Van Buren v. United States

Background

Nathan Van Buren, a former Georgia police sergeant, used his patrol-car computer and valid credentials to search a law-enforcement database for a license plate in exchange for money. Department policy forbade using the database for non–law-enforcement purposes. The FBI had set up a sting. Van Buren was convicted by a jury under the Computer Fraud and Abuse Act’s “exceeds authorized access” clause and sentenced to 18 months; the Eleventh Circuit affirmed.

Reasoning

The Court asked whether “exceeds authorized access” covers employees who misuse access they otherwise have, or only those who obtain data from parts of a computer they are not allowed to reach. Reading the CFAA definition, the Court held the phrase applies when someone goes into particular files, folders, or databases that are off-limits, not when someone merely uses permitted access for an improper purpose. The Court relied on the statutory wording (including the word “so”), the statute’s structure, and the removal of a prior “purpose” reference in the law’s history.

Real world impact

The ruling narrows criminal liability under the CFAA. It makes it less likely that ordinary personal uses of work computers or violations of employer policies will be federal crimes under the “exceeds authorized access” clause. The decision affects employers, prosecutors, website operators, and people who use online services, and the case was reversed and remanded to the lower court for further proceedings consistent with the opinion.

Dissents or concurrances

Justice Thomas (joined by the Chief Justice and Justice Alito) dissented, arguing traditional property-law concepts and the statute’s history support a broader rule that would criminalize using authorized access for improper purposes.