Embedded Files
by
Laila Mohammed Ali
CyJurII Scholar
Citation Number: 593 U.S. (2021).
Facts
Nathan Van Buren, a police sergeant in Georgia, had authorized access to a law enforcement database. He was approached by an acquaintance (Andrew Albo) who offered him 5000$ to run a license plate search in the database, ostensibly to check if the car owner was an undercover police officer.
Although Van Buren had legitimate access credentials, the purpose of this search was personal and corrupt, not tied to his official duties.
The Federal Government charged him under the Computer Fraud and Abuse Act of 1986 (CFAA), claiming that by using the database for an improper purpose, he had “exceeded authorized access,” a clause of 18 U.S.C. §1030, and sentenced him to 18 months in prison
Issue
The central issue was:
Does a person “exceed authorized access” under the CFAA if they use information from a computer system that they are otherwise entitled to access, but for an improper or unauthorized purpose?
Rules
Under the CFAA, “exceeds authorized access” is defined as:
1. Accessing a computer with authorization and obtaining information from areas of the computer that the person is not entitled to access.
- The statute distinguishes between (1) someone who has no authorization and hacks into a system, and (2) someone who crosses boundaries by entering restricted areas of the system
Application
• Van Buren did have authorized access to the law enforcement database.
• He did not access any restricted area of the system that was off-limits to him.
• Instead, he misused information he was already entitled to see for a corrupt reason (money).
• The government argued that misuse of access equals exceeding authorized access.
• The Supreme Court rejected that interpretation, ruling that the CFAA does not criminalize misuse of information, only accessing parts of a system you are not permitted to enter.
Conclusion
The Court held that Van Buren did not “exceed authorized access” under the CFAA, and the conviction under the CFAA was overturned.
The Court clarified that the CFAA targets hacking into restricted areas of computer systems, not every misuse of authorized access.
The Case`s Impact on Cyberlaw and Society
1. Limiting Over-criminalization
Before this ruling, the CFAA was sometimes interpreted broadly, allowing prosecutors to treat violations of workplace policies or improper uses of data as hacking crimes.
The Court’s decision prevented ordinary computer users and employees from facing criminal liability for relatively minor misuses, such as checking sports scores or social media on a work computer.
2. Clarifying Boundaries Between Ethics and Criminality
Misusing data for personal gain may be unethical or corrupt, but it is not necessarily “hacking” in a legal sense.
This ruling draws a sharp line: hacking means crossing into forbidden digital territory, not merely abusing access rights.
3. Impact on Cybersecurity Practices
Companies must now clearly define access boundaries within their systems. If employers want to restrict employees, they must use technical restrictions (access controls, permissions).
4. Encouraging Responsible Whistleblowing & Research
Ethical hackers, researchers, or employees who access permitted data but use it in controversial ways may now be safer from criminal prosecution.
This supports transparency and reporting of vulnerabilities without the fear of being prosecuted under an overly broad law.
5. Raising the Bar for Prosecutors
Prosecutors must now show that the accused actually entered a restricted digital space, not merely that they acted improperly with data. This narrows the scope of the CFAA and forces more precise application.
Page updated
Google Sites
Report abuse