Breaking News

Case preview: Justices to consider breadth of federal computer fraud statute

Van Buren v. United States gives the Supreme Court its first chance ever to interpret the Computer Fraud and Abuse Act, a federal statute that imposes civil and criminal liability for unauthorized access of computers. The case, which will be argued on Monday, presents a central question about the statute that has deeply divided lower courts: how the statute applies when an individual is authorized to obtain information from a computer for some purposes but not others.

Nathan Van Buren was a police officer in Georgia authorized to search computerized records about license plates for law-enforcement purposes. Falling for a sting conducted by the FBI, he searched those records for private purposes (at the request of an FBI informant who offered to pay him several thousand dollars for the information). The government charged Van Buren in federal district court with two counts of fraud: computer fraud under the CFAA and honest-services wire fraud under another statute. A jury convicted him of both counts. The U.S. Court of Appeals for the 11th Circuit vacated the wire-fraud conviction but upheld the conviction under the CFAA. Van Buren appealed to the Supreme Court last December.

All agree that the case turns on the vague language of the CFAA, which sanctions any person who “exceeds authorized access” on a computer. The statute defines that term as meaning “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Van Buren argues that the statute applies only if the defendant obtains information that he was under no circumstances entitled to obtain. From Van Buren’s perspective, a defendant who obtains information that he had a right to obtain from the computer for certain purposes (like the license-plate records at issue here) should not face federal criminal sanctions solely because the particular way in which he obtained the information was inappropriate (as it was here). Van Buren doubtless faces sanctions for violating the police department’s computer-use rules, but that is a matter for the department, he says, not for a U.S. attorney.

The government argues that Van Buren’s reading of the CFAA eliminates the word “so” from the relevant statutory phrase, which criminalizes obtaining information that the defendant “is not entitled so to obtain or alter.” For the government, the inclusion of “so” in that phrase means it is a crime if, as is the case here, the defendant was not entitled to obtain (or alter) the information in the particular way that the defendant did. A potential problem with that reading as a textual matter is that nothing in the earlier phrases of the statute suggests that “so” is meant to incorporate into the CFAA the kinds of limitations on computer access that are at issue here (and in numerous other prosecutions under the CFAA) – specifically, access limitation that derive from employment contracts, terms-of-use policies or other private agreements.

It is fair to say that the statute was not written with an eye to answering the question before the justices in Van Buren. It seems likely, then, that the practical consequences of the decision will weigh markedly in the court’s analysis. On that point, the biggest problem the government faces is the breadth of prosecutions available under its reading. Van Buren points, for example, to a student who views material on amazon.com during a law-school class, flagrantly violating computer-use restrictions imposed by the professor. The government has no obvious answer for why that is beyond the scope of the statute under its reading, except for the implicit suggestion that prosecutors rarely would bring cases of that sort. Several strong amicus filings in support of Van Buren spell out some of the startling practical implications of the government’s reading. At the same time, it seems clear that the government has a legitimate need for prosecution in many cases that a narrow reading of the CFAA would not reach.

Unless the justices discern a clarity in the statute that seems to have eluded most observers, they well may find the broad prosecutorial reach of the government’s reading too much to tolerate, expecting that Congress easily would amend the CFAA to reach more precisely to cases of demonstrable prosecutorial urgency. We should know much more about that by the end of the argument on Monday.

Recommended Citation: Ronald Mann, Case preview: Justices to consider breadth of federal computer fraud statute, SCOTUSblog (Nov. 29, 2020, 12:52 PM), https://www.scotusblog.com/2020/11/case-preview-justices-to-consider-breadth-of-federal-computer-fraud-statute/