Richard Patterson - Flickr

Justices Split Van Buren v. US, Leave Gaps in Cyber Law

It is time for the relationship between tech user agreements and cyber law to be clarified

By guest author Jonathan Hofer
August 25, 2021

Computer and internet laws always seem borked. Many were written at a time when digital technology was less developed and the Computer Fraud and Abuse Act (CFAA) is no exception. This summer, the Supreme Court in Van Buren v. United States offered their interpretation of the controversial cyber law which has drawn ire for being too broad.

The decision has been heralded by many digital privacy activists and legal academics alike, such as law professor Oren Kerr, who once called the CFAA the “the worst law.” But the result of this decision leaves us with less robust protections from potential malicious actors misusing their access to computers and digital networks.   

In Van Buren v. United States, the Court decided in favor of a former police officer who had accessed a law enforcement database to retrieve personal information in exchange for money. While he was still working as a police officer, Nathan Van Buren was reported to the local sheriff’s office by a former friend who alleged Van Buren was trying to shake him down for cash. 

The friend had secretly recorded Van Buren and the recording was passed to the FBI. Investigating “how far Van Buren would go for money”, the FBI arranged for the friend to ask Van Buren if he would look up a license plate for a woman the friend said he met at a strip club, in exchange for $5,000. 

Van Buren accepted and handed over the information of the woman he retrieved from the law enforcement database. Unbeknownst to him, however, the entry and license plate data for the woman was a fake created by the FBI. 

Van Buren was arrested and charged by the Federal Government for violating the CFAA for using the law enforcement database for personal use. After losing an appeal to the Eleventh Circuit, his case made it to the Supreme Court. 

Remaining Remnants of Old Cyber Law

One of the first federal computer laws, CFAA was enacted during the internet’s infancy in the eighties as a way to address hacking. Though its popular usage as a catch-all term to describe any sort of malicious computer activity, “hacking” as a technical term essentially means accessing a computer without authorization. However, what constitutes access to a computer without authorization is still tremendously broad. The CFAA never clarified this issue and simply prohibited access “without authorization or in excess of authorization”. 

When Van Buren made it to the Supreme Court, the arguments there revolved around adjudicating this problem. After all, Van Buren logged into the database with his valid credentials he had been given for his job. But on the other hand, Van Buren was using the database in a manner that was forbidden by his department’s policy. To use a metaphor, is Van Buren breaking into a house if he has been given a key? What if he was only allowed to go into the house for specific reasons? 

After reviewing the arguments the Court decided that Van Buren did not exceed his authorized access when he used the police database for personal use under the CFAA. The Court’s ruling, delivered by Justice Amy Coney Barrett, joined by Breyer, Sotomayor, Kagen, Gorsuch and Kavanaugh, narrowed what counts as “authorized access” and tried to give clarity. 

Reigning In the CFAA

The Supreme Court’s ruling concluded that exceeding “authorized access” means that a person is accessing an area of a computer, for example a file or database, that is off limits to that person. It does not mean that a person exceeded their authorized access when they are abusing their access credentials. The opinion reads, “The statute is concerned with what a person does on a computer; it does not excuse hacking into an electronic personnel file if the hacker could have walked down the hall to pick up a physical copy.”

The opinion of the Court raised an important point: 

“If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.” 

The Court did make some important clarifications. The law was far too broad. Simply violating the terms of use of a database or digital platforms should not be equated with hacking. Take social media for example, Facebook in its terms of service has, for a long time, said that misrepresenting where you live goes against their terms of service. Clearly, misstating where you live on Facebook is not the same as attacking Facebook with a virus.

Therein lies a problem that this opinion leaves largely unaddressed: Shouldn’t platform owners have the right to some recourse for people that exceed the terms of their platform? 

Exceeding the Scope of Consent and Privacy 

In fact, that is an issue that Justice Thomas brought up in his dissenting opinion which was joined by Roberts and Alito. To return to the breaking into a house analogy, criminal law acknowledges the nuance of “breaking and entering”, that is, using force to gain entry into a house and trespassing, which is when you are “using” the property of another person in a manner without their consent. 

Thomas includes another interesting analogy, writing, “A valet, for example, may take possession of a person’s car to park it, but he cannot take it for a joyride.” He continues, “Consider, too, the common understanding of theft. A person who is authorized to possess property for a limited purpose commits theft the moment he ‘exercises unlawful control over’ it, which occurs ‘whenever consent or authority is exceeded.’” 

Van Buren was permitted to use the database, but only for official use. By disregarding this limitation Van Buren should not be entitled to the information stored on the database. Without further legal developments, this decision has created more unknowns, such as, can prohibitions on access must be either, technical or contract-based, or a combination thereof? 

It’s good that the Court said simple violations of terms of use are not a federal crime. However, the status quo is still not satisfying. Van Buren’s department appropriately fired him. But there should be more recourse in the future for this sort of abuse. There should be mechanisms that hold police officers and database managers civilly liable when there are data breaches. Currently, there is already a high threshold for data breach liability, but this is further complicated by qualified immunity and other limitations. 

Though the Court correctly narrowed the CFAA, it is also imperative to computer security and digital privacy that exceeding the scope of consent of a platform’s usage survives in cyber law somewhere and these laws that would address that issue are still lagging behind technological innovation. 

Jonathan Hofer is an Editorial and Research Associate at the Independent Institute.