Van Buren and the Challenge of Reinterpreting the Computer Fraud and Abuse Act
Jacqueline Hillman | May 2021
Former Defense Secretary Ash Carter tours Amazon's Seattle headquarters in 2016.
henever that little box authorizing the use of our data pops up on a screen, most of us click it without hesitation. In a millisecond, our personal data is legally deposited in a digital archive, able to be accessed at the discretion of whichever firm we provide with the proper authorization. However, when this data is accessed for malicious purposes, a Pandora’s box of privacy and cybersecurity violations can be opened.
The Computer Fraud and Abuse Act: A Brief History
In order to safeguard citizens against data breaches and abuse of the databases containing such personal information, the Computer Fraud and Abuse Act (CFAA) was promulgated in 1986 as an extension of the 1984 Comprehensive Crime Control Act, which applied similar principles but restricted precedent to federal employees.
The original act provided both criminal legal pathways and civil legal remedies in response to breaches of “protected computers,” defined as computers used by or for the purpose of “a financial institution or the United States Government” as well as for “interstate or foreign commerce” or “part of a voting system.”
The development of more sophisticated, extensive databases of personal data, however, has rapidly expanded, necessitating an amendment to the CFAA in 2008. On a very rudimentary level, this amendment, under U.S. Code § 1030(a)(1), expressly prohibits intentional access of a computer without proper authorization.
Cybercrime penalties under the CFAA are fairly harsh, as first time offenses are punishable with up to five years of jail time, with more severe violations entailing sentences of up to twenty years and even the potential for life imprisonment. Despite the severity of potential punishment for violation of the CFAA, significant questions still exist regarding its application, especially in a criminal setting, weakening its present application and interpretation in cybercrime cases.
Van Buren v. United States
The aforementioned questions usually stem from the prevalence of ambiguity in the language of the CFAA, the most notable instance being the question of what it means to be an “authorized” user of a computer.
Last November, the Supreme Court heard oral arguments in the case Van Buren v. United States, and the pending decision is anticipated to provide legal precedent as to whether a user authorized to use a computer for one purpose is in violation of the CFAA if they access it for another, improper purpose. Lower federal district court opinions regarding this question were almost evenly split on the issue,with the First, Fifth, Seventh, and Eleventh Circuits determining a violation and the Second, Fourth, and Ninth circuits finding no violation. Due to the ambiguity of the CFAA, this question of authorization necessitates legislative reform, so that the policy can be applied to more complex, multi-dimensional cases such as Van Buren.
In Van Buren, petitioner Nathan Van Buren, a former Georgia police sergeant, was convicted of a violation of the CFAA and sentenced to 18 months in prison, a trial court decision that was upheld in Van Buren’s initial appeal. Legal action was taken against Van Buren for accessing the Georgia Crime Information Center database, which he was authorized to access, and acquiring data on a license plate number after being bribed for $6,000 by FBI informant Andrew Albo. The question before the court in Van Buren concerned the use of the CFAA as grounds for conviction, as Van Buren’s job specifically entailed authorized access to the data for warranted police use.
Arguments Surrounding the CFAA
Although no formal opinion has been rendered in the case, as it is still pending adjudication, a key component of oral argument illuminates potential implications that this case will have on cybersecurity.
At one point, Justice Thomas inquired about the argument that a higher clearance level warrants the type of access that does not violate the authorization clause of the CFAA, while a lower clearance level would not. I refer to this argument as the “clearance level” argument.
Thomas challenged this argument by claiming that if someone’s clearance level limits their authority to access information, such authority can also be limited based on how that information is used once accessed. In explaining himself, Thomas provided this hypothetical situation: “you work for a car rental and you have the access to the GPS, but rather than use it to determine the location of a car that may be missing, you use it to follow a spouse, or as in this case, the... use of the information is a problem.” Such a hypothetical nullifies the clearance level argument in proving that an individual’s clearance level in accessing classified information is not the only issue to consider in data privacy; one must additionally look at whether the information is used maliciously or illegally once accessed.
The plaintiff’s response to this inquiry, however, underscores an important distinction in the usage of the CFAA to prosecute the defendant in the hypothetical GPS case. Plaintiff’s representation, Jeffery Fisher, states: “Now it may be a breach of company policy. It may be -- in the case of the stalking example that the government gives in its brief like that, it may be a different crime, but the question in... front of you here is whether it violates the CFAA as enacted and existing right now.”
This response poses an interesting distinction between private corporate policies against data breaches and legal grounds for similar actions. Amicus briefs filed by individuals and organizations in Van Buren express an overwhelming concern for the fate of personal privacy if the ruling overturns Van Buren’s conviction under the CFAA. But the issue at hand is far more nuanced in its implications for technological and corporate innovations.
Effects on Innovation
The unfortunate reality of our legal system is that it is slow-moving, and extensions of jurisprudence to consumer privacy protection issues can be drawn out, failing to keep up with the pace of innovation in data usage and storage. Thus, it is crucial to evaluate the best mode of restricting data use from several perspectives. For instance, private corporate policies may be more effective in creating privacy procedures and protections that best suit the specific technologies used by their employees or customers. Sweeping legal reforms may not be able to anticipate the nuances and gray areas that come with new and evolving technologies and data uses.
I believe that a combined approach of an overarching policy geared at public agencies with more flexibility in similar cases at a private corporate level is the best course of action to remedy these issues and uphold privacy protections. Perhaps Van Buren is not the venue in which to determine application, and the legislative branch might need to lead reform to address these concerns. Alternatively, an opinion affirming conviction in Van Buren may bring the judicial impetus for legislative reform and amendment to the CFAA, whose protections are too outdated and unidimensional to confront malicious breaches of privacy. Regardless, this case, bringing the ambiguity of the CFAA to the Supreme Court, highlights valid concerns regarding cybersecurity, especially in our digital paradigm, in which data usage and collection are becoming increasingly complex.