Van Buren v. United States
593 U.S. 374
| SCOTUS | 2021
Background:
- Nathan Van Buren, a Georgia police sergeant, used his patrol-car computer and valid credentials to run a license-plate search in exchange for money as part of an FBI sting.
- His department policy authorized database queries only for law-enforcement purposes; Van Buren knew his search violated that policy.
- Federal prosecutors charged Van Buren under the CFAA, 18 U.S.C. §1030(a)(2), claiming he "exceeded authorized access." A jury convicted and the Eleventh Circuit affirmed.
- Circuits were split on whether the CFAA’s "exceeds authorized access" covers misuse of otherwise permitted access (violating purpose/use restrictions) or only access to computer areas off-limits to the user.
- The Supreme Court granted certiorari to resolve that split and reversed: the CFAA’s "exceeds authorized access" reaches access to particular areas (files/folders/databases) that are off-limits, not mere misuse of access for an improper purpose.
Issues:
| Issue | Petitioner's Argument (Van Buren) | Respondent's Argument (Government) | Held |
|---|---|---|---|
| Scope of "exceeds authorized access" under §1030(e)(6) | Van Buren: applies only when a user accesses parts of a computer (files/folders/databases) to which he lacks access privileges. | Government: covers using otherwise authorized access for impermissible purposes (violating employer policy/terms). | Court: Narrow reading — it covers access to off-limits areas of a computer, not purpose-based misuse of otherwise accessible information. |
| Meaning of the word "so" in "entitled so to obtain" | Van Buren: "so" is a term of reference to the manner previously stated — i.e., obtaining via a computer one is authorized to access. | Government: "so" incorporates the particular circumstances/manner, including any communicated limits (purpose/time/manner). | Court: "So" refers back to the manner stated in the definition (accessing via an authorized computer), limiting "entitled" to entitlement to obtain via that access. |
| Statutory structure and interplay with "accesses a computer without authorization" | Van Buren: both clauses should be read consistently as gates-up-or-down inquiries (outside vs inside access to areas). | Government: first clause is gates-up-or-down; second clause can be circumstance/purpose-dependent. | Court: Structure favors Van Buren’s consistent gates-up-or-down approach; reading the clauses differently would create incoherence and odd gaps. |
| Policy/overbreadth concerns (practical consequences) | Van Buren: Government’s reading would criminalize routine acts (personal email, ToS breaches, benign workplace misuse). | Government: other statutory terms, mens rea, and charging policies will cabin prosecutions. | Court: Policy arguments reinforce the narrow interpretation — the Government’s reading risks vast and arbitrary criminal exposure. |
Key Cases Cited
- Musacchio v. United States, 577 U.S. 237 (2016) (prior paraphrase of §1030(a)(2) was dicta and not dispositive)
- Ross v. Blake, 578 U.S. 632 (2016) (presumption that Congress intends amendments to have effect)
- Yates v. United States, 574 U.S. 528 (2015) (used as illustrative authority on avoiding strained readings)
- United States v. Valle, 807 F.3d 508 (2d Cir. 2015) (circuit decision addressing scope of "exceeds authorized access")
- United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc) (narrow reading supporting limits on CFAA liability)
- United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010) (circuit precedent adopting broader scope)
- Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F.3d 756 (6th Cir. 2020) (recent circuit ruling relevant to the split)
