Van Buren v. United States

Whether a police officer "exceeds authorized access" under the Computer Fraud & Abuse Act when they use their authorization to access personal information in a government database for an improper purpose.
  • EPIC to Supreme Court: Government Insiders Who Improperly Access Personal Data Violate Computer Crime Statute: EPIC has filed an amicus brief in the U.S. Supreme Court case Van Buren v. United States, which concerns whether a police officer violated the Computer Fraud & Abuse Act by accessing personal data in a government database for non-law enforcement purposes. EPIC’s brief argues that the CFAA was enacted “to protect personal information stored in recordkeeping systems” and the scope of the law “should be co-extensive with its data protection purpose.” EPIC wrote that government databases “hold vast quantities of some of the most sensitive personal data imaginable” and that “we need the CFAA, now more than ever, to be an extra check against abuse by the people entrusted to access sensitive data and systems.” The brief also responds to concerns about the potential scope of CFAA liability by noting that “any limiting principle should be tethered to the underlying purpose of” the provision, which is “to protect sensitive data from exposure and subsequent misuse.” EPIC has participated as amicus in LinkedIn v. hiQ Labs, which concerns the application of the CFAA to companies that scrape social media user data. The petition for review in the LinkedIn case is pending in the U.S. Supreme Court. (Sep. 3, 2020)

Summary

The scope of the Computer Fraud & Abuse Act ("CFAA") has been a source of heated debate for well over a decade. The provision at issue in this case was enacted as a data protection law. But several prominent advocacy groups and scholars have argued that the law can be interpreted to criminalize the everyday activities of computer users and, as a result, the scope of the law must be limited to instances where individuals bypass an authentication gate or other code-based restriction. Yet, such an interpretation would exclude almost all improper access by insiders such as employees who have credentials to access records to perform their job functions but are prohibited from using the credentials to access information for personal gain. EPIC argues that the scope of the CFAA can be limited to its data protection purpose without excluding all word-based restrictions from the law.

Nathan Van Buren was a police officer who accessed personal information in a government database for a local wealthy man in the hopes of a financial payout. Van Buren had access credentials for the database, but knew he was only to use his access to view records pursuant to his job duties. Van Buren was charged under the CFAA and convicted by a jury. Van Buren appealed to the Eleventh Circuit, which affirmed his CFAA conviction. The U.S. Supreme Court granted review.

Background

Factual Background

Nathan Van Buren was a police officer in Cumming, Georgia, when he became the subject of an FBI sting operation after soliciting money from a wealthy local eccentric, Andrew Albo. At the FBI’s prompting, Albo asked Van Buren to run a license plate number to determine whether the driver was an undercover cop. Van Buren accessed the license plate record in the Georgia Crime Information Center (“GCIC”) database, which is maintained by the Georgia Bureau of Investigation and connected to the National Crime Information Center (“NCIC”) database maintained by the FBI. Officers are only allowed to access the GCIC system for law enforcement purposes, and receive training on proper and improper access. Van Buren also admitted that he knew accessing the information was “wrong.”

Legal Background

The provision of the CFAA at issue in this case was enacted as a data protection statute. The provision states, in relevant part, that “whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” is subject to criminal and civil liability. As originally enacted in 1984, the provision protected access to a specific category of data: sensitive financial information within the scope of the Financial Privacy Act and the Fair Credit Reporting Act. The provision targeted both “outsider” hackers and “insiders” who had authorization to access the information for business purposes but instead accessed the information for a “purpose not contemplated by the authorization.” In 1996, Congress addressed “significant gaps” in “privacy protection” for information stored in government and private databases by expanding the provision to cover any type of information.

For over a decade, several scholars and advocates (most prominently Orin Kerr) have argued that the CFAA has an overcriminalization problem. This group argues that the CFAA’s key terms, “without authorization” and “exceeds authorized access,” are ambiguous: they are either limited to circumventing a code-based restriction, such as an authorization gate, or they also extend to contract-based and other word-based restrictions on access. Because, as the group claims, word-based restrictions are materially indistinguishable from one another, including any such restriction within the scope of the law would require including all. As a result, the law would either criminalize the everyday activity of millions of Americans or fail to give proper notice of criminal liability, leading to several constitutional issues such as overbreadth and void-for-vagueness. The Second, Fourth, and Ninth Circuits have adopted this view, while the First, Fifth, Seventh, and Eleventh Circuits have read the provision more broadly.

Procedural History

The FBI charged Van Buren with honest-services fraud and felony computer fraud. A jury convicted him on both counts. On appeal to the Eleventh Circuit, Van Buren argued, among other things, that the jury instructions were incorrect and that there was insufficient evidence to support his convictions. The Eleventh Circuit reversed and remanded the honest-services conviction because of an error in the jury instructions, but affirmed the computer-fraud conviction. The court determined that it was bound by its prior ruling in United States v. Rodriguez, where the court held that a Social Security Administration employee who accessed the personal information of seventeen individuals in an agency database for personal reasons “exceed[ed] authorized access” under the CFAA.

Van Buren petitioned for review in the U.S. Supreme Court, arguing that the Eleventh Circuit’s decision deepens a circuit split over the interpretation of “exceeds authorized access.” The Court granted review on the question:

Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.

EPIC's Interest

EPIC supports both data protection and online civil liberties. EPIC is the leading advocate for comprehensive federal data protection laws and a federal data protection agency and routinely participates as amicus in cases concerning data protection. Specifically, EPIC has participated as amicus in another CFAA case, LinkedIn v. hiQ Labs, which concerns LinkedIn's blocking of hiQ's bots from scraping LinkedIn user data for a data analysis tool that predicts for employers how long their employees will stay with the company. EPIC filed briefs in the Ninth Circuit and in support of LinkedIn's petition for review in the U.S. Supreme Court. EPIC has also supported civil liberties online in cases such as Packingham v. North Carolina and Carr v. Department of Transportation.

Legal Documents

U.S. Supreme Court (No. 19-783)

U.S. Court of Appeals for the Eleventh Circuit (No. 18-12024)
