The United States Supreme Court has adopted a narrow interpretation of the scope of liability under the Computer Fraud and Abuse Act

On June 3, 2021, the US Supreme Court in Van Buren v. United States overturned the decision of the US Court of Appeals for the Eleventh Circuit convicting Nathan Van Buren, a former Georgia police officer who allegedly violated the Computer Fraud and Abuse Act of 1986 (“CFAA”) by accessing a law enforcement database for non-law-enforcement purposes, against his department’s guidelines. Van Buren, the target of an FBI sting operation, had accessed the database to look up license plate information in exchange for money. The court resolved a split among the circuits regarding the scope of liability under the CFAA.

The question before the court was whether Van Buren’s actions – accessing a computer with authorization (using valid credentials to log into the database) but for an unauthorized purpose – violated the CFAA’s “exceeds authorized access” clause, which the statute defines as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Specifically, the dispute was about whether Van Buren was entitled to obtain the license plate information in question.

In an opinion emphasizing the interpretation of the text and the meaning of the word “so”, Justice Barrett, writing for the majority, noted that Van Buren’s conduct is not covered by the relevant CFAA provision, which is best read as covering obtaining information from areas of a computer that are not accessible to a person, not obtaining information that is otherwise accessible to the person but with an inappropriate motive. Justice Thomas, writing for the dissent, claimed that by focusing on the word “so”, the majority largely avoids analyzing the word “entitled”, which “forces the conclusion to the contrary”.

Ultimately, the court ruled that a person “exceeds authorized access” when they access a computer with authorization but then obtain information located in a specific area of the computer, such as files or folders, that is off limits to them. The majority noted that adopting the government’s interpretation of the CFAA would attach criminal penalties to “a staggering amount of day-to-day computer activity”, e.g. an employee sending a personal e-mail or reading messages on a work computer for non-business purposes against an employer policy.
