by: GUEST BLOGGER Matt Dodge
For the second time in our nation’s history, a public servant named Van Buren is headed to Washington, D.C. Martin Van Buren occupied the White House more than 150 years ago as the eighth President of the United States. And now Nathan Van Buren, a police sergeant from Cumming, Georgia, will be at the United States Supreme Court next term.
On Monday, the Court granted Van Buren’s writ of certiorari, a writ signed by Rebecca Shepard of the Federal Defender Program, Saraliene Durrett of our CJA panel, and Jeffrey L. Fisher, Pamela S. Kaplan, and Brian H. Fletcher of the Stanford Law School Supreme Court Litigation Clinic.
The certiorari petition in Van Buren v. United States presents the following question: “Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.”
Put another way: If, with your work computer, you use the internet to do something beyond the express mission of the job, have you committed a federal crime?
Van Buren, as a police sergeant, knew a local ne’er-do-well named Albo, who often invited prostitutes to his home, only to call the police and claim the women stole his money. Albo became an FBI informant and worked to set up Van Buren, who was supposedly low on money, by paying him to use his work computer as a personal favor to Albo.
As a law enforcement officer, Van Buren was permitted to access driver’s license and license plate information on the Georgia Crime Information Center’s computer database. Albo (and FBI agents) knew that. He asked Van Buren to run the tag of a (fictitious) local exotic dancer who caught his eye. Although Albo tried to pay Van Buren in cash, Van Buren demurred. But he did run the woman’s tag number in the GCIC database and offered to share what he learned with Albo. That was his downfall here. Or was it?
Under the CFAA, “[w]hoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information” from a “protected computer” commits a federal crime. 18 U.S.C. § 1030(a)(2). A “protected computer” is one “used in or affecting interstate or foreign commerce or communication”—in other words, any “computer with Internet access.” The phrase “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).
The federal government indicted Van Buren for violating the CFAA. Although Van Buren’s job permitted (even required) him access to the GCIC database “for law-enforcement purposes,” the government indicted him for using the database for “non-business reasons.” At trial in front of Judge Orinda D. Evans, Van Buren’s FDP lawyers argued that Van Buren was not guilty of violating the statute because, as a law enforcement officer, he was authorized to access the GCIC database. Under the law, they said, it did not matter why he accessed the database. The district court and the Eleventh Circuit demurred. The appeals court affirmed the conviction because it was enough that Van Buren ran the tag for “inappropriate reasons.”
There is a 4-3 circuit split on this question. The Eleventh Circuit says a person violates § 1030(a)(2) if he uses a computer to access information that he is otherwise authorized to access but does so for an improper purpose or “non-business reason.” The Eleventh Circuit is not alone—the First, Fifth, and Seventh Circuits agree that a person violates the law when he uses a work computer for a purpose his employer prohibits. (Um, Van Buren asks in his petition, what about our ubiquitous NCAA March Madness brackets?)
On the other end of the circuit split, the Second, Fourth, and Ninth Circuits each say that a person violates the CFA only if he accesses information on a computer that he is prohibited from accessing at all, no matter his reason.
In the end, Van Buren tells us why the majority’s rule is so dangerous not only to himself, but to all of us: “Reading the statute more broadly would criminalize ordinary computer use throughout the country.” What about corporate or university policies on computer use for employees and students? Under our home circuit’s view of the statute, “[a]ny trivial breach of such condition[s]—from checking sports scores at work to inflating one’s height on a dating website—is a federal crime.” Or maybe it’s not. The Court will hear argument early next term.