Supreme Court Limits Broad Reading of Computer Fraud and Abuse Act

During Nathan Van Buren’s time as a police sergeant, he made a deal with a man, Albo. In exchange for $5,000, Van Buren would use the law enforcement computer database to search for a license plate number given to him by Albo. The FBI charged Van Buren with felony violations of the Computer Fraud and Abuse Act (CFAA) on the ground that running the license plate number for Albo violated the ‘exceeds authorized access’ clause of the CFAA. The CFAA is a cybersecurity bill that is an amendment to an existing computer fraud law that had been included in the Comprehensive Crime Control Act. The law prohibits accessing a computer without authorization, or in excess of authorized access. Van Buren’s conduct plainly flouted his department’s policy and training, which authorized him to obtain database information only for law enforcement purposes.


Van Buren appealed the computer fraud conviction, arguing that ‘exceeds authorized access’ applies only to those who obtain information to which their computer does not extend, not to those who misuse the access that they otherwise have. The Supreme Court granted certiorari “to resolve a split in authority among the Courts of Appeals regarding the scope of liability under the CFAA’s ‘exceeds authorized access’ clause.”


Justice Barrett delivered the opinion of the court, holding that Nathan Van Buren did not violate the ‘exceeds authorized access’ clause. The court said, “The provision covers those who obtain information from particular areas in the computer- such as files, folders, or databases- to which their computer does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.” Exceeds authorized access means ‘to access a computer with authorization and to use such access to obtain… information in the computer that the accessor is not entitled so to obtain.’


The Supreme Court held that because the information Van Buren accessed was ready and available to him on his computer, he did not ‘exceed authorized access’ to any areas of his computer, even though he obtained the information from the database for an improper purpose. Van Buren obtained information that his access to his computer extended, and therefore did not violate the law. This was even if his access violated a police policy.


Barrett’s opinion also focused on the statute’s scope, noting that the government’s previous broad interpretation would criminalize a “breathtaking amount of commonplace computer activity,” including mundane activities such as using a work computer for personal purposes. This decision significantly narrowed the scope of the CFAA due to the circumscribed interpretation of the statute and will greatly impact future related cases.

Read the case here

Another link to the case