “improper use,” the ruling will protect Americans from a judge’s subjective interpretation and potentially dangerous application of the law.
Van Buren, a police sergeant from Cumming, Georgia, asked a known criminal, Andrew Albo, for a large sum of money. In response, Albo reported the request to the police, who then referred the case to the Federal Bureau of Investigation (FBI). The FBI then conducted a sting operation by having Albo demand that Van Buren determine whether an individual was an undercover officer in exchange for the money. Van Buren, using the license plate database to which he had authorized access, obtained the information and relayed it to Albo. He was arrested by the FBI for computer fraud under the CFAA and sentenced to 18 months in prison by the US District Court for the Northern District of Georgia. Following the conviction, Van Buren appealed the decision to the US Court of Appeals for the Eleventh Circuit, which subsequently upheld the District Court’s ruling, citing Eleventh Circuit precedent. Van Buren finally petitioned the Supreme Court and was granted certiorari.
Before a discussion of the Supreme Court decision, a basic understanding of the CFAA is necessary. The CFAA was enacted in 1986 to address hacking and has been amended numerous times to account for rapidly developing technology in the years following its passage. The law provides that an individual who “intentionally accesses a computer without authorization or exceeds authorized access” is subject to criminal liability. The point of contention is how the definition of “exceeds authorized access” should be interpreted. As defined in the law, the term means: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Within the definition, the interpretation of “entitled so to obtain” strikes at the heart of Mr. Van Buren’s case. If interpreted narrowly to mean that criminal liability extends to those obtaining information from areas of a computer to which they lack authorized access, Van Buren’s conduct, although improper, does not fall under the law. But if viewed under the government’s broader definition, Van Buren’s use of authorized access to obtain information with improper motives makes him a felon under the law.
The court voted 6-3 in favor of Van Buren’s interpretation, with Justices Amy Coney Barrett, Stephen Breyer, Sonia Sotomayor, Elena Kagan, Neil Gorsuch, and Brett Kavanaugh in the majority and Justices Clarence Thomas, Samuel Alito, and John Roberts dissenting. In her majority opinion, Justice Barrett concludes that Van Buren’s interpretation of “entitled so to obtain” is correct and that the government’s interpretation does not align with the purpose of the law and leaves room for vast subjectivity in rulings. Further, Barrett found Van Buren’s interpretation to be consistent with the rest of the law by arguing that the first part of the statute means “that one either can or cannot access a computer system” and, under Van Buren’s interpretation, the second part must logically mean “one either can or cannot access certain areas within the system.” Under the government’s interpretation, the first part is agreed upon, but the second part means “exceeds authorized access” is “circumstance dependent.” The latter definition has “inconsistenc[ies] with the design and structure” of the law, according to Barrett and the majority. Barrett concludes by discussing the dangers of adopting the government’s interpretation of the statute, cautioning that millions of Americans could be prosecuted under the CFAA for conducting personal activity like emailing friends on an office computer. The “arbitrariness” in determining criminal liability that comes with the government’s interpretation is far too dangerous in her eyes.
Justice Thomas, writing in dissent, argues that Van Buren was not “entitled” to the information that he obtained because he used his access to a law enforcement database to obtain information for non-law enforcement purposes. According to Justice Thomas, it is critical to evaluate the circumstances of an act when determining criminal liability, and in Van Buren’s circumstance, it is clear that his improper use violates his entitlement to access the law enforcement database. Justice Thomas cites property law to argue that, similar to the computer authorization, improper use of property that one is entitled to use is a criminal act. Justice Thomas believes that with this interpretation, he is harmonizing the two parts of the statute by injecting the “arbitrariness” that Justice Barrett fears. He argues that with the Government’s interpretation, the statute would protect against unauthorized access to computers and against improper use of authorized information.
With the perpetually expanding frontier of technological development, US statutes governing the field struggle to keep pace. In its decision, the Supreme Court held that leaving the statutory meaning of “improper use” up to interpretation is not the answer, as it would force private parties to evaluate their actions in relation to an arbitrary and inconsistent definition of improper use, making it difficult to determine possible criminal liability. While an act may seem improper or distasteful, relying on a subjective definition of what constitutes an improper act as the standard for a federal crime would have put all Americans at risk if not for the Supreme Court’s ruling in Van Buren v. United States.
Vineet Chovatia is a freshman from Princeton Junction, New Jersey studying Public Policy and Economics.