Van Buren v United States (2021) was a United States Supreme Court case dealing with the Computer Fraud and Abuse Act (CFAA) and its definition of "exceeds authorized access" in relation to one intentionally accessing a computer system they have authorization to access. In June 2021, the Supreme Court ruled in a 6–3 opinion that one "exceeds authorized access" by accessing off-limit files and other information on a computer system they were otherwise authorized to access. The CFAA's language had long created a circuit split in case law, and the Court's decision narrowed the applicability of CFAA in prosecuting cybersecurity and computer crime.
Background.
The Computer Fraud and Abuse Act (CFAA) is a federal law passed in 1986 to strengthen laws around unauthorized access to computer systems. The law was passed partially based on fears from Congress members who saw the 1983 film WarGames. Among its core statutes at 18 U.S.C. § 1030(a)(2) is that intentionally accessing a computer system "without authorization or exceeds authorized access" to obtain protected information, financial records, or federal government information is considered a federal crime that can include fines and imprisonment as a penalty.
The exact definition of "exceeds authorized access" is not clear and created a 4–3 circuit split of cases at the Circuit Courts. In the First, Fifth, Seventh, and Eleventh Circuits, the courts upheld a broad view of the statement, that accessing a computer with authorization but for an improper purpose is a violation of the CFAA. The Second, Fourth, and Ninth Circuits took a more narrow view that a violation only occurs if the authorized user accesses information they were prohibited from accessing.
Because of the case law split, there has been debate on whether the language should be treated narrowly or broadly between cybersecurity researchers and law enforcement among others. For cybersecurity practitioners, a narrow interpretation of "exceeds authorized access" language in §1030(a)(2) would allow them to better conduct work identifying and resolving security problems with computer hardware and software as to make the Internet safer. The vagueness of the statute otherwise puts these job functions at risk. Law enforcement and the U.S. government in general prefer a broader interpretation as this allows them to prosecute those who use hacking to bring down or take advantage of insecure systems under the CFAA. There are additional concerns as the language of CFAA, if broadly interpreted, could apply to commonly-accepted activities at businesses or elsewhere, such as using office computers for browsing the web. Jeffrey L. Fisher, a law professor at Stanford University who represents the petitioner in the present case, states that the law's language is outdated with modern computer usage, and its broad interpretation " a crime out of ordinary breaches of computer restrictions and terms of service that people likely don’t even know about and if they did would have no reason to think would be a federal crime."
