The United States Supreme Court has adopted a narrow interpretation of the scope of liability under the Computer Fraud and Abuse Act
On June 3, 2021, the US Supreme Court in the Van Buren v. United States case overturned the US Court of Appeals for the Eleventh District’s decision to uphold the conviction of Nathan Van Buren, a former Georgia Police Sergeant who allegedly Violated the Computer Fraud and Abuse Act 1986 (“CFAA”) in accessing a law enforcement database for non-criminal purposes against his department’s policies. Van Buren, the target of an FBI stab operation, had accessed the database to look up license plate information in exchange for money. The court dealt with a division of competencies between the districts with regard to the scope of liability under the CFAA.
The question asked in court was whether Van Buren’s actions – accessing a computer with authorization (using valid credentials to log into the database) but for an unauthorized purpose – violated the CFAA’s “exceed authorized access” clause, the “access to a computer with authorization to use and to use this access to obtain or change information on the computer that the authorized user is not authorized to receive or change.” Specifically, the dispute depended on whether Van Buren “Was entitled to” receive the license plate information in question.
In a statement that emphasized the interpretation of the text and the meaning of the word “so,” Judge Barrett, who wrote for the majority, found that Van Buren’s conduct falls outside the relevant CFAA provision, which is best read in order to obtain information from areas of a computer that are not accessible, not to obtain information that is otherwise accessible to a person but with an inappropriate motive. Judge Thomas, who wrote for the dissent, claimed that by focusing on the word ‘so’, the majority largely avoids analyzing the word ‘entitled’, which “forces the conclusion to the contrary”.
Ultimately, the court ruled that if a person were to access a computer with authorization, but then received information that resided in a specific area of the computer, such as files or folders that were “beyond authorized access”, the person would “go beyond authorized access”. are not allowed “. The majority noted that the government’s adoption of the CFAA’s interpretation would result in “a staggering amount of day-to-day computer activity” including criminal penalties. B. sending a personal e-mail by an employee or reading messages on a work computer for non-business purposes against an employer policy.