Van Buren v. United States
- Justices Concerned for Privacy of Personal Information if Insiders Can Abuse Access Privileges: During oral argument this week in Van Buren v. United States, a case concerning the scope of the Computer Fraud & Abuse Act, several Justices of the U.S. Supreme Court emphasized the need to protect sensitive personal data from both hackers and insiders who could abuse their access privileges. Van Buren, a police officer, was prosecuted under the CFAA for improperly accessing personal data in a government system for financial gain. He argued that he didn't violate the law because he had credentials to access the system. EPIC filed an amicus brief in the case, arguing that the CFAA was enacted "to protect personal information stored in recordkeeping systems" and the scope of the law "should be co-extensive with its data protection purpose." At oral argument, many of the justices questioned Van Buren's attorney about the impact of his interpretation on the privacy of sensitive personal information, and a majority seemed to agree that the conduct at issue in this case should be criminalized. Justice Alito said that insiders who abuse their access can do "enormous damage" to personal privacy and referenced EPIC's amicus brief. In the brief, EPIC explained that government databases "hold vast quantities of some of the most sensitive personal data imaginable" and that "we need the CFAA, now more than ever, to be an extra check against abuse by the people entrusted to access sensitive data and systems." EPIC also argued that the Court need not limit CFAA liability to those who bypass a login system to avoid criminalizing the activity of ordinary internet users. During argument, several justices were interested in alternative ways to limit the statute to better align the law with its data protection purpose. EPIC has also participated as amicus in another CFAA case before the Court, LinkedIn v. hiQ Labs. The petition for review in LinkedIn is currently pending. (Dec. 2, 2020)
The scope of the Computer Fraud & Abuse Act ("CFAA") has been a source of heated debate for well over a decade. The provision at issue in this case was enacted as a data protection law. But several prominent advocacy groups and scholars have argued that the law can be interpreted to criminalize the everyday activities of computer users and, as a result, the scope of the law must be limited to instances where individuals bypass an authentication gate or other code-based restriction. Yet, such an interpretation would exclude almost all improper access by insiders such as employees who have credentials to access records to perform their job functions but are prohibited from using the credentials to access information for personal gain. EPIC argues that the scope of the CFAA can be limited to its data protection purpose without excluding all word-based restrictions from the law.
Nathan Van Buren was a police officer who accessed personal information in a government database for a local wealthy man in the hopes of a financial payout. Van Buren had access credentials for the database, but knew he was only to use his access to view records pursuant to his job duties. Van Buren was charged under the CFAA and convicted by a jury. Van Buren appealed to the Eleventh Circuit, which affirmed his CFAA conviction. The U.S. Supreme Court granted review.
Nathan Van Buren was a police officer in Cumming, Georgia, when he became the subject of an FBI sting operation after soliciting money from a wealthy local eccentric, Andrew Albo. At the FBI’s prompting, Albo asked Van Buren to run a license plate number to determine whether the driver was an undercover cop. Van Buren accessed the license plate record in the Georgia Crime Information Center (“GCIC”) database, which is maintained by the Georgia Bureau of Investigation and connected to the National Crime Information Center (“NCIC”) database maintained by the FBI. Officers are only allowed to access the GCIC system for law enforcement purposes, and receive training on proper and improper access. Van Buren also admitted that he knew accessing the information was “wrong.”
The provision of the CFAA at issue in this case was enacted as a data protection statute. The provision states, in relevant part, that “whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” is subject to criminal and civil liability. As originally enacted in 1984, the provision protected access to a specific category of data: sensitive financial information within the scope of the Financial Privacy Act and the Fair Credit Reporting Act. The provision targeted both “outsider” hackers and “insiders” who had authorization to access the information for business purposes but instead accessed the information for a “purpose not contemplated by the authorization.” In 1996, Congress addressed “significant gaps” in “privacy protection” for information stored in government and private databases by expanding the provision to cover any type of information.
For over a decade, several scholars and advocates (most prominently Orin Kerr) have argued that the CFAA has an overcriminalization problem. This group argues that the CFAA’s key terms, “without authorization” and “exceeds authorized access,” are ambiguous: they are either limited to circumventing a code-based restriction, such as an authorization gate, or they also extend to contract-based and other word-based restrictions on access. Because, as the group claims, word-based restrictions are materially indistinguishable from one another, including any such restriction within the scope of the law would require including all. As a result, the law would either criminalize the everyday activity of millions of Americans or fail to give proper notice of criminal liability, leading to several constitutional issues such as overbreadth and void-for-vagueness. The Second, Fourth, and Ninth Circuits have adopted this view, while the First, Fifth, Seventh, and Eleventh Circuits have read the provision more broadly.
The FBI charged Van Buren with honest-services fraud and felony computer fraud. A jury convicted him on both counts. On appeal to the Eleventh Circuit, Van Buren argued, among other things, that the jury instructions were incorrect and that there was insufficient evidence to support his convictions. The Eleventh Circuit reversed and remanded the honest-services conviction because of an error in the jury instructions, but affirmed the computer-fraud conviction. The court determined that it was bound by its prior ruling in United States v. Rodriguez, where the court held that a Social Security Administration employee who accessed the personal information of seventeen individuals in an agency database for personal reasons “exceed[ed] authorized access” under the CFAA.
Van Buren petitioned for review in the U.S. Supreme Court, arguing that the Eleventh Circuit’s decision deepens a circuit split over the interpretation of “exceeds authorized access.” The Court granted review on the question:
Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.
EPIC supports both data protection and online civil liberties. EPIC is the leading advocate for comprehensive federal data protection laws and a federal data protection agency and routinely participates as amicus in cases concerning data protection. Specifically, EPIC has participated as amicus in another CFAA case, LinkedIn v. hiQ Labs, which concerns LinkedIn's blocking of hiQ's bots from scraping LinkedIn user data for a data analysis tool that predicts for employers how long their employees will stay with the company. EPIC filed briefs in the Ninth Circuit and in support of LinkedIn's petition for review in the U.S. Supreme Court. EPIC has also supported civil liberties online in cases such as Packingham v. North Carolina and Carr v. Department of Transportation.
U.S. Supreme Court (No. 19-783)
- Petition Stage
  - Van Buren's Petition for a Writ of Certiorari (Dec. 18, 2019)
  - Brief of Respondent United States in Opposition (Mar. 10, 2020)
  - Reply Brief of Petitioner Van Buren (Mar. 18, 2020)
- Merits Stage
  - Brief of Petitioner Van Buren on the Merits (July 1, 2020)
  - Amicus Briefs in Support of Petitioner
    - Amicus Brief of R Street (July 7, 2020)
    - Amicus Brief of Kyratso Karahalios and others (July 7, 2020)
    - Amicus Brief of Association of Medical Device Service Organizations (July 7, 2020)
    - Amicus Brief of Association of Medical Device Reprocessors (July 7, 2020)
    - Amicus Brief of National Association of Criminal Defense Lawyers (July 8, 2020)
    - Amicus Brief of Committee for Justice (July 8, 2020)
    - Amicus Brief of Americans for Prosperity Foundation (July 8, 2020)
    - Amicus Brief of Reporters Committee for Freedom of the Press and others (July 8, 2020)
    - Amicus Brief of National Whistleblower Center (July 8, 2020)
    - Amicus Brief of Technology Companies (July 8, 2020)
    - Amicus Brief of Orin S. Kerr (July 8, 2020)
    - Amicus Brief of Computer Security Researchers and others (July 8, 2020)
    - Amicus Brief of The Markup (July 8, 2020)
  - Amicus Briefs in Support of Neither Party
    - Amicus Brief of The United States Technology Policy Committee of the ACM (July 7, 2020)
  - Brief of Respondent the United States on the Merits (Aug. 27, 2020)
  - Amicus Briefs in Support of Respondent
    - Amicus Brief of EPIC (Sep. 3, 2020)
    - Amicus Brief of Federal Law Enforcement Officers Association (Aug. 31, 2020)
    - Amicus Brief of Managed Funds Association (Sep. 1, 2020)
    - Amicus Brief of Karen Heart and Anthony Volini of CIPLIT (Sep. 2, 2020)
    - Amicus Brief of Voatz, Inc. (Sep. 3, 2020)
U.S. Court of Appeals for the Eleventh Circuit (No. 18-12024)
- Opinion (Oct. 10, 2019)