This morning, the United States Supreme Court issued its opinion in Van Buren v. United States, defining what activity falls under the “exceeds authorized access” provision of the federal Computer Fraud and Abuse Act (“CFAA”).
The CFAA prohibits two types of activity – unauthorized access (e.g., an outside “hacker” who has no legitimate credentials to access a computer or computer system) and activity that “exceeds authorized access.” The question before the Court concerned the latter section — whether an employee who has legitimate access to a computer or data “exceeds authorized access” for purposes of the CFAA if the employee utilizes that access for improper purposes. In this case, Van Buren was a sheriff’s deputy who had legitimate access to a license plate database. He used that access for an improper, personal purpose – he looked up a license plate for a friend (actually, an undercover FBI officer) in exchange for approximately $5,000. The parties agreed that this improper search violated the department’s computer use policy, but disagreed whether it was conduct covered by the CFAA.
Van Buren argued that “exceeds authorized access” should be interpreted to mean that the employee accessed information or systems from which he was prohibited. For example, an employee would exceed authorized access if his credentials or permissions do not allow him to access the personnel files of other employees, but he manages to access those files. A majority of the Court, in an opinion authored by Justice Barrett, adopted Van Buren’s approach. The Court held that the CFAA does not criminalize activity by employees who have legitimate access to computers or computer systems but use that access for an improper purpose.
The government argued for a broader scope, which would make any violation of policy equivalent to exceeding authorized access. The majority rejected this broad interpretation, in part because the government’s interpretation of the CFAA would criminalize an enormous swathe of common behavior – every time an employee used her work computer to send a personal email or browsed a news site unrelated to her work tasks, that would constitute a felony. The majority reasoned that Congress did not intend to criminalize such behavior.
Justice Thomas wrote a dissent, joined by Chief Justice Roberts and Justice Alito. The dissenting opinion relied primarily on the “ordinary meaning” of “exceeds authorized access”. The majority countered, however, that “exceeds authorized access” was a defined term under the CFAA such that the Court could not default to the “ordinary meaning.”
The CFAA is almost 30 years old and this opinion is welcome guidance on what had previously been a gray area. The opinion can be accessed on the Supreme Court’s website.