In Van Buren v. United States, the U.S. Supreme Court held that defendant Nathan Van Buren, a Georgia police officer Buren, did not violate the nation’s top computer crime law when he searched a license plate database for non-official purposes.
Former Georgia police sergeant Nathan Van Buren used his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. Van Buren agreed. The requestor – a third party who offered to pay him to search the database – was an undercover FBI informant. Van Buren used his own valid credentials to perform the search. However, his conduct clearly violated a department policy against obtaining database information for non-law-enforcement purposes.
Again, unbeknownst to Van Buren, his actions were part of a FBI sting operation. Van Buren was charged with a felony violation of the Computer Fraud and Abuse Act of 1986 (CFAA), which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U. S. C. §1030(a)(2). A jury convicted Van Buren, and the lower federal District Court sentenced him to 18 months in prison.
Van Buren appealed his conviction to the Eleventh Circuit Court of Appeals, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have. Consistent with Eleventh Circuit precedent, the panel held that Van Buren had violated the CFAA.
Van Buren appealed again, this time to the U.S. Supreme Court.
COURT’S RATIONALE & CONCLUSIONS
In a 6-3 majority opinion penned by Justice Amy Coney Barrett, the Court held that Van Buren’s conduct did not violate the CFAA when he searched a license plate database for non-official purposes.
Justice Barrett wrote that Van Buren’s conduct “plainly flouted” his department’s policy, which authorized him to obtain database information only for law enforcement purposes.
“The parties agree that Van Buren accessed a computer with authorization and obtained information in the computer,” wrote Justice Barrett. “They dispute whether Van Buren was entitled so to obtain that information.”
Regarding that specific issue, Justice Barrett reasoned the provision of the law at issue does not cover those who have improper motives for obtaining information that is otherwise available to them. And regarding the issue of whether Van Buren violated the CFAA – the truly important legal issue of the case – Justice Barrett wrote “he did not.”
“The relevant question, however, is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase. For reasons given elsewhere, he did not.” ~U.S. Supreme Court Justice Barrett, Majority Opinion
“To top it all off,” she wrote, the government’s expansive interpretation of the law “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” Simply checking personal email or reading the news on a work computer would be considered a crime, Barrett added.
“The Government’s interpretation of the “exceeds authorized access” clause would attach criminal penalties to a breathtaking amount of commonplace computer activity. For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA.” ~U.S. Supreme Court Justice Barrett, Majority Opinion
Finally, Justice Barrett reasoned that the Government’s prosecution would also inject arbitrariness into the assessment of criminal liability, because whether conduct like Van Buren’s violated the CFAA would depend on how an employer phrased the policy violated.
With that, the U.S. Supreme Court reversed Van Buren’s criminal conviction.
In his dissent, Justice Thomas compared Van Buren’s actions to a valet charged with parking a car, writing that the law should have covered the police officers’ actions. The valet, Thomas wrote, may “take possession of a person’s car to park it, but he cannot take it for a joyride,” Thomas wrote. He noted that Van Buren had permission to retrieve license plate information, but only for “law enforcement purposes.”
“When the police officer accessed the database in exchange for a bribe from an acquaintance, he exceeded authorized access under the law . . . Without valid law enforcement purposes, he was forbidden to use the computer to obtain that information.” ~ U.S. Supreme Court Justice Thomas, Dissenting Opinion.
In another example, Thomas said that an employee may be entitled to pull the alarm in the event of a fire, “but he is not entitled to pull it for some other purpose, such as to delay a meeting for which he is unprepared.”
Please contact my office
if you, a friend or family member are charged with a crime. Hiring an effective and competent defense attorney is the first and best step toward justice.