Yesterday the Supreme Court issued a decision in Van Buren v. United States, No. 19-783, ruling that a police officer did not violate the Computer Fraud and Abuse Act (“CFAA”) when he obtained information from a law enforcement database that he was permitted to access, but did so for an improper purpose. In so ruling, the Court adopted a relatively narrow reading of the CFAA, and partially resolved a years-long debate concerning the scope of liability under the CFAA.
The CFAA prohibits, inter alia, “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] information from any protected computer.” 18 U.S.C. § 1030(a)(2). What it means to “exceed authorized access” has been the subject of disagreement among lower courts: Some have concluded that this term refers to accessing areas of a computer that the user is not permitted to access under any circumstances—e.g., a student accessing her university’s database of grades that is restricted to only administrator use. Others have concluded that this term also encompasses individuals who are permitted to access an area of a computer for certain purposes, but they do so for an improper purpose—e.g., an administrator accessing the university’s database of grades that she is generally permitted to use, but she does so for the improper purpose of blackmailing a student.