Trying to make sense of the Supreme Court’s recent Van Buren ruling? Below is an easy-to-digest breakdown of the Court’s decision.
Brief Overview of Van Buren v. U.S.
On June 3, 2021, the Supreme Court issued a 6-3 decision, ruling on the Van Buren v. United States case. The court held that defendant Nathan Van Buren, a former police sergeant, did not violate the Computer Fraud and Abuse Act of 1986 (CFAA) when he ran a license-plate search in a law enforcement database in exchange for money.
Under the CFAA, it is unlawful to obtain or alter information by “access[ing] a computer without authorization” or by “exceed[ing] authorized access [ . . . ] that the accesser is not entitled so to obtain or alter.”[1] Violating the statute is punishable by up to twenty years imprisonment.
The Supreme Court ruled that Van Buren did not violate the CFAA because, despite his improper motives, he obtained the license-plate information from a database that he was entitled to access.[2] Van Buren did not technically violate the CFAA’s “exceeds authorized access . . .” clause because the clause is defined to mean “access[ing] a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
So, What Does This Mean?
According to the Supreme Court, under the CFAA, if a person has the authorization to access a computer entitling them to obtain or alter information, then they can’t technically be exceeding their authorization unless otherwise specified by the Act.
Let’s start by examining the legislative history for added context, so we can better understand lawmakers’ intent in passing a law that prohibits obtaining or altering information within a computer through unauthorized access or by exceeding authorized access.
At the time that the Computer Fraud and Abuse Act (1986) and Comprehensive Crime Control Act (1984) were enacted, computer hacking was an entirely new, loosely understood class of threat. Interestingly, the concept of this new threat was best captured and explained in the 1983 film WarGames.
The Only Winning Move Is Not to Play
In the WarGames movie, a young man named David hacks his way into a U.S. military central computer by exploiting a back door. Once in the network, David mistakes a NORAD warfare scenario program for an edgy computer game only to later realize that the program he activated was not a game, but instead the system which controls the entire U.S. nuclear arsenal.
The WarGames movie had such a profound impact on society that it spurred Congress to enact the Comprehensive Crime Control Act of 1984 (CCCA) which laid the foundation for the Computer Fraud and Abuse Act of 1986 (CFAA). The CCCA made it a crime to “knowingly access a computer without authorization . . . [or with authorization] for purposes to which authorization does not extend.”[3]
When the CCCA was brought to the floor of the House of Representatives for debate in 1984, Kansas Congressman Dan Glickman opened by saying, “[w]e are gonna show about four minutes from the movie WarGames, which outlines the problem fairly clearly.” The House of Representatives Committee on Science and Technology Report that followed found that the film showed “a realistic representation of the automatic dialing and access capabilities of the personal computer.”[4]
Thanks in part to WarGames, Congress enacted the CCCA of 1984 to make computer hacking a federal criminal offense. Two years later, Congress replaced the CCCA with the CFAA. The CFAA contained two clauses that together were intended to address the unlawful obtaining or alteration of information by both outsider and insider threats.
However, the clause that addressed insider threats now requires an update some 35 years later.
The SCOTUS majority opinion in the Van Buren decision signaled to the other two co-equal branches of government that the CFAA is an outdated enforcement tool: the language of the statute fails to include an intended-purpose or improper-use clause, which would have addressed what Van Buren, an authorized accessor, planned to do with the information he was entitled to obtain.
Conclusion
The government, for all intents and purposes, just lost half of one of its favorite cybersecurity enforcement tools. Now, one of two things is likely to happen: (1) the Executive branch will simply utilize a similar, but different enforcement tool to charge insider-threat perpetrators, or (2) Congress will amend the CFAA to include language that casts a wider net.
Conveniently enough, if Congress wants to give teeth back to the CFAA and its now dull “exceed[s] authorized access” clause, it could simply look back to the CFAA’s predecessor, the 1984 CCCA. The sweeping language of the CCCA’s “provides for purposes” clause qualifies the extent of an accessor’s authorization, which widens the violation’s scope as compared to the CFAA.
The CCCA’s “purposes” clause states:
“Whoever knowingly accesses a computer without authorization, or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend, and by means of such conduct obtains information . . . [shall be in violation].”
In closing, the Van Buren ruling issued by our highest court does not pave the way for insider threat free-for-alls. Cybercrime prevention and enforcement operations will not be put on hold as a result of this decision.
The Supreme Court is simply telling the Executive branch that its go-to tool no longer does what it thought it did, while also broadcasting to Congress that, hey, it might be time to either update or abandon the CFAA in favor of bringing insider-threat cybercrime charges under a different statute such as the Stored Communications Act (SCA), the Electronic Communications Privacy Act (ECPA), the Health Information Technology for Economic and Clinical Health Act (HITECH), or the Defend Trade Secrets Act (DTSA).
[1] 18 U.S. Code §1030
[2] Nathan Van Buren v. United States, 593 U.S. (2021) No. 19-783
[3] Public Law 98-473, Oct. 12, 1984
[4] U.S. House of Representatives, Committee on Science and Technology Report, page 17.