Supreme Court Restricts CFAA Application for Exceeding Authorized Access
(June 6, 2021) Thanks to a cop running a private license plate check for money, employers and others may need to rethink how they grant access to their computer databases and how files are kept in the databases.
In a split decision, the Supreme Court said the cop did not violate the Computer Fraud and Abuse Act (“CFAA”), which makes it illegal to “access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The majority ruled that the cop had proper access to the computer database and the CFAA does not cover taking the information because of an improper motive.
The case involved former Georgia police sergeant Nathan Van Buren. The officer asked a third party for a loan. The third party complained to the FBI that he thought Van Buren was shaking him down. The FBI then created a fake license plate registration and asked the third party to have Van Buren run the plate check. In return for the plate check, the third party would pay Van Buren $5,000. The police officer used his law enforcement computer to run the plate check. Van Buren was charged under the criminal portion of the CFAA for exceeding his authorized access to the database because Van Buren’s personal search was not an authorized access. Following his conviction, he appealed, arguing that he was authorized to access the information even though it was for a personal, not law enforcement, purpose.
The Supreme Court reversed, finding Van Buren did not exceed his authorized access because he was authorized to have access to the particular files in the database that he accessed. The court reasoned that “exceeds authorized access” occurs only when a person with authorization to access the computer obtains “information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Van Buren had authorization to access the license plate database and his actions did not violate the CFAA even though his use of the information was for “an improper purpose.”
The majority said upholding the conviction under the CFAA “would attach criminal penalties to a breathtaking amount of commonplace computer activities.” For example, the court noted that employers commonly state that computers and electronic devices can be used only for business purposes. If Van Buren’s conviction were upheld, then an employee who sends a personal email or reads the news using a work computer would violate the CFAA. Likewise, it would criminalize “everything from embellishing an online-dating profile to using a pseudonym on Facebook.”
The dissent observed that Van Buren obtained the license plate information for personal gain, not for a valid law enforcement purpose. “And without a valid law enforcement purpose, he was forbidden to use the computer to obtain the information.” The dissent noted that the law has historically punished those who exceed the scope of consent when using property belonging to others such as a valet who takes possession of a car to park it cannot take the car for a joyride.
The dissent faults the majority’s interpretation that, once a person has access to a data file, there can be no violation of the CFAA for unauthorized access. Thus, if a credit card company forbids access by an employee to his ex-wife’s purchasing history but allows the employee to obtain and transfer purchase history data when an account has been flagged, then the employee would not violate the CFAA by accessing his ex-wife’s data. The same would be true if a person, minutes before resigning, deletes every file on a computer. So long as the employee could access the files, would be immune. On the other hand, if the employer forbids accessing a file of computer games, there would be a criminal violation under the CFAA if the employee plays a round of solitaire from the Windows “games” folder.
The result of the decision means employers may need to revise their policies regarding access and segregate the files and databases that employees may access. Website operators also may need to revisit their terms and conditions, especially if users have access to files, folders, or databases.
Van Buren v. United States, Supreme Court No. 19-783, issued June 3, 2021.