« Notable new polling data on death penalty from Pew Research Center | Main | Prosecutors and Politics Project releases amazing "Prosecutor Lobbying in the States, 2015-2018" »

June 3, 2021

In 6-3 opinion for (police officer) defendant, SCOTUS limits reach of federal Computer Fraud and Abuse Act

The Supreme Court issued one opinion this morning, and it is an interesting criminal law decision with an interesting divide of Justices limiting the reach of a notable federal criminal statute.  The majority opinion in Van Buren v. US, No. 19–783 (S. Ct. June 3, 2021) (available here), is authored by Justice Barrett and it starts and ends this way:  

Nathan Van Buren, a former police sergeant, ran a license-plate search in a law enforcement computer database in exchange for money.  Van Buren’s conduct plainly flouted his department’s policy, which authorized him to obtain database information only for law enforcement purposes.  We must decide whether Van Buren also violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

He did not.  This provision covers those who obtain information from particular areas in the computer — such as files, folders, or databases — to which their computer access does not extend.  It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them....

In sum, an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer —  such as files, folders, or databases — that are off limits to him.  The parties agree that Van Buren accessed the law enforcement database system with authorization. The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could.  Van Buren accordingly did not “excee[d] authorized access” to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.  We therefore reverse the contrary judgment of the Eleventh Circuit and remand the case for further proceedings consistent with this opinion.

Justice Thomas authored a dissent joined by the Chief Justice and Justice Alito. It starts this way:

Both the common law and statutory law have long punished those who exceed the scope of consent when using property that belongs to others.  A valet, for example, may take possession of a person’s car to park it, but he cannot take it for a joyride.  The Computer Fraud and Abuse Act extends that principle to computers and information.  The Act prohibits exceeding the scope of consent when using a computer that belongs to another person.  Specifically, it punishes anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains” information from that computer. 18 U.S.C. §1030(a)(2).

As a police officer, Nathan Van Buren had permission to retrieve license-plate information from a government database, but only for law enforcement purposes.  Van Buren disregarded this limitation when, in exchange for several thousand dollars, he used the database in an attempt to unmask a potential undercover officer.

The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have “exceed[ed] authorized access” to the database when he used it under circumstances that were expressly forbidden? In my view, the answer is yes.  The necessary precondition that permitted him to obtain that data was absent.

The Court does not dispute that the phrase “exceeds authorized access” readily encompasses Van Buren’s conduct. It notes, instead, that the statute includes a definition for that phrase and that “we must follow that definition, even if it varies from a term’s ordinary meaning.”  Tanzin v. Tanvir, 592 U.S. ___, ___ (2020) (slip op., at 3) (internal quotation marks omitted). The problem for the majority view, however, is that the text, ordinary principles of property law, and statutory history establish that the definitional provision is quite consistent with the term it defines.

I am pretty sure that this is the first (non-unanimous) opinion in which all the Trump-appointed Justices joined with all the Justices appointed by Democratic presidents, and I am very sure that I am hopeful that this will not be the only case in which these Justices combine to limit the application of questionable criminal laws and doctrines. Interesting times.

UPDATE:  I see Kent Scheidegger at Crime & Consequences has this age-related take on the alliances of the Justices in this Van Buren:

For those who like to categorize Justices and tally statistics, it may (or may not) be noteworthy that the six Justices appointed by Republican Presidents split by age, with the three younger ones supporting the narrower interpretation of this criminal law. There is perhaps a more libertarian streak in the more junior Justices and more wariness of overcriminalization.

June 3, 2021 at 10:36 AM | Permalink


The split is fairly understandable.

Thomas and Alito are basically "High Federalists" and will hold to the conservative interpretation of criminal law often in divided cases. Gorsuch will at times have "liberal" results in such cases. Kavanaugh and Barrett are likely swing votes.

The slight surprise is Roberts, who tends to avoid a dissent, especially if the "swing" votes are not involved or it isn't something he is particularly concerned about such as his dissent in the standing case.

The citation to the statutory guide that is co-authored by Scalia is almost standard now. How many times have it been cited?

Posted by: Joe | Jun 3, 2021 10:52:39 AM

This case reminds me of the 2011 incident involving Florida Highway Patrol Officer Donna "Jane" Watts, who pulled over a Miami police officer speeding (120 m.p.h.) in an unmarked police cruiser, without lights or siren activated, because he was late for his second, off-duty job. As a famous dash cam video shows, she arrested him at gunpoint, in uniform, at the side of the road, handcuffed him and took his service pistol. That Miami officer subsequently lost his job. Jane then became a subject of harassment for several years. Eventually, she discovered that 88 other law enforcement officers from 25 jurisdictions had illegally accessed her Driver's License and other personal information (including her home address) without a legitimate law enforcement purpose. She eventually sued 88 defendants, and all but 5 Miami police officers paid settlements for violating her right to privacy. The 5 Miami officers won at trial, saying that they thought she was a dangerous officer, because she had arrested another uniformed officer at gunpoint for speeding, so they wanted to see her picture and know what she looked like, in case they ever encountered her. Notably, several of those Miami officers continued to access Jane's personal information, even after they had already seen her picture from prior computer searches. Jane had to finish her time as a police officer on desk duty (until she retired) because of concern that other officers would not back her up in dangerous situations in the field while on patrol duty. Upon retirement, she also moved several hundred miles (from the Ft. Lauderdale area) to a new home on the panhandle of Florida.

Posted by: Jim Gormley | Jun 3, 2021 11:25:53 AM

It's a good result for sure. An even better result would have been Prof. Kerr's "code-based" approach, although I have some minor quibbles with that as well. But I think it's about the best anyone can hope for given that the Justices and even their clerks will never be inclined to delve into the deepest technical weeds.

In one way, the opinion assignment isn't all that shocking, because Barrett is known to be, or at least is a self-professed (she was formerly a law prof, get it? ha!), statutory-construction buff. Plus, while it's a very important case in terms of practical consequences, it doesn't involve sexy constitutional issues and/or politically-charged circumstances. But I was surprised in one sense because at oral argument, her questions seemed to show very little grasp of the key issues. Maybe that just means you can't parse many tea leaves from the questioning.

That said, Van Buren's underlying conduct was still reprehensible and I do hope that he somehow receives appropriate punishment. He did lose his job at least.

Posted by: hardreaders | Jun 3, 2021 12:19:12 PM

Also, LGM blog just did a feature on Martin Van Buren the other day, so I feel like they sort of called this one, albeit unknowingly.

Posted by: hardreaders | Jun 3, 2021 1:53:45 PM

The Seinfeld episode "The Van Buren Boys" episode REALLY was ahead of the curve on this one.

The use of a police officer abusing his access to the computer database for personal gain as an avenue to provide a result that might later on help more sympathetic defendants is a tad ironic. But, that is how these things often work.

Trivia note -- this appears to be the first opinion where Justice Breyer was in the majority. In theory, if Roberts, Thomas and Breyer was in the dissent, ALITO would get to assign a case. That would be an interesting case.

Posted by: Joe | Jun 3, 2021 2:12:13 PM

(that is, Breyer was the most senior justice and got to assign the opinion; he sorta was earlier but it was only a plurality opinion)

Thanks to HR for the link on the other thread.

Posted by: Joe | Jun 3, 2021 2:14:22 PM

It will be interesting to see what if any influence this opinion has on state courts. Many states also have anti-hacking statutes which are similar to, but not exactly the same as, the federal statute. Technically, they are free to interpret their statutes differently (especially if the language is different), but I am sure that attorneys will cite to this case as persuasive authority for a narrow read of those statutes.

Additionally, some states have specific statutes on misuse of criminal history information or restricting government employees from using information gained on the job for personal purposes. I don't know if Georgia does, but those could be alternative charges if the local prosecutor wanted to pursue this matter further.

Posted by: tmm | Jun 4, 2021 10:32:06 AM

The C&C piece has this bit:

"The essence of what he did wrong was use law enforcement information for private gain. It would have been just as wrong if he had taken the information in hard copy out of a file cabinet."

That sort of misses the point of the law, which is specifically concerned about computer crimes. People who break the specific law, applying how the majority defines it, will regularly do so for reasons that would be criminal for other reasons too.

But, "Computer Fraud and Abuse" is specifically problematic too on its own. On that front, especially given the Supreme Court's concerns over the years about broad federal laws (even if here that was allegedly but "icing on the cake" and statutory interpretation did the trick), Congress and the states might want to be careful about crafting such laws. For instance, a bit more specifics would help dealing with cases like this without, e.g., the Facebook profile scenario and other hypos, also being covered.

[For instance, perhaps misuse of computers for financial gain or whatever.]

Posted by: Joe | Jun 4, 2021 11:48:00 AM

Post a comment

In the body of your email, please indicate if you are a professor, student, prosecutor, defense attorney, etc. so I can gain a sense of who is reading my blog. Thank you, DAB