VAN BUREN v. UNITED STATES
Certiorari To The United States Court Of Appeals For The Eleventh Circuit
No. 19–783. Argued November 30, 2020—Decided June 3, 2021
Former Georgia police sergeant Nathan Van Buren used his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. Although Van Buren used his own, valid credentials to perform the search, his conduct violated a department policy against obtaining database information for non-law-enforcement purposes. Unbeknownst to Van Buren, his actions were part of a Federal Bureau of Investigation sting operation. Van Buren was charged with a felony violation of the Computer Fraud and Abuse Act of 1986 (CFAA), which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U. S. C. §1030(a)(2). The term “exceeds authorized access” is defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6). A jury convicted Van Buren, and the District Court sentenced him to 18 months in prison. Van Buren appealed to the Eleventh Circuit, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have. Consistent with Eleventh Circuit precedent, the panel held that Van Buren had violated the CFAA.
Held: An individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him. Pp. 5–20.
(a) (1) The parties agree that Van Buren “access[ed] a computer with authorization” and “obtain[ed] . . . information in the computer.” They dispute whether Van Buren was “entitled so to obtain” that information. Van Buren contends that the word “so” serves as a term of reference and that the disputed phrase thus asks whether one has the right, in “the same manner as has been stated,” to obtain the relevant information. Black’s Law Dictionary 1246. He also notes that the only manner of obtaining information already stated in the definitional provision is by a computer one is authorized to access. Thus, he continues, the phrase “is not entitled so to obtain” plainly refers to information one is not allowed to obtain by using a computer that he is authorized to access. The Government argues that “so” sweeps more broadly, reading the phrase “is not entitled so to obtain” to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. And the manner or circumstances in which one has a right to obtain information, the Government says, are defined by any “specifically and explicitly” communicated limits on one’s right to access information. Van Buren’s account of “so” best aligns with the term’s plain meaning as a term of reference, as further reflected by other federal statutes that use “so” the same way. Pp. 5–8.
(2) The Government contends that Van Buren’s reading renders the word “so” superfluous. “So” makes a valuable contribution, the Government insists, only if it incorporates all of the circumstances that might qualify a person’s right to obtain information. The Court disagrees because without “so,” the statute could be read to incorporate all kinds of limitations on one’s entitlement to information. Pp. 8–9.
(3) The dissent accepts Van Buren’s definition of “so,” but would arrive at the Government’s result by way of the word “entitled.” According to the dissent, the term “entitled” demands a “circumstance dependent” analysis of whether access was proper. But the word “entitled” is modified by the phrase “so to obtain.” That phrase in turn directs the reader to consider a specific limitation on the accesser’s entitlement: his entitlement to obtain the information “in the manner previously stated.” And as already explained, the manner previously stated is using a computer one is authorized to access. To arrive at its interpretation, the dissent must write the word “so” out of the statute. Pp. 9–10.
(4) The Government contends that in “common parlance,” the phrase “exceeds authorized access” would be understood to mean that Van Buren “exceed[ed] his authorized access” to the law enforcement database when he obtained license-plate information for personal purposes. The relevant question, however, is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase. For reasons given elsewhere, he did not. Nor is it contrary to the meaning of the defined term to equate “exceed[ing] authorized access” with the act of entering a part of the system to which a computer user lacks access privileges. Pp. 11–12.
(b) The statute’s structure further cuts against the Government’s position. Subsection (a)(2) specifies two distinct ways of obtaining information unlawfully—first, when an individual “accesses a computer without authorization,” §1030(a)(2), and second, when an individual “exceeds authorized access” by accessing a computer “with authorization” and then obtaining information he is “not entitled so to obtain,” §§1030(a)(2), (e)(6). Van Buren contends that the “without authorization” clause protects computers themselves from outside hackers, while the “exceeds authorized access” clause provides complementary protection for certain information within computers by targeting so-called inside hackers. Under Van Buren’s reading, liability under both clauses stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system. This treats the clauses consistently and aligns with the computer-context understanding of access as entry. By contrast, the Government proposes to read the first phrase “without authorization” as a gates-up-or-down inquiry and the second phrase “exceeds authorized access” as dependent on the circumstances—a reading inconsistent with subsection (a)(2)’s design and structure. The Government’s reading leaves unanswered why the statute would prohibit accessing computer information, but not the computer itself, for an improper purpose.
Another structural problem for the Government: §1030(a)(2) also gives rise to civil liability, §1030(g), with the statute defining “damage” and “loss” to specify what a plaintiff in a civil suit can recover. §§1030(e)(8), (11). Both terms focus on technological harms to computer data or systems. Such provisions make sense in a scheme aimed at avoiding the ordinary consequences of hacking but are ill fitted to remediating “misuse” of sensitive information that employees permissibly access using their computers. Pp. 12–16.
(c) The Government’s claims that precedent and statutory history support its interpretation are easily dispatched. This Court’s decision in Musacchio v. United States, 577 U. S. 237, did not address the issue here, and the Court is not bound to follow any dicta in the case. As for statutory history, the Government claims that the original 1984 Act’s precursor to the “exceeds authorized access” language—which covered any person who, “having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend”—supports its reading. But that Congress removed any reference to “purpose” in the CFAA cuts against reading the statute to cover purpose-based limitations. Pp. 16–17.
(d) The Government’s interpretation of the “exceeds authorized access” clause would attach criminal penalties to a breathtaking amount of commonplace computer activity. For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA. The Government speculates that other provisions might limit its prosecutorial power, but its charging practice and policy indicate otherwise. The Government’s approach would also inject arbitrariness into the assessment of criminal liability, because whether conduct like Van Buren’s violated the CFAA would depend on how an employer phrased the policy violated (as a “use” restriction or an “access” restriction). Pp. 17–20.
940 F. 3d 1192, reversed and remanded.
Barrett, J., delivered the opinion of the Court, in which Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh, JJ., joined. Thomas, J., filed a dissenting opinion, in which Roberts, C. J., and Alito, J., joined.