Skip navigation
× You have 2 more free articles available this month. Subscribe today.

SCOTUS: ‘Exceeds Authorized Access’ Under the CFAA Means Accessing Areas of Computer That Are Off-Limits on Computer Otherwise Authorized to Access

by Doug Ankney

The Supreme Court of the United States (“SCOTUS”) held that for purposes of 18 U.S.C. § 1030(a)(2), the Computer Fraud and Abuse Act of 1986 (“CFAA”), an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer (files, folders, databases) that are off-limits to him.
The FBI directed Andrew Albo to offer Police Sergeant Nathan Van Buren $5,000 to search the state law enforcement computer database for a license plate purportedly belonging to a woman Albo had met at a strip club ostensibly to make sure she wasn’t an undercover officer. Van Buren used his patrol-car computer to access the law enforcement database using his valid credentials. Van Buren obtained the FBI-created entry and informed Albo he had information to share. The Federal Government then charged Van Buren with a felony violation of the CFAA on the ground that running the license plate check for Albo violated the “exceeds authorized access” clause.

Trial evidence showed that Van Buren had been trained not to use the law enforcement database for “an improper purpose” defined as “any personal use.” According to the Government, that violation of department policy also violated the CFAA. The Government told the jury that Van Buren’s access of the database “for a non-law-enforcement purpose” violated the CFAA “concept” against “using” a computer network in a way contrary to “what your job or policy prohibits.”

The jury convicted Van Buren, and he was sentenced to 18 months in prison. Van Buren appealed to the Eleventh Circuit, arguing that the “exceeds authorized access” clause applies only to those who obtained information to which their computer access did not extend, not to those who misuse the access that they otherwise have. While the First, Second, Fourth, Fifth, Sixth, Seventh, and Ninth Circuits all agree with Van Buren’s interpretation (see opinion for supporting citations), a panel of the Eleventh Circuit—consistent with precedent—held that Van Buren had violated the CFAA by accessing the law enforcement database for an “inappropriate reason.” SCOTUS granted certiorari to resolve the circuit split regarding the scope of liability under the CFAA’s “exceeds authorized access” clause.

The case was one of statutory interpretation. As such, the Court observed “[w]e start where we always do: with the text of the statute. Here, the most relevant text is the phrase ‘exceeds authorized access,’ which means ‘to access a computer with authorization and to use such access to obtain ... information in the computer that the accesser is not entitled so to obtain.’ § 1030(e)(6).”

The parties agreed that Van Buren accessed the computer with authorization and that he had obtained information in the computer when he acquired the license-plate record. Consequently, the dispute was whether Van Buren was “entitled so to obtain” the record.

“Entitle” means “to give ... a title, right, or claim to something.” Random House Dictionary of the English Language (2d ed. 1987). While the parties agreed Van Buren was entitled to obtain the information, they disputed whether he was “entitled so to obtain” the information.

According to Van Buren, “entitled so to obtain” asks whether one had the right in “the same manner as has been stated” to obtain the information. (“So” is defined as “the same manner as has been stated” in Black’s Law Dictionary.) He argued that the only manner of obtaining information as had been stated in the statute was “via a computer [one] is otherwise authorized to access.” Thus, if a person has access to information stored in a computer in “Folder Y,” and pulls that information and uses it for a prohibited purpose, he lawfully obtained the information even though he misused the information. But if a person accesses the computer and obtains information from a prohibited place, “Folder X,” he violates the CFAA by obtaining the information.

On the other hand, the Government interpreted the phrase “is not entitled so to obtain” to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. The manner or circumstances in which one has a right to obtain information, according to the Government, is defined by any “specifically and explicitly” communicated limits on one’s right to access information. For example, an employee may lawfully pull information from Folder Y in the morning for a business meeting but unlawfully pull that same information from Folder Y in the afternoon for a prohibited purpose such as drafting a resume to submit to a competitor.

SCOTUS determined that Van Buren’s interpretation to be more plausible than the Government’s because his treatment of “so” references the previously stated “manner or circumstance” in the text of § 1030(e)(6) itself. The Court reasoned: “‘So’ is not a free-floating term that provides a hook for any limitation stated anywhere. It refers to a stated, identifiable proposition from the ‘preceding’ text; indeed, ‘so’ typically ‘[r]epresents’ a ‘word or phrase already employed,’ thereby avoiding the need for repetition. Oxford English Dictionary [(2d ed. 1989).]”
The Government countered that the “common parlance” meaning of the phrase “exceeds authorized access” requires its interpretation. That is, according to the Government, any ordinary speaker of the English language would think that Van Buren “exceed[ed] his authorized access” to the law enforcement database when he obtained information for personal use.
SCOTUS explained “[i]f the phrase ‘exceeds authorized access’ were all we had to go on, the Government ... might have a point.” But the CFAA explicitly defines the phrase “exceeds authorized access.” When “a statute includes an explicit definition” of a term, the courts “must follow that definition, even if it varies from a term’s ordinary meaning.” Tanzin v. Tanvir, 141 S. Ct. 486 (2020). The statutory definition of the phrase favors Van Buren’s interpretation, SCOTUS determined.

Van Buren’s interpretation places the statute’s two individual parts into a harmonious whole using a “gates-up-or-down” inquiry. Roberts v. Sea-Land Services, Inc., 566 U.S. 93 (2012). That is, a person may obtain information unlawfully in one of two ways: (1) by accessing a computer without authorization, § 1030(a)(2); or by accessing a computer with authorization and then obtaining information he is not entitled so to obtain. §§ 1030(a)(2), (e)(6). Under Van Buren’s interpretation, one either can or cannot access a computer system, and one either can or cannot access certain areas within the system, SCOTUS observed.

Finally, SCOTUS noted that the Government’s interpretation would make criminals out of millions of otherwise law-abiding citizens. If the “exceeds authorized access” clause criminalizes every violation of a computer use policy, then the CFAA would be violated every time an employee sent a personal email or read the news or paid a bill on her work computer. In fact, there was Department of Justice testimony indicating that “a CFAA prosecution” could be based on terms-of-service violations causing “de minimis harm.” Sandvig v. Barr, 451 F.Supp.3d 73 (DC 2020). A prosecution could commence “if the defendant exceed[s] authorized access solely by violating an access restriction contained in a contractual agreement or term of service with an Internet service provider or website.” Id. SCOTUS, pointing to the foregoing, stated that concerns about prosecutions for terms of service violations are not hypothetical in light of the Government’s current CFAA charging policy.

SCOTUS concluded “[i]n sum, an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Because Van Buren had authorization to access the law enforcement database, he did not “exceed authorized access,” SCOTUS held.

Accordingly, SCOTUS reversed the contrary judgment of the Eleventh Circuit and remanded for further proceedings consistent with its opinion. See: Van Buren v. United States, 141 S. Ct. 1648 (2021). 

As a digital subscriber to Criminal Legal News, you can access full text and downloads for this and other premium content.

Subscribe today

Already a subscriber? Login

Related legal case

Van Buren v. United States

 

 

Prison Profiteers - Side
CLN Subscribe Now Ad
PLN Subscribe Now Ad