Supreme Court Hears Oral Argument in Van Buren v. United States

Does the Computer Fraud and Abuse Act prohibit a police officer who is authorized to access his employer’s computers from using his access in unauthorized ways? On Nov. 30, the Supreme Court picked up the phone to tackle that very question in oral argument in Van Buren v. United States, a case addressing the interpretation of two provisions of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §§ 1030(a)(2)(C) and (c)(2)(B)(i).

Section 1030(a)(2)(C) prohibits users of protected computers (meaning a computer covered by the statute) owned by others from “exceed[ing] authorized access.” Section 1030(e)(6) defines “exceeds authorized access” to mean “access[ing] a computer with authorization and … us[ing] such access to obtain or alter information in the computer that the accesser [sic] is not entitled so to obtain or alter.”

Nathan Van Buren was a Georgia police officer who, in a sting operation, ran a license plate search for a friend in exchange for money. Van Buren used a police computer to perform the search. The Justice Department didn’t take kindly to Van Buren’s freelancing and charged him under the CFAA, 18 U.S.C. § 1030(a)(2)(C) (and for honest-services fraud).

At trial, Van Buren moved for judgment of acquittal on the ground that a person does not “exceed authorized access” when he “access[es] information that [he has] access to” even if that access is “for an improper or impermissible purpose.” The trial court denied the motion but, on Van Buren’s suggestion, instructed the jury that it must find that Van Buren used his access “to get or []change information that [he was] not permitted to get or change.” The jury convicted him, and the trial judge sentenced him to 18 months in prison.

Van Buren appealed, arguing insufficient evidence supported his CFAA conviction. The U.S. Court of Appeals for the Eleventh Circuit disagreed, concluding that it was bound by its 2010 decision in United States v. Rodriguez, which held that a person “exceed[s] authorized access[]” to a computer when she accesses it for a prohibited use, even if she is authorized to access it for proper purposes. It acknowledged that the Second and Ninth Circuits had held differently but nevertheless stood by the holding in Rodriguez.

Van Buren appealed to the Supreme Court, which granted cert in April.

As Van Buren makes clear in the briefing, his argument at the Supreme Court is grounded in the CFAA’s text and purpose. The statute defines “exceeds authorized access” as, among other things, when someone is “not entitled so to obtain or alter” but does so anyway. The petitioner argues that the court should understand that language as not including misuse of authorized access. Where Congress has sought to prohibit misuse of access, it has done so explicitly—as in, for example, 10 U.S.C. § 923(a)(1), which prohibits retrieving classified information by accessing a government computer “with an unauthorized purpose.” He also argues the CFAA’s purpose is limited to hacking into computers without authorized access; that “only occurs when someone accesses information that he has no right at all to obtain.” Per the petitioner, a contrary interpretation would criminalize everyday activities based on computer owners’ purpose-based restrictions. Filling out a March Madness bracket, for example, would likely violate an employer’s policy against using work computers for personal purposes. (Though not mentioned at argument and cited only in passing in the petitioner’s brief, it bears mention that the same provision of the CFAA was among the charges prosecutors brought against Aaron Swartz, the young computer researcher and open-source activist who killed himself after being charged for using an MIT computer to mass-download papers from JSTOR.) And Van Buren urges the court to adopt his construction to avoid constitutional questions that flow from the Due Process Clause and First Amendment and in adherence to the rule of lenity, which counsels leniency in the application of ambiguous criminal statutes.

The government has a different read of the CFAA’s text and purpose. It argues that the plain meaning of “obtain[ing] … information in the computer that the accesser [sic] is not entitled so to obtain” includes obtaining information for an unauthorized purpose. Why? The government argues that to be “entitled so to obtain” something, a person must have been “granted a right to do it in the particular manner or circumstance.” The government asserts that its reading of the text is consistent with Congress’s purpose—both in prohibiting malicious insider hackers in addition to external hacking and in extending common-law prohibitions on misuse of unowned property to computer systems. The government argues that other terms in the CFAA limit the expansive future interpretations that Van Buren is concerned about and the constitutional concerns they might raise. It also stresses that the lenity rule is inapplicable because the statute at issue is not ambiguous.

So how did oral argument go?

Become a supporter of IT Security News and help us remove the ads.