Van Buren v. United States, 19-783

• Court: United States Supreme Court
• Writing for the Court: Justice BARRETT delivered the opinion of the Court.
• Citation: 210 L.Ed.2d 26,141 S.Ct. 1648
• Parties: Nathan VAN BUREN, Petitioner v. UNITED STATES
• Docket Number: No. 19-783,19-783
• Decision Date: 03 June 2021

141 S.Ct. 1648
210 L.Ed.2d 26

Nathan VAN BUREN, Petitioner
v.
UNITED STATES

No. 19-783

Supreme Court of the United States.

Argued November 30, 2020
Decided June 3, 2021

Jeffrey L. Fisher, Stanford, CA, for the petitioner.

Eric J. Feigin, Deputy Solicitor General, for the respondent.

Saraliene Smith Durrett, Saraliene Smith Durrett, LLC, Rebecca Shepard, Federal Defender Program, Inc., Atlanta, GA, Jeffrey L. Fisher, Brian H. Fletcher, Pamela S. Karlan, Stanford Law School Supreme Court Litigation Clinic, Stanford, CA, for Petitioner.

Jeffrey B. Wall, Acting Solicitor General Counsel of Record, Brian C. Rabbitt, Acting Assistant Attorney General, Eric J. Feigin, Deputy Solicitor General, Morgan L. Ratner, Assistant to the Solicitor General, Jenny C. Ellickson, Attorney, Department of Justice, Washington, DC, for United States.

Justice BARRETT delivered the opinion of the Court.

141 S.Ct. 1652

Nathan Van Buren, a former police sergeant, ran a license-plate search in a law enforcement computer database in exchange for money. Van Buren's conduct plainly flouted his department's policy, which authorized him to obtain database information only for law enforcement purposes. We must decide whether Van Buren also violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."

He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.

I

A

Technological advances at the dawn of the 1980s brought computers to schools, offices, and homes across the Nation. But as the public and private sectors harnessed the power of computing for improvement and innovation, so-called hackers hatched ways to coopt computers for illegal ends. After a series of highly publicized hackings captured the public's attention, it became clear that traditional theft and trespass statutes were ill suited to address cybercrimes that did not deprive computer owners of property in the traditional sense. See Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N. Y. U. L. Rev. 1596, 1605–1613 (2003).

Congress, following the lead of several States, responded by enacting the first federal computer-crime statute as part of the Comprehensive Crime Control Act of 1984. § 2102(a), 98 Stat. 2190–2192. A few years later, Congress passed the CFAA, which included the provisions at issue in this case. The Act subjects to criminal liability anyone who "intentionally accesses a computer without authorization or exceeds authorized access," and thereby obtains computer information. 18 U.S.C. § 1030(a)(2). It defines the term "exceeds authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." § 1030(e)(6).

Initially, subsection (a)(2)’s prohibition barred accessing only certain financial information. It has since expanded to cover any information from any computer "used in or affecting interstate or foreign commerce or communication." § 1030(e)(2)(B). As a result, the prohibition now applies—at a minimum—to all information from all computers that connect to the Internet. §§ 1030(a)(2)(C), (e)(2)(B).

Those who violate § 1030(a)(2) face penalties ranging from fines and misdemeanor sentences to imprisonment for up to 10 years. § 1030(c)(2). They also risk civil liability under the CFAA's private cause of action, which allows persons suffering "damage" or "loss" from CFAA violations to sue for money damages and equitable relief. § 1030(g).

141 S.Ct. 1653

B

This case stems from Van Buren's time as a police sergeant in Georgia. In the course of his duties, Van Buren crossed paths with a man named Andrew Albo. The deputy chief of Van Buren's department considered Albo to be "very volatile" and warned officers in the department to deal with him carefully. Notwithstanding that warning, Van Buren developed a friendly relationship with Albo. Or so Van Buren thought when he went to Albo to ask for a personal loan. Unbeknownst to Van Buren, Albo secretly recorded that request and took it to the local sheriff ’s office, where he complained that Van Buren had sought to "shake him down" for cash.

The taped conversation made its way to the Federal Bureau of Investigation (FBI), which devised an operation to see how far Van Buren would go for money. The steps were straightforward: Albo would ask Van Buren to search the state law enforcement computer database for a license plate purportedly belonging to a woman whom Albo had met at a local strip club. Albo, no stranger to legal troubles, would tell Van Buren that he wanted to ensure that the woman was not in fact an undercover officer. In return for the search, Albo would pay Van Buren around $5,000.

Things went according to plan. Van Buren used his patrol-car computer to access the law enforcement database with his valid credentials. He searched the database for the license plate that Albo had provided. After obtaining the FBI-created license-plate entry, Van Buren told Albo that he had information to share.

The Federal Government then charged Van Buren with a felony violation of the CFAA on the ground that running the license plate for Albo violated the "exceeds authorized access" clause of 18 U.S.C. § 1030(a)(2).¹ The trial evidence showed that Van Buren had been trained not to use the law enforcement database for "an improper purpose," defined as "any personal use." App. 17. Van Buren therefore knew that the search breached department policy. And according to the Government, that violation of department policy also violated the CFAA. Consistent with that position, the Government told the jury that Van Buren's access of the database "for a non[-]law[-]enforcement purpose" violated the CFAA "concept" against "using" a computer network in a way contrary to "what your job or policy prohibits." Id., at 39. The jury convicted Van Buren, and the District Court sentenced him to 18 months in prison.

Van Buren appealed to the Eleventh Circuit, arguing that the "exceeds authorized access" clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have. While several Circuits see the clause Van Buren's way, the Eleventh Circuit is among those that have taken a broader view.² Consistent with its Circuit precedent,

141 S.Ct. 1654

the panel held that Van Buren had violated the CFAA by accessing the law enforcement database for an "inappropriate reason." 940 F.3d 1192, 1208 (2019). We granted certiorari to resolve the split in authority regarding the scope of liability under the CFAA's "exceeds authorized access" clause. 590 U. S. ––––, 140 S.Ct. 2667, 206 L.Ed.2d 822 (2020).

II

A

1

Both Van Buren and the Government raise a host of policy arguments to support their respective interpretations. But we start where we always do: with the text of the statute. Here, the most relevant text is the phrase "exceeds authorized access," which means "to access a computer with authorization and to use such access to obtain ... information in the computer that the accesser is not entitled so to obtain." § 1030(e)(6).

The parties agree that Van Buren "access[ed] a computer with authorization" when he used his patrol-car computer and valid credentials to log into the law enforcement database. They also agree that Van Buren "obtain[ed] ... information in the computer" when he acquired the license-plate record for Albo. The dispute is whether Van Buren was "entitled so to obtain" the record.

"Entitle" means "to give ... a title, right, or claim to something." Random House Dictionary of the English Language 649 (2d ed. 1987). See also Black's Law Dictionary 477 (5th ed. 1979) ("to give a right or legal title to"). The parties agree that Van Buren had been given the right to acquire license-plate information—that is, he was "entitled to obtain" it—from the law enforcement computer database. But was Van Buren "entitled so to obtain" the license-plate information, as the statute requires?

Van Buren says yes. He notes that "so," as used in this statute, serves as a term of reference that recalls "the same manner as has been stated" or "the way or manner described." Black's Law Dictionary, at 1246; 15 Oxford English Dictionary 887 (2d ed. 1989). The disputed phrase "entitled so to obtain" thus asks whether one has the right, in "the same manner as has been stated," to obtain the relevant information. And the only manner of obtaining information already stated in the definitional provision is "via a computer [one] is otherwise authorized to access." Reply Brief 3. Putting that together, Van Buren contends that the disputed phrase—"is not entitled so to obtain"—plainly refers to information one is not allowed to obtain by...