Issues
Does an individual “exceed authorized access” under the Consumer Fraud and Abuse Act (“CFAA”) when the individual is authorized to access information on a computer for a specific purpose but accesses that information for an impermissible purpose?
This case asks the Supreme Court to determine the scope of the “exceeds authorized access” clause of the Consumer Fraud and Abuse Act (“CFAA”). A person violates the CFAA when the person “accesses a computer without authorization or exceeds authorized access, and thereby obtains information” from the computer. Petitioner Van Buren was a policeman who was authorized to access a law enforcement database. For reasons unrelated to his job, he used that access to search a license plate for financial gain. Respondent United States contends that when Van Buren accessed the database for a reason unrelated to his job, he exceeded his authorized access and violated the CFAA. Van Buren argues that he did not exceed his authorized access because the “exceeds authorized access” provision does not punish individuals who misuse information they are otherwise authorized to access. The outcome of this case will have broad implications on how employers protect sensitive data and how prosecutors can pursue hacking and computer fraud.
Questions as Framed for the Court by the Parties
Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.
Facts
Nathan Van Buren, a police sergeant in Cumming, Georgia, befriended Andrew Albo, a man who had previously been arrested by Van Buren. United States v. Van Buren at 1197. Albo frequently paid prostitutes for services, and Van Buren helped managed disputes arising from those interactions. Id.
In 2015, Van Buren experienced financial issues and asked Albo for $15,368. Id. Van Buren falsely claimed that he needed the money to pay for his son’s medical bills and was unable to obtain a bank loan due to bad credit. Id. Albo, however, recorded their conversations about the loan solicitation without Van Buren’s knowledge. Id. Albo then brought the recorded conversations to the FBI, which devised a “sting” operation to see how far Van Buren would go for money. Id. Under the operation, Albo was to provide Van Buren with cash in exchange for information about the identity of a woman named Carson. Id. Albo had allegedly met Carson at a strip club and wanted to know if she was an undercover officer before pursuing her further. Id.
Initially, Albo paid $5,000 in exchange for Van Buren’s help in discovering whether Carson was an undercover officer. Id. Albo subsequently provided Van Buren with a fake license plate number, created by the FBI, to investigate whether Carson’s license plate was in the police database. Id. at 1198. The two subsequently met over lunch where Albo paid Van Buren an additional $1,000. Id. A few days later, Van Buren ran the plates through the police system and texted Albo that he had information for him. Id.
The next day, both the FBI and the Georgia Bureau of Investigation arrived at Van Buren’s doorstep, whereupon Van Buren admitted to his actions. Id. Van Buren admitted to having received $6,000 from Albo and to having illegally investigated Carson using the police database. Id. Van Buren also admitted that he knew his sole role was to discover whether Carson was an undercover officer. Id.
At trial, the jury found Van Buren guilty for one count of honest-services wire fraud, in violation of 18 U.S.C. §§ 1343 and 1346, and one count of felony computer fraud, in violation of 18 U.S.C. § 1030 (the Consumer Fraud and Abuse Act). Id. Van Buren appealed his convictions on grounds that (1) the district court’s jury instructions were flawed; (2) the government produced insufficient evidence to support his convictions; and (3) he was denied his Sixth Amendment right to confront an adverse witness. Id.
Reviewing the claims de novo, the United States Court of Appeals for the Eleventh Circuit first held that the district court’s jury instructions on the honest-services count were flawed. Id. However, it found that there was sufficient evidence to support the conviction on that count so it remanded for a new trial on that charge. Id. Next, the Eleventh Circuit held that there were no problems with the jury instructions or the evidence presented on the computer-fraud conviction. Id. at 1207. Relying on its previous interpretation of 18 U.S.C. § 1030’s “exceeds authorized access” provision in United States v. Rodriguez, the Eleventh Circuit held that a person with access to a computer can commit computer fraud if that person abuses or misuses their privilege. Id. Since Van Buren’s actions met this definition, the Eleventh Circuit affirmed his conviction. Id. at 1208.
Lastly, the Eleventh Circuit affirmed the district court’s decision in finding no merit to Van Buren’s Sixth Amendment claim. Id. at 1209.
Van Buren appealed, and on April 20, 2020 the United States Supreme Court granted certiorari to hear this case.
Analysis
DOES THE DEFINITION OF “EXCEED AUTHORIZED ACCESS” COVER AUTHORIZED ACCESS FOR AN IMPROPER PURPOSE?
Van Buren argues that the most natural reading of the Consumer Fraud and Abuse Act’s (“CFAA”) definition of “exceed authorized access” excludes an individual who is authorized to access information but does so for an unauthorized reason. See Brief for Petitioner, Van Buren at 17. Van Buren states that “exceeds authorized access” is defined in 18 U.S.C. § 1030(e)(6) of the CFAA as: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. Van Buren contends that the key words in that definition are “entitled” and “obtain,” and their ordinary meanings, respectively, are “to give a right” and “to acquire.” Id. at 18. Thus, Van Buren argues that the phrase “not entitled so to obtain or alter” should be read to mean “does not have the right to acquire.” Id. Therefore, he contends that “exceeds authorized access” only applies to individuals obtaining information that they are not entitled to access for any reason. See id. Van Buren concludes that his conduct—accessing authorized information for an improper purpose—accordingly falls outside of this definition because he had the right to acquire the information. See id. Van Buren further contends that had Congress wanted to prohibit accessing information for an unauthorized purpose, it would have done so expressly. See id. at 19. As evidence, Van Buren points to three different statutes Congress passed that prohibit obtaining or using information for “an unauthorized purpose.” Id.
The United States counters that the text of the definition of “exceeds authorized access” should be construed to include an authorized individual accessing information for an unauthorized purpose. See Brief for Respondent, United States at 18. The United States agrees with Van Buren’s definition of the word “obtains.” See id. The United States, however, argues that Van Buren misreads the provision by considering “entitled”; rather, the United States contends the critical phrase is “entitled so.” Id. The United States contends that “entitled so” means to “grant the right to do [something] in a particular manner or circumstance.” See id. Thus, the United States concludes the definition of “exceeds authorized access” describes individual who did not have the right to acquire information in that particular manner or circumstance. Id. at 18–19. Therefore, the United States argues that just as a psychiatrist who uses her credentials to access patient information to sell it would exceed her authorized access, Van Buren exceeded his authorized access when he ran Carson’s license plate because he used his authorized access to obtain information for an unauthorized purpose. See id. at 19.
THE PURPOSE OF “EXCEEDS AUTHORIZED ACCESS”
Van Buren argues that interpreting “exceeds authorized access” to cover an individual using authorized access to obtain information for an unauthorized purpose would be inconsistent with the CFAA’s purpose. See Brief for Petitioner at 23. Van Buren contends that the CFAA was enacted to prevent hackers who did not have permission to “enter” computer files or data. Id. Van Buren thus contends that the “exceeds authorized access” clause was included to specifically target inside hackers—people who are authorized to access certain data but accessed data they were not authorized to access. See id. at 23–24. Van Buren states that extending the CFAA to cover situations where a person was authorized to access the data at issue but just did so for an impermissible purpose would therefore be inconsistent with the CFAA’s purpose. See id.
The United States counters that Congress intended the “exceeds authorized access” clause to include an individual using authorized access to obtain data for an unauthorized purpose. See Brief for Respondent at 26. The United States points out that the original version of the provision included a person who had “accessed a computer with authorization [and] use[d] the opportunity such access provides for purposes to which such authorization does not extend.” See id. The United States argues this is evidence that the CFAA’s purpose was not to just prevent insider hacking, as Van Buren contends. See id. at 26–27. The United States further argues that Congress intended the provision to apply to an individual accessing authorized information for an unauthorized purpose because the provision was intended to treat computer information as property. See id. The United States contends that since traditional property law crimes, like theft and trespass, cover someone using property in a way the owner has not authorized, “exceeds authorized access” was intended to cover people like Van Buren who have authorization to access information but do so for an unauthorized purpose. See id. at 33–34. As evidence Congress intended to adopt the more protective property law paradigm, the United States points to House Reports that found that traditional theft statutes inadequately protected people from theft of computer information. See id. at 30–32.
EFFECTS OF EXPANDING “EXCEEDS AUTHORIZED ACCESS”
Van Buren argues that expanding “exceeds authorized access” to include individuals using authorized access for an unauthorized purpose would criminalize benign conduct and raise First Amendment and vagueness concerns. See Brief for Petitioner at 26–27. First, Van Buren states that, under such an interpretation, commonplace computer use, such as a law student using Westlaw for personal use or a worker using a company computer to fill out an NCAA bracket, would violate the CFAA. See id. at 27–28. Second, Van Buren contends that such an interpretation may raise constitutional concerns because the First Amendment protects individuals who make false statements. See id. at 36–37. Under the government’s definition, Van Buren argues that an individual who creates a fake account on a dating site would be using the site for an unauthorized purpose, thereby exceeding their authorized access and violating the CFAA. Id. Thus, Van Buren argues that holding that person liable under the CFAA for making false statements would run afoul of the First Amendment’s protections of false statements. See id. Third, Van Buren argues that interpreting “exceeds authorized access” to include unauthorized use may create a “void-for-vagueness” problem. See id. at 38. Van Buren argues that a statute is impermissibly vague when it is “so standardless that it invites arbitrary enforcement” and the United States’ proposed interpretation would criminalize so much conduct that it would invite arbitrary enforcement. See id. at 29–31, 38. These consequences, Van Buren argues, are further evidence that such an interpretation is incorrect. See id. at 29.
The United States disputes Van Buren’s argument that interpreting “exceeds authorized access” to include people using authorized access for an unauthorized purpose would criminalize benign conduct and raise First Amendment and vagueness concerns. See Brief for Respondent at 34. First, the United States responds that its interpretation would not result in commonplace computer use violating the CFAA. See id. at 35. The United States points out that while there is only one condition of “exceeds authorized access” at issue here, other parts of “exceeds authorized access” would limit violations; including that the individuals must still access the database “with authorization” and use that access to “obtain or alter information in the computer.” See id. at 36. Next, the United States responds to Van Buren’s constitutional and vagueness concerns by pointing out that constitutional avoidance—a principle that the Supreme Court should avoid ruling on constitutional issues when it can resolve the dispute on other grounds—only applies when there are multiple viable interpretations of a statute. See id. at 44–45. The United States, however, emphasizes that there is only one viable interpretation here. See id. Even if constitutional avoidance were at issue here, the United States argues its interpretation does not raise First Amendment or vagueness problems. See id. at 44–48. For the First Amendment, the United States argues that “exceeds authorized access” actions would only regulate conduct, and therefore would not raise First Amendment concerns. See id. at 45. For vagueness, the United States argues its interpretation of “exceeds authorized access” would still provide fair notice of the conduct it prohibits, and therefore, it would not be impermissibly vague. See id. at 47–48.
Discussion
CIVIL RIGHTS AND LIBERTIES ISSUES
Kyratso Karahalios (“Karahalios”), in support of Van Buren, argues that the government’s overly restrictive interpretation of the CFAA risks encumbering online auditors and networks from efficiently mitigating instances of racial discrimination in numerous areas of digital transactions. See Brief of Amici Curiae Kyratso Karahalios, et al., in Support of Petitioner at 7. Karahalios states that civil rights abuses have increasingly migrated online. See id. at 11. Therefore, Karahalios maintains, there is an increased need to allow digital research and data auditors, who already combat such abuse, the continued ability to do so. Id. at 14. However, Karahalios argues that an expansive reading of the CFAA risks preventing these digital auditors from doing their jobs because they could theoretically be liable for trivial violations of a given website’s ever-shifting terms of service that virtually no one reads. Id. at 19–21. Additionally, Karahalios states that the government’s interpretation would severely restrict the auditors ability to gather information and readily adapt their polices to changing technological needs. See id. at 20.
Electronic Privacy Information Center (“EPIC”), in support of United States, counters that rather than restricting the scope of civil liberties violations, the CFAA protects against such abuses by preventing government insiders from obtaining access to secure government databases. See Brief of Amici Curiae Electronic Privacy Information Center (EPIC), et al., in Support of Respondent at 7–9. By arguing that the CFAA merely restricts private companies from using emerging technologies to thwart modern civil rights abuses in the digital arena, EPIC contests that such focus overlooks the critical fact that government agents have access to the personal data records of millions of Americans. Id. at 13. Accordingly, EPIC asserts that limiting the CFAA’s scope would risk divulging highly personal information, such as the “Social Security numbers, dates of birth, addresses, [and] telephone numbers” of countless Americans to unauthorized individuals. Id. at 14. A privacy breach of this magnitude, EPIC maintains, could result in grave civil rights violations. Id. By contrast, EPIC maintains that the approach it endorses would keep the restrictive rules in place, but permit judges to evaluate allegations of CFAA on a case-by-case basis. Id. Thus, EPIC states that the fears that blanket bans would be imposed on non-complying private actors are unfounded because judges are encouraged to balance the alleged violation against the broader public good being provided by a private actor. Id. Hence, EPIC insists that judges custom-tailor any punitive measures against single actors only, and not entire industries, so as to not impede technology companies from pursuing their own private interests, which often align with the government’s interest anyway to eradicate all forms of digital discrimination. Id. at 25.
LAW ENFORCEMENT IMPLICATIONS
The National Association of Criminal Defense Lawyers (“NACDL”), in support of Van Buren, asserts that an expansive reading of the CFAA invites arbitrary, discriminatory enforcement of criminal law, creating constitutional violations. See Brief of Amici Curiae The National Association of Criminal Defense Lawyers, in Support of Petitioner at 16. The NACDL contends that an expansive construction of the CFAA criminalizes more persons than is reasonable, which erodes the bedrock freedoms of American society. Id. at 19. The NACDL recognizes the utility of the CFAA, but also claims that the government can interpret the law narrowly so as to avoid the broader due process intrusions that arise from over-penalizing any individual or business who accesses information improperly. Id. at 20. The NACDL maintains that such a sweeping interpretation would unduly risk incriminating unsuspecting persons of a felony for otherwise “innocuous instances of computer misuse.” Id. at 21.
The Federal Law Enforcement Officers Association (“Federal Officers Association”), in support of United States, argues that Petitioner’s reading of the CFAA is too limited in that it only focuses on the “hacking side” of a data breach while ignoring the scope to which authorized persons of data could abuse their privilege. See Brief of Amici Curiae Federal Officers Association, in Support of Petitioner at 6. The Federal Officers Association asserts that hundreds of thousands of federal, state, and local enforcement officers have authorized access to the private data of millions of Americans. Id. at 9–10. Thus, the Federal Officers Association maintains that merely regulating unauthorized persons overlooks the grave possibility that without a legal backstop, law enforcement officers may readily abuse their powers for exploitative purposes. Id. Federal Officers Association reasons that a hands-off approach towards authorized data users could undermine confidence in database systems; people might alter records of crimes that could potentially create “a flaw in the search warrant application or even an arrest.” Id. 11. Therefore, Federal Officers Association concludes that the CFAA must protect not only against data breaches, but individuals accessing information for impermissible reasons as well. Id.
Written by
Edited by
Acknowledgments
Additional Resources
- Jon Reid, High Court to Hear Case Testing Scope of Anti-Hack Law, Bloomberg Law (Apr. 20, 2020).
- Morvillo Abramowitz Grand Iason & Anello PC, The Supreme Court Will Interpret Another White-Collar Criminal Statute, Lexology (Nov. 10, 2020).