The Supreme Court of the United States has a juicy slate of opinions coming out this June. Some of cases have received significant local and national coverage, covering topics like healthcare, voting rights, and religious liberties. Others, such as the rulings released today, may receive far less coverage – but that doesn’t make them any less important.
Case in point: Van Buren v. United States was released on June 3, 2021. In a 6-3 ruling, the Court overturned a conviction while also limiting the way a federal computer fraud law can be prosecuted. We want to talk a bit about what that limitation will do, and why this case presented some unexpected challenges.
A short summary of the case
In 2015, a Georgia police sergeant named Nathan Van Buren ran a license plate through the Georgia Crime Information Center (GCIC) in exchange for a payment of $6,000 from a man named Andrew Albo. As it turned out, Albo was part of an FBI sting operation, and the FBI arrested Van Buren for fraud. He was sentenced to prison for 18 months.
Van Buren appealed the decision, but the U.S. Court of Appeals for the Eleventh Circuit upheld the original decision. In the June 3rd ruling, SCOTUS reversed and remanded the decision back to the courts.
Why was Van Buren charged with fraud?
The federal government charged Van Buren of violating Section 1030 the Computer Fraud and Abuse Act (CFAA), claiming that his running the licensed plate through the law enforcement database intentionally “exceed[ed] authorized access” for the purpose of obtaining protected information.
In other words, because he accessed the database for a payday (as opposed to for reasons related to his job duties), Van Buren committed an act of felony computer fraud.
What was Van Buren’s defense?
Van Buren admitted that he ran the plate, but the defense argued that accessing the database did not violate the CFAA. In his appeal to the Eleventh Circuit, his attorneys argued “that the ‘exceeds authorized access’ clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have.” They argued that because Van Buren could access the information on the database, and because he did so using his own credentials, that he did not exceed his authorized use. After all, he was authorized to use that database.
In other words, misusing the database was not a crime, and because Van Buren was allowed to access the database as part of his job, he could do so legally.
SCOTUS’ ruling hinged on the wording of the Act itself
The opinion, issued by the newest Justice Amy Coney Barrett, is an exercise in language, as SCOTUS rulings so often are: what is implied, vs. what is written. This case was no different. The ruling hinged on whether Van Buren was “entitled so to obtain” those records, “because without ‘so,’ the statute could be read to incorporate all kinds of limitations on one’s entitlement to information.”
You can read the full opinion here, but in essence, the Court ruled that Van Buren’s bad judgment was not an act of fraud based on the way the CFAA is written:
The relevant question, however, is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase….
He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.
But wasn’t Van Buren wrong for misusing his access to the database?
Yes, he was. He violated his employer’s policy about using the law enforcement database for non-law enforcement reasons. What he did not do was commit an act of fraud, per the Supreme Court. This is why they reversed the ruling and remanded back the lower Court – in this case, back to the Eleventh Circuit, and likely back to the very same judge who heard it the first time.
Why is this ruling on Van Buren so important?
If the federal government’s definition of what constitutes “exceeding authorized use” was held, then you could technically be charged with fraud any time you printed out an article to give to someone else to read, share your password for an account, or used your work computer to check your social media. This was, after all, the law the government used to prosecute Aaron Swartz for “downloading 4.8 million documents from the academic archive JSTOR, in violation of its terms of use, and of evading MIT’s efforts to stop him from doing so.”
Per Justice Coney Barrett’s opinion:
The Government speculates that other provisions might limit its prosecutorial power, but its charging practice and policy indicate otherwise. The Government’s approach would also inject arbitrariness into the assessment of criminal liability, because whether conduct like Van Buren’s violated the CFAA would depend on how an employer phrased the policy violated (as a “use” restriction or an “access” restriction).
The ruling limits the way that the federal government can use this law to prosecute potential fraud claims. This is important, because it is the primary tool the government has for prosecuting hackers – but the law was written before the Internet as we know it even existed, in 1984. In the last 37 years, the law has been repeatedly amended, allowing for prosecutorial overreach and vague and contradictory interpretations. Now, as written, it could conceivably “protect” anything that is shared on the internet by any computer user.
The Van Buren ruling may not have received as much coverage as other Supreme Court cases, but it is an incredibly important ruling, as it could affect our collective access to data for the rest of the foreseeable future. If you have been charged with computer fraud, or are facing federal criminal charges of any kind, contact Carey Law Office for help. Please call 301.464.2500 or fill out our contact form. We maintain offices in Bowie, Crofton, and Owings for your convenience.
My name is Joe Carey, and I am the founder and principal attorney of the Carey Law Office. I have lived in Maryland my entire life. I grew up in a small town in Prince George’s County and, with the help of my partner in life, Nancy, I raised my family here: three exceptional children (a son and two daughters), and two goofy, spoiled black Labrador Retrievers. Learn More