Van Buren v. United States

Van Buren v. United States is a pending United States Supreme Court case dealing with the Computer Fraud and Abuse Act (CFAA) and its definition of "exceeds authorized access" in relation to one intentionally accessing a computer system they have authorization to access. The CFAA's language has long created a circuit split in case law, and the Court's decision will significantly impact cybersecurity and computer crime enforcement.

Van Buren v. United States
Argued November 30, 2020
Full case nameNathan Van Buren v. United States
Docket no.19-783
Case history
Prior
  • Conviction, United States v. Van Buren, No. 1:16-cr-00243 (N.D. Ga. May 3, 2018)
  • Affirmed, 940 F.3d 1192 (11th Cir. 2019)
  • Cert. granted, Van Buren v. United States, 206 L. Ed. 2d 822 (2020)
Questions presented
Whether a person who is authorized to access information on a computer for certain purposes violates Section 18 U.S.C. § 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.
Court membership
Chief Justice
John Roberts
Associate Justices
Clarence Thomas · Stephen Breyer
Samuel Alito · Sonia Sotomayor
Elena Kagan · Neil Gorsuch
Brett Kavanaugh · Amy Coney Barrett

Background

The Computer Fraud and Abuse Act (CFAA) is a federal law passed in 1986 to strengthen laws around unauthorized access to computer systems. The law was passed partially based on fears from Congress members who saw the 1983 film WarGames.[1] Among its core statutes at 18 U.S.C. § 1030(a)(2) is that intentionally accessing a computer system "without authorization or exceeds authorized access" to obtain protected information, financial records, or federal government information is considered a federal crime that can include fines and imprisonment as a penalty.

The exact definition of "exceeds authorized access" is not clear and created a 4–3 circuit split of cases at the Circuit Courts.[2] In the First, Fifth, Seventh, and Eleventh Circuits, the courts upheld a broad view of the statement, that accessing a computer with authorization but for an improper purpose is a violation of the CFAA. The Second, Fourth, and Ninth Circuits took a more narrow view that a violation only occurs if the authorized user accesses information they were prohibited from accessing.[2]

Because of the case law split, there has been debate on whether the language should be treated narrowly or broadly between cybersecurity researchers and law enforcement among others. For cybersecurity practitioners, a narrow interpretation of "exceeds authorized access" language in §1030(a)(2) would allow them to better conduct work identifying and resolving security problems with computer hardware and software as to make the Internet safer. The vagueness of the statute otherwise puts these job functions at risk. Law enforcement and the U.S. government in general prefer a broader interpretation as this allows them to prosecute those who use hacking to bring down or take advantage of insecure systems under the CFAA.[3] There are additional concerns as the language of CFAA, if broadly interpreted, could apply to commonly-accepted activities at businesses or elsewhere, such as using office computers for browsing the web. Jeffrey L. Fisher, a law professor at Stanford University who represents the petitioner in the present case, states that the law's language is outdated with modern computer usage, and its broad interpretation "[makes] a crime out of ordinary breaches of computer restrictions and terms of service that people likely don’t even know about and if they did would have no reason to think would be a federal crime."[3]

In the present case, a police officer Nathan Van Buren from Cumming, Georgia was in need of money and asked a man, Andrew Albo, for help. Albo was known to have connections to prostitution in the town and had prior conflicts with the police. Albo reported this request to the local sheriff's office, where the request was passed to the Federal Bureau of Investigation (FBI). The FBI set up a sting operation and instructed Albo to offer Van Buren US$6,000, but in exchange, to request Van Buren look up a license plate on the Georgia Crime Information Center (GCIC) he had authorized access to, as to see if its registered owner, a stripper, was an undercover officer. Van Buren complied with the request, which led the FBI to arrest him for felon computer fraud under the CFAA §1030(a)(2). Van Buren was found guilty in a jury trial and sentenced to 18 months of prison in the U.S. District Court for the Northern District of Georgia.[2]

Van Buren appealed the conviction to the United States Court of Appeals for the Eleventh Circuit, asserting that accessing the GCIC that he had authorized access to but for an improper purpose was not a violation of the "exceeds authorized access" clause of the CFAA. While the Circuit judges had some sympathy for this argument, they chose to rule on precedence from a prior Eleventh Circuit case, (United States v. Rodriguez (2010),[4] to uphold Van Buren's conviction.[5][2]

Supreme Court

Van Buren petitioned to the Supreme Court, which granted certification of the case in April 2020.[3] The case was argued via telephone due to the ongoing COVID-19 pandemic on November 30, 2020.[6]

References

  1. Kopsidas, Andrew; Stark, Eda (July 7, 2020). "INSIGHT: SCOTUS Decision on Computer Fraud Act Could Impact Trade Secrets". Bloomberg News. Retrieved July 15, 2020.
  2. Cloutier, Kevin M.; Poell, David M. (April 30, 2020). "U.S. Supreme Court Case Preview—Van Buren v. United States: Does Use of a Computer for an "Improper Purpose" Violate the Computer Fraud and Abuse Act?". National Law Review. Retrieved July 15, 2020.
  3. Marks, Joseph (April 24, 2020). "The Cybersecurity 202: There's finally a Supreme Court battle coming over the nation's main hacking law". The Washington Post. Retrieved July 15, 2020.
  4. United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).
  5. United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019).
  6. "Monthly Argument - Supreme Court of the United States". www.supremecourt.gov. Retrieved 2020-11-27.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.