Supreme Court Clarifies the Term “Exceeds Authorized Access” Under the Computer Fraud and Abuse Act

By Sarah Wirskye

In Van Buren v. United States, the Court held that an individual “exceeds authorized access” under the Computer Fraud and Abuse Act of 1986 (CFAA), 18 U.S.C. §1030(a)(2), when he accesses a computer with authorization but then obtains information located in areas of the computer that are off-limits to him. The Court declined to adopt the government’s more expansive interpretation, under which “exceeds authorized access” covers information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. Thus, the Court ruled that if an individual has access to information, an inappropriate purpose or reason for accessing it does not make the access unlawful under the CFAA.

Van Buren, a former Georgia police sergeant, used his patrol-car computer to access a law enforcement database to retrieve information about a license plate in exchange for money.  Although Van Buren used his own credentials to access the information, he violated a department policy against obtaining database information for non-law-enforcement purposes.  He was charged with violating the Computer Fraud and Abuse Act, 18 U. S. C. §1030(a)(2), which criminalizes “intentionally access[ing] a computer without authorization or exceed[ing] authorized access.” “[E]xceeds authorized access” is defined as “access[ing] a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6).

Van Buren appealed his conviction to the Eleventh Circuit, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend. He argued that it does not extend to those who misuse access that they otherwise have. While some Circuit Courts interpreted the clause Van Buren’s way, the Eleventh Circuit (along with the First, Fifth, and Seventh Circuits) took a broader view. Thus the Eleventh Circuit held that Van Buren had violated the CFAA by accessing the law enforcement database for an “inappropriate reason.”

The Court’s opinion focused on the text of the statute, and specifically on the use of the word “so” in the statute. Van Buren argued that the disputed phrase, “is not entitled so to obtain,” refers to information one is not allowed to obtain by using a computer that he is authorized to access. The government argued that “so” is broader and refers to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. The Court agreed with Van Buren’s interpretation.

While this opinion helped clarify the CFAA and resolved a split in the circuits, the case makes clear that the CFAA is due for review. For example, the Court stated that the government’s interpretation could result in a violation of the CFAA if an employee sends a personal e-mail or reads the news using a work computer. The CFAA is an old law, enacted in 1986, when computers and technology were far different than they are today. There is conduct that may not be criminalized under the CFAA that should be, and vice versa. It remains to be seen if Congress will amend this statute soon. With the increasing use and importance of this statute in criminal and civil enforcement, it should be updated to reflect the realities of today’s technology.
