Van Buren v. United States | |
---|---|
Argued November 30, 2020; decided June 3, 2021 | |
Full case name | Nathan Van Buren v. United States |
Docket no. | 19-783 |
Citations | 593 U.S. 374; 141 S. Ct. 1648; 210 L. Ed. 2d 26 |
Holding | An individual "exceeds authorized access" when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him. |
Majority | Barrett, joined by Breyer, Sotomayor, Kagan, Gorsuch, Kavanaugh |
Dissent | Thomas, joined by Roberts, Alito |
Laws applied | Computer Fraud and Abuse Act |
Van Buren v. United States, 593 U.S. 374 (2021), was a United States Supreme Court case dealing with the Computer Fraud and Abuse Act (CFAA) and its definition of "exceeds authorized access" in relation to one intentionally accessing a computer system they have authorization to access. In June 2021, the Supreme Court ruled in a 6–3 opinion that one "exceeds authorized access" by accessing off-limit files and other information on a computer system they were otherwise authorized to access. The CFAA's language had long created a 4–3 circuit split in case law that led to the failed introduction of Aaron's Law, and this decision narrowed the applicability of CFAA in prosecuting cybersecurity and computer crime.
The Computer Fraud and Abuse Act (CFAA) is a federal law passed in 1986 to strengthen laws around unauthorized access to computer systems. The law was passed partially based on fears from Congress members who saw the 1983 film WarGames. [1] Among its core statutes is that intentionally accessing a computer system "without authorization or exceeds authorized access" to obtain protected information, financial records, or federal government information is considered a federal crime that can include fines and imprisonment as a penalty.
The exact definition of "exceeds authorized access" is not clear and created a 4–3 circuit split of cases at the Circuit Courts. [2] In the First, Fifth, Seventh, and Eleventh Circuits, the courts upheld a broad view of the statement, that accessing a computer with authorization but for an improper purpose is a violation of the CFAA. The Second, Fourth, and Ninth Circuits took a more narrow view that a violation only occurs if the authorized user accesses information they were prohibited from accessing. [2]
Because of the case law split, there has been debate among cybersecurity researchers, law enforcement, and others over whether the language should be treated narrowly or broadly. For cybersecurity practitioners, a narrow interpretation of the "exceeds authorized access" language in §1030(a)(2) would allow them to better conduct work identifying and resolving security problems with computer hardware and software so as to make the Internet safer. The vagueness of the statute otherwise puts these job functions at risk. Law enforcement and the U.S. government in general prefer a broader interpretation, as this allows them to prosecute under the CFAA those who use hacking to bring down or take advantage of insecure systems. [3] There are additional concerns that the language of the CFAA, if broadly interpreted, could apply to commonly accepted activities at businesses or elsewhere, such as using office computers for browsing the web. Jeffrey L. Fisher, a law professor at Stanford University who represents the petitioner in the present case, states that the law's language is outdated with modern computer usage, and its broad interpretation "[makes] a crime out of ordinary breaches of computer restrictions and terms of service that people likely don’t even know about and if they did would have no reason to think would be a federal crime." [3]
Police officer Nathan Van Buren, from Cumming, Georgia, was in need of money and asked a man, Andrew Albo, for help. Albo was known to have connections to prostitution in the town and had prior conflicts with the police. Albo reported this request to the local sheriff's office, which passed it to the Federal Bureau of Investigation (FBI). The FBI set up a sting operation and instructed Albo to offer Van Buren US$6,000 and, in exchange, to request that Van Buren look up a license plate on the Georgia Crime Information Center (GCIC), which he had authorized access to, to see if its registered owner, a stripper, was an undercover officer. Van Buren complied with the request, which led the FBI to arrest him for felony computer fraud under the CFAA §1030(a)(2). Van Buren was found guilty in a jury trial and sentenced to 18 months in prison by the United States District Court for the Northern District of Georgia. [2]
Van Buren appealed the conviction to the United States Court of Appeals for the Eleventh Circuit, asserting that accessing the GCIC that he had authorized access to but for an improper purpose was not a violation of the "exceeds authorized access" clause of the CFAA. While the Circuit judges had some sympathy for this argument, they chose to rule on precedent from a prior Eleventh Circuit case, United States v. Rodriguez (2010), [4] to uphold Van Buren's conviction. [5] [2]
Van Buren petitioned to the Supreme Court, which granted certiorari in April 2020. [3] The case was argued on November 30, 2020, via telephone due to the COVID-19 pandemic. [6]
The Court issued its decision on June 3, 2021. In a 6–3 decision, the Court reversed and remanded the lower court ruling. The majority opinion was written by Justice Amy Coney Barrett, joined by Justices Stephen Breyer, Sonia Sotomayor, Elena Kagan, Neil Gorsuch, and Brett Kavanaugh. Barrett ruled that under the CFAA, a person violates the "exceeds authorized access" language when they access files or other information that is off-limits to them on a computer system that they otherwise have authorized access to. The majority opinion distinguished this from Van Buren's case, in that the information he obtained was within the limits of what he could access with his authorization but was obtained for improper reasons, and thus he could not be charged under the CFAA for this crime. [7] In the opinion, Barrett agreed with critics of the law that if the Court had taken the government's stance that "the 'exceeds authorized access' clause criminalizes every violation of a computer-use policy", "then millions of otherwise law-abiding citizens are criminals." [8]
Justice Clarence Thomas wrote the dissenting opinion, joined by Chief Justice John Roberts and Justice Samuel Alito. Thomas wrote that many parts of federal law address situations where a person may be given temporary access to property but still faces limits on what they may do with that access, such as a valet parking a car, and that the majority had taken a contrived position. Thomas wrote, "It is understandable to be uncomfortable with so much conduct being criminalized, but that discomfort does not give us authority to alter statutes." [8]
This case is notable for being the first in which Justice Stephen Breyer assigned the majority opinion. Because the Chief Justice and Justice Thomas both dissented, Breyer, who is the second-most senior Associate Justice, was the most senior justice in the majority and so assigned the opinion. Breyer chose to assign this opinion to Justice Barrett, who was the newest justice at the time. [9]
The Electronic Frontier Foundation, which had filed an amicus brief in the case stating that "the CFAA has hindered [the] work [of 'security researchers']" and opined that "the government’s broad interpretation of the CFAA" meant that "standard security research practices ... can be highly risky", [10] called the ruling "a victory for all Internet users" and "especially good news for security researchers". [11]
The following week, on the basis of Van Buren, the Supreme Court vacated by order the Ninth Circuit's decision in hiQ Labs v. LinkedIn (2019), in which hiQ had won the ability to web scrape data from LinkedIn, which is owned by Microsoft. The Ninth Circuit had relied on the interpretation of the CFAA that, as LinkedIn's data was publicly available, Microsoft could not stop hiQ from collecting it even at a massive scale beyond the capabilities of a human. The Supreme Court vacated the ruling and instructed the Ninth Circuit to review the case under the Van Buren decision, which could incorporate web scraping as an improper act under the CFAA within the Supreme Court's ruling. [12]
Stephen Gerald Breyer is an American lawyer and jurist who served as an associate justice of the U.S. Supreme Court from 1994 until his retirement in 2022. He was nominated by President Bill Clinton, and replaced retiring justice Harry Blackmun. Breyer was generally associated with the liberal wing of the Court. He is now the Byrne Professor of Administrative Law and Process at Harvard Law School.
The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.
Plaut v. Spendthrift Farm, Inc., 514 U.S. 211 (1995), was a landmark case about separation of powers in which the Supreme Court of the United States held that Congress may not retroactively require federal courts to reopen final judgments. Writing for the Court, Justice Scalia asserted that such action amounted to an unauthorized encroachment by Congress upon the powers of the judiciary and therefore violated the constitutional principle of separation of powers.
Arlington Central School District Board of Education v. Murphy, 548 U.S. 291 (2006), was a United States Supreme Court case about experts' fees in cases commenced under the Individuals with Disabilities Education Act (IDEA). Justice Samuel Alito, writing for the majority, ruled that IDEA does not authorize the payment of the experts' fees of the prevailing parents. Justice Ruth Bader Ginsburg concurred in part, and in the judgment. Justices David Souter and Stephen Breyer filed dissents.
United States v. Drew, 259 F.R.D. 449, was an American federal criminal case in which the U.S. government charged Lori Drew with violations of the Computer Fraud and Abuse Act (CFAA) over her alleged cyberbullying of her 13-year-old neighbor, Megan Meier, who had died of suicide. The jury deadlocked on a felony conspiracy count and acquitted Drew of three felony CFAA violations, but found her guilty of lesser included misdemeanor violations; the judge overturned these convictions in response to a subsequent motion for acquittal by Drew.
LVRC Holdings v. Brekka, 581 F.3d 1127, 1135, is a Ninth Circuit Court of Appeals decision that deals with the scope of the concept of "authorization" in the Computer Fraud and Abuse Act. The major finding of this case is that even if an employee accesses a computer for an improper purpose, such as one that violates the duty of loyalty to their employer, the employee remains authorized to access the computer until the employer revokes the employee's access. The findings of this case were upheld by another Ninth Circuit decision in United States v. Nosal, 676 F.3d 854, and are the current law in this circuit.
United States v. Alfonso D. Lopez, Jr., 514 U.S. 549 (1995), was a landmark case of the United States Supreme Court that struck down the Gun-Free School Zones Act of 1990 (GFSZA) as it was outside of Congress's power to regulate interstate commerce. It was the first case since 1937 in which the Court held that Congress had exceeded its power under the Commerce Clause.
United States v. Nosal, 676 F.3d 854 was a United States Court of Appeals for the Ninth Circuit decision dealing with the scope of criminal prosecutions of former employees under the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit's first ruling established that employees have not "exceeded authorization" for the purposes of the CFAA if they access a computer in a manner that violates the company's computer use policies—if they are authorized to access the computer and do not circumvent any protection mechanisms.
In United States v. John, 597 F.3d 263 (2010), the United States Court of Appeals for the Fifth Circuit interpreted the term "exceeds authorized access" in the Computer Fraud and Abuse Act, 18 U.S.C. §1030(e)(6), and concluded that access to a computer may be exceeded if the purposes for which access has been given are exceeded.
In International Airport Centers, L.L.C. v. Citrin, the Seventh Circuit Court of Appeals evaluated the dismissal of the plaintiffs' lawsuit for failure to state a claim based upon the interpretation of the word "transmission" in the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Jacob Citrin had been employed by IAC, who had lent him a laptop for use while under their employment. Upon leaving IAC, he deleted the data on the laptop before returning it to IAC. The Court of Appeals decided to reverse the decision and reinstated IAC's lawsuit.
Lee v. PMSI, Inc., No. 10-2094, was a case in the United States District Court for the Middle District of Florida about whether the Computer Fraud and Abuse Act (CFAA) makes it illegal for an employee to violate an employer's acceptable use policy. The court ruled that violating an employer's policy did not "exceed authorization" as defined by the CFAA and was not illegal under the act.
United States v. Vampire Nation, 451 F.3d 189, is a 2006 decision of the United States Court of Appeals for the Third Circuit regarding the Federal Sentencing Guidelines and asset forfeiture. A three-judge panel unanimously affirmed the conviction and sentence of Frederick Banks, a Pittsburgh man, on numerous felony charges resulting from fraudulent schemes carried out over the Internet. The case takes its title, which has been singled out as memorable and included among lists of amusingly titled cases, from one of Banks' aliases, an electronic music group of which he was the sole regular member. He had filed the appeal under that name while representing himself.
Pulte Homes, Inc. v. Laborers' International Union of North America, 648 F.3d 295, is a Sixth Circuit Court of Appeals case that reinstated a Computer Fraud and Abuse Act ("CFAA") claim brought by an employer against a labor union for "bombarding" the company's phone and computer systems with emails and voicemail, making it impossible for the company to communicate with customers. It held that causing a transmission that diminishes a plaintiff's ability to use its systems and data constitutes "causing damage" in violation of the CFAA.
Minnesota Voters Alliance v. Mansky, 585 U.S. ___ (2018), was a landmark decision of the US Supreme Court concerning the constitutionality of governmental speech restrictions in a polling place venue. The case challenged a century-old Minnesota law that prevents voters from wearing clothing or items considered political while voting. While the Supreme Court previously affirmed that political campaigning near polling places may be restricted, the Minnesota law was challenged on being overbroad and violation of free speech rights under the First Amendment. The case's decision was issued on June 14, 2018, with the Court finding 7–2 that the Minnesota law was overbroad of what could be considered "political" speech, violating free speech rights and deemed unconstitutional.
United States v. Kane, No 11-mj-00001, is a court case where a software bug in a video poker machine was exploited to win several hundred thousand dollars. Central to the case was whether a video poker machine constituted a protected computer and whether the exploitation of a software bug constituted exceeding authorized access under Title 18 U.S.C. § 1030(a)(4) of the Computer Fraud and Abuse Act (CFAA). Ultimately, the Court ruled that the government’s argument failed to sufficiently meet the “exceeding authorized access” requirement of Title 18 U.S.C. § 1030(a)(4) and granted the Defendants’ Motions to Dismiss.
hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, was a United States Ninth Circuit case about web scraping. hiQ is a small data analytics company that used automated bots to scrape information from public LinkedIn profiles. LinkedIn used legal means to prevent this. hiQ Labs brought a case against LinkedIn in a district court, seeking an injunction against these means, which was granted. LinkedIn appealed. The 9th Circuit affirmed the district court's preliminary injunction, preventing LinkedIn from denying the plaintiff, hiQ Labs, from accessing LinkedIn's publicly available LinkedIn member profiles. However, after further appeal in another court, hiQ was found to be in breach of LinkedIn's terms, and there was a settlement.
Pasquantino v. United States, 544 U.S. 349 (2005), is a United States Supreme Court case in which the Court held that a plot to defraud a foreign government of tax revenue violates the federal wire fraud statute.
Americans for Prosperity Foundation v. Bonta, 141 S.Ct. 2373 (2021), is a United States Supreme Court case dealing with the disclosure of donors to non-profit organizations. The case challenged California's requirement that non-profit organizations disclose the identity of their donors to the state's Attorney General as a precondition of soliciting donations in the state. The case was consolidated with Thomas More Law Center v. Bonta. In July 2021, the Supreme Court ruled in a 6–3 decision that California's requirement burdened the donors' First Amendment rights, was not narrowly tailored, and was constitutionally invalid.
TransUnion LLC v. Ramirez, 594 U.S. ___ (2021), was a United States Court case dealing with standing under Article III of the Constitution related to class-action suits against private defendants. In a 5–4 decision, the Court ruled that only those that can show concrete harm have standing to seek damages against private defendants.
Garland v. Gonzalez, 596 U.S. ___ (2022), was a United States Supreme Court case related to immigration detention.