A cyber stakeholder's guide to Van Buren vs. US

On Monday, the Supreme Court will hear oral arguments involving the Computer Fraud and Abuse Act (CFAA). The case centers around Georgia-based police sergeant Nathan Van Buren after he was caught using his credentials to access the Georgia Crime Information Center (GCIC) in exchange for money.

While Van Buren had authorized access to the GCIC, the case questions if he abused his legal access by existing CFAA standards.

Van Buren's bribe was part of a sting operation organized by the FBI; he was convicted of "honest services wire fraud and computer fraud" in October 2017, according to the Department of Justice.

The CFAA criminalizes unauthorizved access to computers. What the Supreme Court could determine is if it is a federal crime when an individual, who has the authority to access a computer system, does it for improper reasons. In past rulings, the U.S. Court of Appeals for the Eleventh Circuit said Van Buren violated the CFAA.

"Is this the case for the Supreme Court to decide? Or is it more appropriate for Congress to clarify what they mean by authorized access?" said Michael Bahar, a partner and co-lead of Global Cybersecurity and Data Privacy at Eversheds Sutherland LLP.

If the Supreme Court reverses the Eleventh Circuit decision, or refuses to rule against defendants "in cases of ambiguities," it might ignite Congressional action, according to Bahar. Likewise, if the Supreme Court upholds the Eleventh Circuit's ruling, Congress might be less incentivized to issue clarity or an amendment for the CFAA.

While the case will mostly impact individuals and computer crimes, it will also influence how U.S. citizens interact with computers or databases they have authorized access to. The case's outcome will likely extend to how employers treat their service agreements and the scope of employee access.

Split circuit

In past decisions, courts upheld "that disregarding the computer system owner's restrictions" for an authorized user "is not sufficient to trigger the CFAA," said Richard B. Newman of Hinch Newman LLP.

"Those courts focus on more egregious actions, such as hacking." Van Buren's case could impact violations of website term agreements, for example.

In support of Van Buren, the Electronic Frontier Foundation (EFF) argued "this formulation dangerously broadens the CFAA's scope and transforms it into an all-purpose mechanism for policing objectionable or simply undesirable behavior," in its amicus brief filed in January. The EFF said the Second, Fourth and Ninth Circuits ruled "such a formulation loses sight of the CFAA's intended purpose," which is to criminalize the unlawful hacking of a computer.

Those in favor of ruling Van Buren in violation of the CFAA, say "it would not be possible to generalize across different factual scenarios," including "violations of contract-based restrictions," according to the amicus brief filed by the Electronic Privacy Information Center.

Van Buren's CFAA case is the first to go before the Supreme Court. But it echoes similarities of the 2011 U.S. vs. David Nosal case, which was passed for review by the Supreme Court.

Nosal was charged in violation of the CFAA in 2008 after taking a former executive assistant's credentials to access the database of his former employer, Korn Ferry.

Before the U.S. Court of Appeals for the Ninth Circuit, the dissenting judge wrote "this case is about password sharing" and the CFAA "does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals." Other judges said the case was more so about former employees conspiring to access "trade secrets in a proprietary database through the back door when the front door had been firmly closed."

Similar to Nosal, Van Buren has had a circuit split. "We can't have criminal conduct in one half the country and not be criminal in the other half the country, right?" said Bahar.

Computer crime evolves

At the time Congress passed the Comprehensive Crime Control Act in 1984, it was intended to provide a "statement of proscribed activity," but fell short of making the access of classified information a felony, according to the DOJ. It also failed to make a misdemeanor for accessing financial information "stored in a financial institution or to trespass into a government computer."

When Congress passed the CFAA, it included computer intrusions, denial of service attacks, viruses and worms as variations of computer crimes. Hacking and computer crimes have since evolved, leaving more gray areas for the CFAA to potentially cover.

"When you're trying to interpret a statute from the 80s in light of technology of the 2020s, it's a very difficult task," said Bahar. "If you're trying to combine this congressional intent from the 80s, and yet, have it apply now, it becomes more difficult to do."

In Van Buren's case, what's up for debate is the applicability of Section 1030(a)(2) in the CFAA and the difference between "without authorization" and "exceeds authorized access." The DOJ describes "exceeds authorized access" as lawful computer access, but using it to "to obtain or alter information in the computer that the accessor is not entitled to obtain or alter." Typically those who "exceed authorized access" are insiders, such as Van Buren.

However, in order to prove an individual exceeded their authorization, prosecutors have to prove two things, according to the DOJ:

How the individual's authority accessing the computer data was "limited, rather than absolute"
How the individual then "exceeded those limitations" in accessing the data

"Think of the CFAA as a trespass statute. It can be enforced both criminally and civilly," said Newman. The entities absorbing damage from "exceeding authorized access" have a right to sue.