On Nov. 30, 2020, the U.S. Supreme Court heard oral arguments in the case Van Buren v. the United States. Van Buren is appealing an 11th Circuit Court decision that convicted him under the 1986 Computer Fraud and Abuse Act. The Court granted certiorari in order to resolve a circuit split on the question of whether “a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses that information for an improper purpose?”
Overview
Nathan Van Buren, a police officer in Georgia, used his professional credentials to search the Georgia Bureau of Investigation and the Federal Bureau of Investigation license plate databases and obtain information for his own personal use. Van Buren became acquainted with a man named Andrew Albo, who unbeknownst to Van Buren, became involved with the FBI and the County Sheriff’s office. The FBI instructed Albo to ask Van Buren to perform a search for the alleged license plate number of a woman he was interested in. Van Buren agreed to search the Georgia Crime Information Center database, a restricted database he could access because of his job as a police officer and gave the information to Albo. The FBI charged Van Buren for violating the Computer Fraud and Abuse Act arguing that although Van Buren accessed the database using legitimate authorization granted to him in his capacity as a police officer, using the credentials for his own personal use exceeded his authorized access and is therefore criminally liable under the CFAA.
The answer to the question of whether a person with information access violates the CFAA by accessing the information for an improper purpose depends on how the Court interprets Section 1030(a)(2) of the Act. This section states that whoever “intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains information…” violates the CFAA. The statute defines “exceeds authorized access” as “to access a computer with authorization and ... use such access to obtain or alter information in the computer that the accesser [sic] is not entitled so to obtain or alter.”
Recently, circuit courts have ruled differently from one another, causing a circuit split. The split arises out of conflicting interpretations of the CFAA’s definition of “exceeds authorized access.” The 1st, 5th, 7th and 11th Circuit Courts have each adopted a wide view of this definition whereas the 2nd, 4th and 9th Circuit Courts have adopted narrower views.
In upholding Van Buren’s conviction, the 11th Circuit Court stood by its prior CFAA interpretation set forth in States v. Rodriguez that a person “exceed[s] authorized access[]” to a computer when she accesses it for a prohibited use, even if authorized to access it for other proper purposes. In this case, the Rodriguez precedent meant that, according to the 11th Circuit Court interpretation, even though Van Buren was authorized to use the license plate database for official police purposes, he exceeded authorized access when he used the database for his own personal use.
This interpretation lies in contrast to other cases coming out of the 2nd, 4th and 9th Circuit Courts. These courts each adopted a narrow interpretation of what “exceeds authorized access” means and held that an individual only “exceeds authorized access” when accessing the information on a computer that the individual has no authorization to use. Under this interpretation, Van Buren would not have been found to have violated the CFAA because he had the authorization to access the computer through his capacity as a police officer. Because he had authorization, the fact he used such access for improper purposes is immaterial.
Two amicus briefs demonstrate contrasting viewpoints
The concerns articulated in amicus briefs submitted by privacy civil society organizations the Electronic Privacy Information Center and the Electronic Frontier Foundation highlight the proposed ramifications of siding with either Van Buren or the government.
Those who support the government’s position argue that Van Buren’s improper use of the database is exactly the type of harm that the CFAA was drafted to protect against. For example, the Electronic Privacy Information Center’s brief argues the CFAA was intended to protect not only the computer system but was “meant to prohibit malicious access” by insiders and outsiders, with outsiders being those “without authorization” and insiders being those who “exceed authorized access.” Their argument is that the CFAA is an “extra check against abuse by the people entrusted to access sensitive data and systems” and highlights the improper access of databases that contain personal information.
The EPIC brief rejects the possibility that innocent conduct will end up being criminalized under the CFAA. EPIC maintains that the legality of activities that cause the most concern in the face of a broad CFAA interpretation, such as data scraping, would be better hashed out in the upcoming LinkedIn v. hiQ labs case, which examines whether the CFAA prevents a company from scraping publicly-available information from a website.
However, even if the Court were to agree with the EPIC amicus that the statute was drafted, at least in part, to protect an individual’s privacy, it is important to point out that the CFAA is an anti-hacking statute originally introduced in the 1980s when computer technology was a far cry from its ubiquity and necessity today. The statute was never designed to be the vehicle to comprehensively protect privacy interests nor was it drafted with the complexity of modern privacy issues in mind. Thus, while the CFAA can shape privacy policy, it does not do so artfully. In other words, if privacy regulation requires the nuanced approach of a scalpel, the CFAA acts as a hammer.
By contrast, the EFF argues that the CFAA can be used to protect privacy, but only does so at an enormous cost to individuals’ electronic liberties. EFF highlights this viewpoint by demonstrating that if the CFAA is interpreted broadly thereby protecting electronic privacy, the Court would be effectively paving the way for companies to censor and criminalize otherwise innocuous behavior.
One of the primary concerns highlighted by both the EFF brief and Van Buren’s attorney, Jeff Fisher, during oral arguments is that an organization can effectively determine what the law is by changing its terms of use. To put it in other words, for an individual to use a school or employer’s computer system, or before an individual is permitted to use a service like Facebook, they generally must first agree to the “Terms of Use.” However, as EFF points out in their brief, “users routinely violate computer use policies in the course of their employment or as a part of their daily lives.”
Currently, failure to comply with the TOU can, at the very most, result in the individual being barred from future use of the site. However, if the CFAA were to be construed broadly, there is a risk that failure to comply with the TOU could also run afoul of the CFAA. This is because the organization could argue that by failing to adhere to the TOU, the individual exceeded their authorization to use the service and is therefore potentially both civilly and criminally liable. Thus, while the individual's data would receive heightened protection and individuals would have more privacy, such benefits would come at a major potential cost to other electronic liberties.
How other jurisdictions approach this same type of situation
The United States is not the only country to face the problem of a police officer misusing a non-public database for personal purposes. Looking at how other nations have addressed the problem can be helpful in revealing that there are congressional alternatives to using the CFAA as a privacy proxy.
In Germany, after a 15-year-old girl filed a complaint at a police station, the police officer who took her complaint contacted her via the information she provided and invited her to a “photoshoot.” In another case out of Germany, a police investigator texted lewd advances to an underage witness using contact details obtained in his professional capacity. Finally, in a third case out of Germany, a police officer accessed a police database of license plate numbers in order to run a second search to discover an acquaintance’s phone number.
In each of these instances, the officer had legal access to the information in question but was fined. In the first two cases, a data protection officer fined the offending officers. In the third case, the officer was fined in accordance with the EU General Data Protection Regulation for impermissibly accessing and processing that information. The most obvious difference between the CFAA’s approach and the GDPR’s approach is that the CFAA is an anti-hacking law whereas the GDPR is a data protection law. As a result, the primary focus of each is different. The CFAA inquiry focuses on whether the individual had “authorized access” to information. Alternatively, the GDPR does not focus on how the information is obtained but instead focuses on how the information is used.
Indeed, the GDPR is not perfect. In each of the German cases, there was public displeasure at the fact that the police officers in question were merely fined between 800 and 1,500 euros. Congress does not seem to desire to adopt a GDPR-like law, and may not take the same approach as Europe. However, the cases out of Germany show that there are alternative ways of handling scenarios where someone with access to a sensitive database accessed it for personal purposes. They show how Congress could approach the question presented in Van Buren and address the privacy concerns of the Supreme Court.
It was clear through oral arguments that the Supreme Court was unconvinced that the CFAA was the appropriate vehicle with which to regulate Van Buren’s conduct, with Justice Sonia Sotomayor asking if Van Buren’s conduct could be prosecuted in a different way or if the CFAA could be subject to “targeted changes.”
What does the case mean for privacy?
Irrespective of the outcome, the Van Buren case is important for privacy professionals because the application of the CFAA, in this case, highlights that privacy concerns have outgrown the statutory framework currently used to protect individual’s privacy. While it may be used to do so, the CFAA does not need to act as a bandage to cover the ever-growing problem of privacy while creating a host of other problems.
The patchwork of existing sector-specific privacy laws and state laws do not cover all the rogue conduct that could (and may already) have been done by bad actors. Issues arising out of the application of one statute to cover data protection when the statute was never intended to be a data protection statute could be remedied by the creation of a federal privacy law that looks at some conduct as privacy violations and data protection harms instead of hacking harms. Additionally, a comprehensive privacy law would also address the understandable fears of those who find Van Buren’s behavior a clear violation of data protection.
As Van Buren’s attorney, Jeff Fisher, repeatedly reminded the Court during oral argument, the tricky part in determining the outcome of this case is remembering that the question at bar is not about whether the CFAA or other statutes should protect privacy interests and prevent unauthorized use of data. The question is whether “the CFAA as enacted and existing right now” actually does so.
Photo by Christian Wiediger on Unsplash