“An individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him.” – Majority holding
The United States Supreme Court today ruled that a former police sergeant did not flout Section (a)(2) of the Computer Fraud and Abuse Act (CFAA) because that provision “does not cover those who…have improper motives for obtaining information that is otherwise available to them.” The opinion, authored by Justice Amy Coney Barrett, contradicts the U.S. government’s reading of the statute. Three justices dissented from the majority.
Interpreting the CFAA
As covered previously on IPWatchdog, Van Buren v. United States involves Nathan Van Buren’s appeal from an Eleventh Circuit decision that his acceptance of $5,000 from a friend to access information on a law enforcement database to determine whether someone was an undercover police officer constituted a violation of the CFAA. Van Buren’s actions were in clear violation of his department’s policy, which authorized access only for law enforcement purposes, but he argued that it was not a violation of the CFAA.
The CFAA subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” in obtaining computer information. 18 U. S. C. §1030(a)(2).
It defines the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6).
Six justices held that: “An individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him.”
The Court’s analysis hinged on the disputed phrase “so to obtain.” Van Buren and the Government both agreed that “‘so,’ as used in this statute, serves as a term of reference that recalls ‘the same manner as has been stated’ or ‘the way or manner described.’” However, while Van Buren argued that “is not entitled so to obtain” means that “if a person has access to information stored in a computer—e.g., in ‘Folder Y,’ from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose,” the Government said the word “so” in the statute should be interpreted more broadly to refer to a “manner or circumstance”:
As the Government sees it, an employee might lawfully pull information from Folder Y in the morning for a permissible purpose—say, to prepare for a business meeting—but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purpose—say, to help draft a resume to submit to a competitor employer.
But the Court found Van Buren’s reading more plausible and said that “so” is not a “free-floating” term.
It refers to a stated, identifiable proposition from the “preceding” text; indeed, “so” typically “[r]epresent[s]” a “word or phrase already employed,” thereby avoiding the need for repetition. 15 Oxford English Dictionary, at 887; see Webster’s Third New International Dictionary 2160 (1986) (so “often used as a substitute . . . to express the idea of a preceding phrase”)…. The phrase “is not entitled so to obtain” is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.
Importantly, the majority explained, the Government’s interpretation of the statute would also impose criminal penalties for “a breathtaking amount of commonplace computer activity.” As an example, an employee who sends a personal email or reads the news on her work computer would be in violation of the CFAA, wrote the Court.
Ultimately, since Van Buren was authorized to access the information he did, he did not “exceed authorized access” and thus the Court reversed the Eleventh Circuit holding.
The dissent read the CFAA more plainly to hold that it simply extends principles of real property law to computers and information. “The Act prohibits exceeding the scope of consent when using a computer that belongs to another person,” said the dissent, authored by Justice Thomas, who added:
The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have “exceed[ed] authorized access” to the database when he used it under circumstances that were expressly forbidden? In my view, the answer is yes.
Justice Thomas explained that the majority’s reading of the statute would mean that it only applies “when a person is ‘not entitled [under any possible circumstance] so to obtain’ information. This interpretation is flawed for a number of reasons.”
The majority’s reading is contrary to a plain reading of the text, at odds with basic principles of property law, and defies the precedent that, “when a definition is susceptible of more than one reading, the one that best matches the plain meaning of the defined term ordinarily controls.”