For 35 years, the Computer Fraud and Abuse Act (CFAA) has been a powerful weapon in law enforcement’s arsenal against computer hackers. Essentially, it criminalized the standard definition of hacking – accessing information on a computer, where the user lacks authorization to do so. But what happens when someone is authorized to access the information, but then misuses the information? For example, a police officer who accepted a bribe and then accessed a vehicle database for non-law-enforcement purposes? This was the situation in Van Buren v. United States, which was decided by the U.S. Supreme Court on June 3, 2021. In a 6-3 decision, the court determined that the CFAA penalizes unauthorized access to information, not misuse of the information accessed.
In the Van Buren case, Georgia police sergeant Nathan Van Buren was authorized to check vehicle license plates against a vehicle database, as part of his job. An FBI informant bribed Van Buren to search a license plate belonging to a woman he met at a strip club, to make sure that she wasn’t an undercover police officer. Van Buren accepted a $6,000 bribe and ran the search. He was convicted of honest services wire fraud and felony computer fraud. The latter was brought under the CFAA (18 U. S. C. ß1030). Because Federal appeals courts were split on their interpretation of the CFAA, the Supreme Court granted certiorari.
The CFAA penalizes both “outside hacking” (“intentionally access[ing] a computer without authorization”) and “inside hacking” (by an authorized user who “exceeds authorized access”). It defines “authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The government’s argument was that the statute prohibits the misuse of information even if the user technically had access. The court spent time reviewing how the word “so” in the statute modified the word “entitled”. The justices looked to several dictionary definitions of the word “so”, including Black’s Law Dictionary and the Oxford English Dictionary, and stated that “[i]t refers to a stated, identifiable proposition from the ‘preceding’ text; indeed, ‘so’ typically ‘[r]epresent[s]’ a ‘word or phrase already employed,’ thereby avoiding the need for repetition.” Writing for the court’s majority, Justice Barrett concluded that “[t]he disputed phrase ‘entitled so to obtain’ thus asks whether one has the right, in ‘the same manner as has been stated,’ to obtain the relevant information. And the only manner of obtaining information already stated in the definitional provision is ‘via a computer [one] is otherwise authorized to access.'”
This opinion has the potential to shake the foundations of cybersecurity and law enforcement. For big businesses, who have the resources to monitor their employees’ use of technology, it may not be a problem. But for small businesses, it may be a very large problem. If you have granted overly broad access to a secretary, and he or she steals the design of your new electric car, the Justice Department won’t be able to charge them under the CFAA. The Federal Defend Trade Secrets Act may apply, depending on the facts, and employees who violate the terms of their employment or non-disclosure agreements can still be sued.
The takeaway from this opinion is that your business should rely on the principle of “least privileged access” to protect your resources. For example, if you have valuable information, you can disable access to USB drives, and instead require that employees connect through a VPN, with access based on the employee’s role. Current computer and cloud services agreements should be reviewed to ensure that your users and vendors are aware of their responsibilities.
Take the time to protect your business using proper technology and proper agreements. You’ll be “so” glad that you did.
— Joshua D. Waterston, Esq.