In Van Buren v. United States, the U.S. Supreme Court held that defendant Nathan Van Buren, a Georgia police officer Buren, did not violate the nation’s top computer crime law when he searched a license plate database for non-official purposes.
Former Georgia police sergeant Nathan Van Buren used his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. Van Buren agreed. The requestor – a third party who offered to pay him to search the database – was an undercover FBI informant. Van Buren used his own valid credentials to perform the search. However, his conduct clearly violated a department policy against obtaining database information for non-law-enforcement purposes.
Again, unbeknownst to Van Buren, his actions were part of a FBI sting operation. Van Buren was charged with a felony violation of the Computer Fraud and Abuse Act of 1986 (CFAA), which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U. S. C. §1030(a)(2). A jury convicted Van Buren, and the lower federal District Court sentenced him to 18 months in prison.
Van Buren appealed his conviction to the Eleventh Circuit Court of Appeals, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have. Consistent with Eleventh Circuit precedent, the panel held that Van Buren had violated the CFAA.
Van Buren appealed again, this time to the U.S. Supreme Court.
COURT’S RATIONALE & CONCLUSIONS
“The relevant question, however, is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase. For reasons given elsewhere, he did not.” ~U.S. Supreme Court Justice Barrett, Majority Opinion
“To top it all off,” she wrote, the government’s expansive interpretation of the law “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” Simply checking personal email or reading the news on a work computer would be considered a crime, Barrett added.
“The Government’s interpretation of the “exceeds authorized access” clause would attach criminal penalties to a breathtaking amount of commonplace computer activity. For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA.” ~U.S. Supreme Court Justice Barrett, Majority Opinion
Finally, Justice Barrett reasoned that the Government’s prosecution would also inject arbitrariness into the assessment of criminal liability, because whether conduct like Van Buren’s violated the CFAA would depend on how an employer phrased the policy violated.
With that, the U.S. Supreme Court reversed Van Buren’s criminal conviction.
“When the police officer accessed the database in exchange for a bribe from an acquaintance, he exceeded authorized access under the law . . . Without valid law enforcement purposes, he was forbidden to use the computer to obtain that information.” ~ U.S. Supreme Court Justice Thomas, Dissenting Opinion.