The U.S. Supreme Court will soon decide what it means to exceed authorized computer access. At stake is the constitutionality of the Computer Fraud and Abuse Act (CFAA).
The court heard arguments in Van Buren v. United States, a case involving a police officer who was convicted of violating the CFAA for looking up an entertainment club dancer’s license plate number in a database maintained by the Georgia Bureau of Investigation (GBI) and the FBI. Nathan Van Buren, a Georgia police sergeant at the time, was authorized to access the database for work purposes, but he did so in this situation as a favor in exchange for a loan.
The CFAA prohibits, among other things, intentionally accessing a computer without authorization and exceeding authorized access to obtain information. Although there is no doubt that the statute criminalizes hacking, it is not clear how many different kinds of exceeding authorized access would trigger federal criminal liability.
A federal grand jury charged Van Buren with one count of honest-services wire fraud, in violation of 18 U.S.C. §§ 1343 and 1346, and one count of felony computer fraud, in violation of 18 U.S.C. § 1030. A jury convicted Van Buren on both counts, and Van Buren appealed his convictions. The U.S. Court of Appeals for the Eleventh Circuit found the jury instructions as to the honest-services count were fatally flawed and remanded that charge for a new trial. It found no deficiencies in the conviction for computer fraud and affirmed that conviction, citing Eleventh Circuit precedent in United States v. Rodriguez, which held that a person “exceed[s] authorized access[]” to a computer when she accesses it for a prohibited use, even if she is authorized to access it for proper purposes. It acknowledged that the Second and Ninth Circuits had held differently but nevertheless stood by the holding in Rodriguez.
The question before the Supreme Court is whether a person who is authorized to access information on a computer for certain purposes violate Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses that information for an improper purpose.