VAN BUREN v. UNITED STATES Supreme Court of the United States No. 19-763, Decided June 3, 2021 Officer Found Not Guilty of Violating Federal Anti-Hacking Act
In the 21st century, data privacy and its use are of heightened concern, corresponding with the rapid expansion and development of data-using technologies. In the case of Van Buren v. United States, relevant legislation was brought to question in regards to its applicability to modern times.
Former Georgia police sergeant Nathan Van Buren used his patrol-car computer to retrieve information tied to a specific license plate from a law enforcement database, in exchange for money. Van Buren’s actions were discovered during a FBI sting operation. Van Buren’s database access violated department policies which prohibited the gathering of database information for non-law-enforcement purposes; he was terminated. Ultimately, he was federally prosecuted for felony violation of the Computer Fraud and Abuse Act of 1986(CFAA). The CFAA subjects criminal liability to any individual who “intentionally accesses a computer without authorization or exceeds authorized access.” The jury convicted Van Buren and the District Court sentenced him to 18 months in prison.
The language, “exceeds authorized access,” became the focal point in this case. Per the legal definition, the phrase refers to the “access of a computer with authorization to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter”. So the issue was whether Van Buren exceeded his authority to access the database when he conducted his search for an improper purpose.
Van Buren appealed the conviction to the Supreme Court, arguing that the clause in the CFAA applies only to those who do not have sufficient access, not to those who misuse existing access.
This dispute specifically falls under the phrasing, “not entitled so to obtain”. The Government argued Van Buren violated the CFAA because he exceeded his authorization in violating the department computer policy. The Court disagreed, citing criminal implications in commonplace computer activities. For example, were a company to have an acceptable use policy prohibiting the use of business machines for non-work purposes, the Government’s reading of the statute would deem activities like the checking of social media, personal email, and more as a violation of the CFAA because the employee is not “entitled so” to obtain.
Ultimately, the Court sided with Van Buren and found he did not violate CFAA. The Court found the “without authorization” clause protects computers from external threat actors, while the “exceeds authorized access” clause protects information from internal threat actors, or “hackers” within the organization who obtain information from areas where their access does not extend. Because Van Buren had complete authorization to access the database, he did not violate the CFAA, though he had improper intent. In simplest terms, intent does not negate existing authorization, with authorization dictating data “entitlement”.
The Computer Fraud and Abuse Act of 1986 (CFAA) is equivalent to the California Comprehensive Computer Data Access and Fraud Act, Penal Code §502 (c). Had Van Buren the “former” police sergeant been charged in California, it is likely Van Buren would have been charged with attempting to violate Penal Code §13302, which makes it a misdemeanor for an employee of a “local criminal justice agency” to “knowingly furnish record or information obtained from a record to a person who is not authorized by law to receive the record or information.”
With police employees now having multiple layers of oversight, it is important to understand that actions which may have been previously overlooked, (such as viewing celebrity information), may now from the basis of “criminal,” and not merely “administrative,” liability.
Jesse James is an associate attorney practicing in criminal and administrative law for 17 years.[/et_pb_text][/et_pb_column] [/et_pb_row] [/et_pb_section]