Van Buren v. United States
593 U. S. ____ (2021) (2021)
Premium Feature
Subscribe to Lexplug to listen to the Case Podcast.
Rule of Law:
An individual 'exceeds authorized access' under the Computer Fraud and Abuse Act of 1986 (CFAA) when they access a computer with authorization but then obtain information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to them. The statute does not prohibit accessing information for an improper purpose if the user is otherwise authorized to obtain that information.
Facts:
- Nathan Van Buren was a police sergeant in Cumming, Georgia.
- Van Buren befriended a man named Andrew Albo, who was known to be volatile.
- Facing financial difficulties, Van Buren asked Albo for a personal loan.
- Albo secretly recorded the conversation and reported it to the local sheriff's office, claiming Van Buren was attempting to 'shake him down' for money.
- This report led the FBI to launch a sting operation against Van Buren.
- As part of the sting, Albo asked Van Buren to search the state law enforcement database for a specific license plate number, telling him he wanted to ensure the woman associated with it was not an undercover officer.
- Albo offered to pay Van Buren approximately $5,000 for conducting the search.
- Van Buren used his valid credentials on his patrol-car computer to access the database and retrieve the information, in violation of a department policy that authorized database access for law-enforcement purposes only.
Procedural Posture:
- The United States charged Nathan Van Buren in the U.S. District Court for the Northern District of Georgia with a felony violation of the Computer Fraud and Abuse Act (CFAA).
- A jury convicted Van Buren of the charge.
- The District Court sentenced Van Buren to 18 months in prison.
- Van Buren, as appellant, appealed his conviction to the U.S. Court of Appeals for the Eleventh Circuit.
- The Eleventh Circuit, with the United States as appellee, affirmed the conviction, holding that Van Buren had violated the CFAA by accessing the law enforcement database for an 'inappropriate reason.'
- The U.S. Supreme Court granted Van Buren's petition for a writ of certiorari to resolve a circuit split on the interpretation of the CFAA.
Premium Content
Subscribe to Lexplug to view the complete brief
You're viewing a preview with Rule of Law, Facts, and Procedural Posture
Issue:
Does a person 'exceed authorized access' under the Computer Fraud and Abuse Act of 1986 when they access a computer database with valid credentials but use that access to obtain information for an improper purpose?
Opinions:
Majority - Justice Barrett
No. A person does not 'exceed authorized access' under the CFAA by accessing information for an improper purpose when they have the authority to access that information. The statutory phrase 'is not entitled so to obtain' refers to information one is not allowed to obtain by using a computer they are authorized to access, establishing a 'gates-up-or-down' inquiry. This means the violation occurs when a user accesses files, folders, or databases that are off-limits to them, not when they misuse their valid access. This interpretation aligns the 'exceeds authorized access' clause with the 'without authorization' clause, which targets outside hackers, by treating both as access-based violations. The government's broader, purpose-based interpretation would criminalize a vast range of common activities, such as using a work computer for personal tasks in violation of employer policy, an outcome Congress did not intend.
Dissenting - Justice Thomas
Yes. A person 'exceeds authorized access' when they use a computer database under circumstances that are expressly forbidden. The term 'entitled' is circumstance-dependent; because Van Buren lacked a valid law enforcement purpose, he was not 'entitled' to obtain the information at that time. This reading aligns with foundational principles of property law, where exceeding the scope of consent constitutes a violation, such as a valet taking a car for a joyride. The majority's interpretation incorrectly reads the statute as if authorization is absolute rather than conditional, ignoring that authority to access property is inherently tied to the purpose for which that access is granted. The plain meaning of the phrase encompasses Van Buren's conduct, as he used his access in a way he was explicitly forbidden to.
Analysis:
This decision significantly narrows the scope of criminal liability under the Computer Fraud and Abuse Act, resolving a long-standing circuit split. By rejecting a purpose-based interpretation, the Court clarified that the CFAA is an anti-hacking statute, not a tool for prosecuting violations of computer use policies or terms of service. This provides a greater degree of protection for employees, security researchers, and ordinary internet users whose activities might technically violate a use policy but do not involve accessing information they are not authorized to see. The ruling shifts the legal focus from a user's subjective intent or purpose to the objective, technical limits of their authorization.
