SCOTUS Says Former Police Sergeant Did Not Violate CFAA, Snubbing Government’s Reading

“An individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases— that are off-limits to him.” – Majority holding

The United States Supreme Court today ruled that a former police sergeant did not flout Section (a)(2) of the Computer Fraud and Abuse Act (CFAA) because that provision “does not cover those who…have improper motives for obtaining information that is otherwise available to them.” The opinion, authored by Justice Amy Coney Barrett, contradicts the U.S. government’s reading of the statute. Three justices dissented from the majority.

Interpreting the CFAA

As covered previously on IPWatchdog, Van Buren v. United States involves Nathan Van Buren’s appeal from an Eleventh Circuit decision that his acceptance of $5,000 from a friend to access information on a law enforcement database to determine whether someone was an undercover police officer constituted a violation of the CFAA. Van Buren’s actions were in clear violation of his department’s policy, which authorized access only for law enforcement purposes, but he argued that it was not a violation of the CFAA.

The CFAA subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” in obtaining computer information. 18 U. S. C. §1030(a)(2).

It defines the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6).

Six justices held that: “An individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases— that are off-limits to him.”

[[Advertisement]]

The Court’s analysis hinged on the disputed phrase “so to obtain.” Van Buren and the Government both agreed that “’so,’ as used in this statute, serves as a term of reference that recalls ‘the same manner as has been stated’ or ‘the way or manner described.’” However, while Van Buren argued that “is not entitled so to obtain” means that “if a person has access to information stored in a computer— e.g., in ‘Folder Y,’ from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose”, the Government said the word “so” in the statute should be interpreted more broadly to refer to a “manner or circumstance”:

As the Government sees it, an employee might lawfully pull information from Folder Y in the morning for a permissible purpose—say, to prepare for a business meeting—but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purpose—say, to help draft a resume to submit to a competitor employer.

But the Court found Van Buren’s reading more plausible and said that “so” is not a “free-floating” term.

It refers to a stated, identifiable proposition from the “preceding” text; indeed, “so” typically “[r]epresent[s]” a “word or phrase already employed,” thereby avoiding the need for repetition. 15 Oxford English Dictionary, at 887; see Webster’s Third New Inter-national Dictionary 2160 (1986) (so “often used as a substitute . . . to express the idea of a preceding phrase”)…. The phrase “is not entitled so to obtain” is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.

Importantly, the majority explained, the Government’s interpretation of the statute would also impose criminal penalties for “a breathtaking amount of commonplace computer activity.” As an example, an employee who sends a personal email or reads the news on her work computer would be in violation of the CFAA, wrote the Court.

Ultimately, since Van Buren was authorized to access the information he did, he did not “exceed authorized access” and thus the Court reversed the Eleventh Circuit holding.

It’s Plain

The dissent read the CFAA more plainly to hold that it simply extends principles of real property law to computers and information. “The Act prohibits exceeding the scope of consent when using a computer that belongs to another person,” said the dissent, authored by Justice Thomas, who added:

The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have “exceed[ed] authorized access” to the database whenhe used it under circumstances that were expressly forbidden? In my view, the answer is yes.

Justice Thomas explained that the majority’s reading of the statute would mean that it only applies “when a person is ‘not entitled [under any possible circumstance] so to obtain’ information. This interpretation is flawed for a number of reasons.”

The majority’s reading is contrary to a plain reading of the text, at odds with basic principles of property law, and defies the precedent that, “when a definition is susceptible of more than one reading, the one that best matches the plain meaning of the defined term ordinarily controls.”

Share

Warning & Disclaimer: The pages, articles and comments on IPWatchdog.com do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author as of the time of publication and should not be attributed to the author’s employer, clients or the sponsors of IPWatchdog.com.

Join the Discussion

7 comments so far.

  • [Avatar for Anon]
    Anon
    June 7, 2021 11:44 am

    IP counsel,

    While I may agree with some overall view of yours (I am not done digesting this – as I have a backlog of items to cover; and after a first quick read, think that the dissent has the better position), I am not certain that I can go so quickly to any type of Trade Secret violation. Mere “not in the public” should not be confused with Trade Secrets (you only hit the second of the two words, and miss out on the first of the two words).

  • [Avatar for IP counsel]
    IP counsel
    June 5, 2021 03:49 pm

    What in idiotic ruling. Hats off to Van Buren’s counsel. One of the first times that I have ever agreed with Justice Thomas. Our lead “originalist” is interpreting the law based on Congressional intent, rather than the actual words of the statute. Sometimes that actually is the best way to hit the mark, your honor.

    As for our sergeant, he was also violating the defend trade secret act. The information he was accessing and giving away was hardly public, I am quite certain he was operating under a confidentiality agreement with his employer, and I am also certain he had to log into their computer system to access — and steal – the information at issue. Multiple other claims come to mind as well.

  • [Avatar for concerned]
    concerned
    June 4, 2021 02:02 pm

    @4:

    Article from the attorney handling my CAFC appeal:

    https://ipwatchdog.com/2019/11/07/search-inventive-concept-snipe-hunts/id=115653/

    Same difference.

  • [Avatar for TFCFM]
    TFCFM
    June 4, 2021 10:57 am

    Concerned@#2: “Judges says they know an invention when they see one.

    Do you have a quotation / citation for this assertion, or is it a mere allegation?

  • [Avatar for Pro Say]
    Pro Say
    June 4, 2021 09:54 am

    Yup Concerned.

    The Patent Office is trying it’s darnedest to rob you of your well-deserving (and long-overdue) patent.

    Someone — or possibly multiple someones — has their heavy thumb on the scales of justice.

    The claims your excellent attorney has written easy pass 101.

    Easily.

    Keep fighting your good and honorable fight my friend.

    Keep. Fighting.

  • [Avatar for Concerned]
    Concerned
    June 4, 2021 06:19 am

    Hey Pro Say:

    Tell that to the PTAB, which wrote that my claims did meet the ordinary meaning of the 101 words, but not the legal meaning of their (undefined) words.

    Then the PTAB outdid themselves. When challenged that there have never been claims that resolved a problem of my magnitude and be denied a patent, the PTAB simply wrote my claims resolved no such thing, no proof offered and my proof tossed.

    Memo to PTAB: Even the examiner admitted the claims resolved the problem and so implied the PTAB with their statement the claims met the law as wrote by Congress, but not the inserted and undefined definition of fellow jurists.

    Consistent: Judges says they know an invention when they see one. I know BS when I see it.

  • [Avatar for Pro Say]
    Pro Say
    June 3, 2021 06:59 pm

    “The majority’s reading is contrary to a plain reading of the text, at odds with basic principles of property law, and defies the precedent that, ‘when a definition is susceptible of more than one reading, the one that best matches the plain meaning of the defined term ordinarily controls.'”

    Cool! Which means that their Mayo / Alice decisions are in direct conflict with Section 101; to wit:

    “Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.”

    Noting in particular: “invents OR discovers” and “ANY new and useful.”

    Meaning that SCOTUS or Congress will soon be restoring patent eligibility to ALL areas innovation . . . including for DISCOVERIES as well!

    Cool!

    With America soon reclaiming it’s rightful place as the leading innovation nation on Earth.

    Cool!