The scope of the Computer Fraud & Abuse Act (“CFAA”) has been a source of heated debate for well over a decade. The provision at issue in this case was enacted as a data protection law. But several prominent advocacy groups and scholars have argued that the law can be interpreted to criminalize the everyday activities of computer users and, as a result, the scope of the law must be limited to instances where individuals bypass an authentication gate or other code-based restriction. Yet, such an interpretation would exclude almost all improper access by insiders such as employees who have credentials to access records to perform their job functions but are prohibited from using the credentials to access information for personal gain. EPIC argues that the scope of the CFAA can be limited to its data protection purpose without excluding all word-based restrictions from the law.
Nathan Van Buren was a police officer who accessed personal information in a government database for a local wealthy man in the hopes of a financial payout. Van Buren had access credentials for the database, but knew he was only to use his access to view records pursuant to his job duties. Van Buren was charged under the CFAA and convicted by a jury. Van Buren appealed to the Eleventh Circuit, which affirmed his CFAA conviction. The U.S. Supreme Court granted review.
Nathan Van Buren was a police officer in Cuming, Georgia, when he became the subject of an FBI sting operation after soliciting money from a wealthy local eccentric, Andrew Albo. At the FBI’s prompting, Albo asked Van Buren to run a license plate number to determine whether the driver was an undercover cop. Van Buren accessed the license plate record in the Georgia Crime Information Center (“GCIC”) database, which is maintained by the Georgia Bureau of Investigation and connected to the National Crime Information Center (“NCIC”) database maintained by the FBI. Officers are only allowed to access the GCIC system for law enforcement purposes, and receive training on proper and improper access. Van Buren also admitted that he knew accessing the information was “wrong.”
The provision of the CFAA at issue in this case was enacted as a data protection statute. The provision states, in relevant part, that “whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” is subject to criminal and civil liability. As originally enacted in 1984, the provision protected access to a specific category of data: sensitive financial information within the scope of the Financial Privacy Act and the Fair Credit Reporting Act. The provision targeted both “outsider” hackers and “insiders” who had authorization to access the information for business purposes but instead accessed the information for a “purpose not contemplated by the authorization.” In 1996, Congress addressed “significant gaps” in “privacy protection” for information stored in government and private databases by expanding the provision to cover any type of information.
For over a decade, several scholars and advocates (most prominently Orin Kerr) have argued that the CFAA has an overcriminalization problem. This group argues that the CFAA’s key terms, “without authorization” and “exceeds authorized access,” are ambiguous: they are either limited to circumventing a code-based restriction, such as an authorization gate, or they also extend to contract-based and other word-based restrictions on access. Because, as the group claims, word-based restrictions are materially indistinguishable from one another, including any such restriction within the scope of the law would require including all. As a result, the law would either criminalize the everyday activity of millions of Americans or fail to give proper notice of criminal liability, leading to several constitutional issues such as overbreadth and void-for-vagueness. The Second, Fourth, and Ninth Circuits have adopted this view, while the First, Fifth, Seventh, and Eleventh Circuits have read the provision more broadly.
The FBI charged Van Buren with honest-services fraud and felony computer fraud. A jury convicted him on both counts. On appeal to the Eleventh Circuit, Van Buren argued, among other things, that the jury instructions were incorrect and that there was insufficient evidence to support his convictions. The Eleventh Circuit reversed and remanded the honest-services conviction because of an error in the jury instructions, but affirmed the computer-fraud conviction. The court determined that it was bound by its prior ruling in United States v. Rodriquez, where the court held that a Social Security Administration employee who accessed the personal information of seventeen individuals in an agency database for personal reasons “exceed[ed] authorized access” under the CFAA.
Van Buren petitioned for review in the U.S. Supreme Court, arguing that the Eleventh Circuit’s decision deepens a circuit split over the interpretation of “exceeds authorized access.” The Court granted review on the question
Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.