Supreme Court limits broad reading of Computer Fraud and Abuse Act

In a 6-3 decision on Thursday, the US Supreme Court held that a former police sergeant did not violate the 1986 Computer Fraud and Abuse Act (CFAA) when he used his patrol car computer to access a police database for personal purposes.

Sergeant Nathan Van Buren was paid $5,000 by an FBI informant to run a license plate number through a law enforcement database. Van Buren was arrested and charged with a felony violation of the CFAA, under which it is illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Van Buren argued that the statute’s phrase “exceeds authorized access” applies only to persons who obtain access to information to which their authorized access does not extend, not to those such as himself, who merely misuse their authorized access.

Justice Amy Coney Barrett, writing for the majority, held that the plain meaning of the text of the statute aligns with Van Buren’s argument. In particular, the word “so” in the phrase “entitled so to obtain” refers to information that one is not allowed to access using a computer that one is authorized to access. By this reasoning, Van Buren’s search, while a misuse of his authority, was not a violation of the CFAA because he is authorized to access the license information on his computer. Barrett’s opinion was joined by Justices Breyer, Kagan, Sotomayor, Kavanaugh, and Gorsuch.

Justice Thomas, joined by Chief Justice Roberts and Justice Alito, dissented from the decision. Thomas agreed with Van Buren’s understanding of the word “so,” but contends that the word “entitled” is “circumstance dependent,” and in this particular circumstance, the fact that Van Buren was searching the database for his own personal gain invalidated his entitlement to do so.

The decision places a limit on a broad reading of the CFAA that the Department of Justice has relied on in recent years.