What would happen if seemingly innocuous things almost everyone does at work suddenly became a serious violation of federal law?
March Madness, the NCAA Division 1 Men’s Basketball is a big deal. One of the biggest American sporting events of the year, it not only keeps people glued to their televisions—it has a big effect on US worker productivity.
Challenger, Gray & Christmas, the Chicago-based executive outplacement firm, has estimated that March Madness causes about a $13.3 billion loss of productivity for the American workforce.
In fact, various sports streaming services offer the so-called “Boss Button”—a sneaky feature that allows workers watching March Madness games to press a button that instantly turns the games on their computer screens into a spreadsheet, or some other responsible work product, when the boss walks by.
At the same time, banks have offered countless new online resources, TikTok has become an internet sensation, and streaming services provide endless entertainment for online consumption.
Of course, in our 21st Century world, you can do all these things with the work devices you’re using every day anyway.
But are sports-watching slackers and bank balance checkers violating federal law?
The US Supreme Court has decided to hear the issue. On April 20, the High Court granted certiorari in Van Buren v. United States, No. 19-783 (U.S. Apr. 20, 2020). The issue presented is: Does a person who is authorized to access information on a computer for certain purposes violate Section 1030(a)(2) of the Computer Fraud and Abuse Act (CFAA) of 1986, 18 U.S.C. § 1030, if she accesses the same information for an improper purpose?
Not only is it the first time in the law’s 34-year history that the US Supreme Court has reviewed the CFAA, it addresses a 4-3 circuit split on the issue.
Andrew Albo apparently engaged in some rather unsavory practices. In an alleged scheme, Albo paid prostitutes to spend time with him—but then he would call the police, claiming the women had stolen the money he gave them.
As a result of these practices, Albo claimed to fear retaliation from these women, so he asked local police officers in Cummings, Georgia, to run computer searches of allegedly suspicious license plates.
In 2015, one Cummings police officer, Nathan Van Buren, got into financial difficulty and asked Albo for a loan. Unbeknownst to Van Buren, Albo—demonstrating the same questionable ethics he displayed with the ladies of the evening—recorded all their conversations, and turned the recordings over to local sheriffs, who, in turn referred the matter to the Cummings Police Department, who, in turn, referred to matter to the FBI.
The FBI then set up a sting operation to “test how far Van Buren was willing to go for money.” The FBI invented a favor for Also to ask of Van Buren in exchange for the loan.
Federal agents instructed Albo to ask Van Buren to run a computer search for the supposed license plate number of a dancer at a local erotic dancing establishment. The FBI told Albo to tell Van Buren that he liked the fictitious dancer but wanted to know if she were an undercover police officer before pursuing a relationship with her.
Unfortunately for Van Buren, he took the bait and the $5,000. In fairness to Officer Van Buren, we should note he offered to pay the money back and told Albo, “I’m not charging for helping you out.”
However, Van Buren did access the Georgia Crime Information Center (GCIC) database, which contains license plate and vehicle registration information. As a law enforcement officer, Van Buren was authorized to access this database “for law-enforcement purposes,” but not to run license checks on potential love interests.
Federal prosecutors charged Van Buren with one count of felony computer fraud, in violation of 18 U.S.C. § 1030 of the CFAA, as well as honest services fraud. Van Buren moved for a judgment of acquittal on the CFAA count, arguing that accessing information for an improper or impermissible purpose does not “exceed authorized access” as meant by Section 1030(a)(2) of the CFAA.
Prosecutors conceded that there was a circuit split with various US Circuit Courts of Appeals divided on the issue. However, the government countered that the Eleventh Circuit’s decision in United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), required the district court to reject Van Buren’s argument.
The trial court agreed, following Rodriguez and prosecutors’ argument that a defendant violates the CFAA not only when he obtains information that he has no rightful authorization to acquire, but also when he obtains information for a nonbusiness purpose.
A jury convicted Van Buren, and he was sentenced to 18 months in prison. He appealed to the 11th Circuit, but the appellate court affirmed, rejecting Van Buren’s argument that he was innocent of computer fraud because he accessed only databases that he was authorized to access. As we noted above, the US Supreme Court granted certiorari on April 20.
The question is not an easy one. As noted above, it’s created a circuit split among various US Circuit Courts of Appeals.
The disagreement among the US Courts of Appeals on this issue of whether a person with permission to access information on a computer violates the CFAA when he accesses that information for an improper purpose is a 4-3 circuit split, with 11th Circuit siding with the 1st, 5th, and 7th Circuits.
On the other hand, the 2d, 4th, and 9th Circuits disagree and side with Van Buren’s interpretation of the CFAA.
In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the 9th Circuit wrote: “reading the CFAA to cover ‘use restrictions’ and thereby to reach activities routinely prohibited by many computer-use policies would improperly turn millions of ordinary citizens into criminals.”
Likewise, in a case involving a New York City police officer who accessed the National Crime Information Center (NCIC) database, which he was authorized to access, but who did so to look up records on acquaintances, United States v. Valle, 807 F.3d 508 (2d Cir. 2015), the 2d Circuit rejected the argument that people authorized to access computer databases violated the CFAA if they accessed them for improper purposes.
“The CFAA is indeed limited to situations where the user does not have access for any purpose at all,” the 2d Circuit wrote in Valle.
As the Electronic Frontier Foundation (EFF) argued in its Amicus brief supporting Van Buren, “The CFAA’s historical and statutory context establishes that Congress sought to ‘prevent intentional intrusion onto someone else’s computer—specifically, computer hacking.’”
However (and not surprisingly), US Department of Justice guidance differs from the EFF’s position. In its educational manual, Prosecuting Computer Crimes, the Justice Department states: “The legislative history of the CFAA reflects an expectation that persons who ‘exceed authorized access’” will be insiders (e.g., employees using a victim’s corporate computer network).”
Why Van Buren Matters
The Computer Fraud and Abuse Act was passed with a noble goal, but has it run amok here?
Van Buren is an important case. It’s the first time the US Supreme Court has reviewed the CFAA, and it should resolve a 4-3 circuit split in which US Circuit Courts of Appeal disagree on the reach of the CFAA.
Is the law limited to actual cases of computer hacking, as Van Buren argues? On the other hand, perhaps the 11th Circuit had it right in Rodriguez based on the language of the law.
What about legislative intent? Did Congress really intend to make it a federal crime for Sally to check sports scores and Bill to check his bank balance on their work computers?
Some would argue we should look at the clear and unambiguous language of the statute.
Section 1030(a)(2) of the CFAA provides, “whoever intentionally accesses a computer without authorization or exceeds authorized access …” (emphasis added).
As the Rodriguez court wrote, “a person with access to a computer for business reasons exceeds his authorized access” whenever he “obtains ... information for a nonbusiness reason.” The Eleventh Circuit held that “the plain language of the Act” required this result.
But, is this really what Congress intended when it passed the CFAA?
Legislative intent is an important component of legal analysis, and there’s a reasonable argument to be made that Congress was going after hackers—not people using their work computers to play Solitaire, order on Amazon Prime, or check sports scores, or even police officers running people’s plates.
If that’s the case, why didn’t they just write the law that way?
It wouldn’t be the first time a legislative body has engaged in clumsy drafting. Of course, if one follows the legal reasoning of the 1st, 5th, 7th, and 11th Circuits, there was no clumsy drafting at all. Congress wrote exactly what it intended, and people checking sports scores on work computers are violating the law.
If the Supreme Court sides with the government in Van Buren, one possible fix would be for employers to change their computer use policies to allow some personal use. Realizing the inevitability of people using their work computers for personal use, some employers have these policies in place today.
Whichever way the High Court decides, the holding will matter—and maybe someday, Congress will give us new laws so our data law isn’t based on laws from the 1980s. In the process, Congress can make the world safe for March Madness.