Supreme Court Narrows Cybercrime Law

Last week the Supreme Court decided an important case concerning the scope of the federal government’s main cybercrime law, the Computer Fraud and Abuse Act. I wrote this post about the case, Van Buren v. United States, late last year when it was argued. As I expected, the Court has ruled in favor of the defendant and rejected the government’s sweeping interpretation of the CFAA. That was a welcome development — but the Supreme Court’s Van Buren decision leaves unresolved at least one important question concerning what kinds of computer-related misconduct might still be subject to prosecution.

Van Buren’s Prosecution

This case involves a particular subsection of the CFAA, 18 U.S.C. §1030(a)(2)(C). Under that subsection, a person commits a crime if he “accesses a computer without authorization or exceeds authorized access, and thereby obtains information” from that computer. The term “exceeds authorized access” is further defined to mean, “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6). The key issue in the case was what it means to “exceed authorized access” under this provision.

Nathan Van Buren was a police officer in Cumming, Georgia.  In exchange for a bribe, he searched a police database for a vehicle license plate number. The person who paid the bribe, Andrew Albo, told Van Buren the car belonged to a woman he had met and he wanted to be sure she was not an undercover police officer. Van Buren knew that, pursuant to police department policy, he was allowed to use the database only for legitimate law enforcement purposes. What he didn’t know was that Albo was actually cooperating with the FBI in an undercover investigation.

Van Buren was convicted for violating section 1030(a)(2). There was no question he was authorized to access the police database. But the government argued Van Buren had exceeded his authorized access, and thereby obtained the license plate information, by performing the search for an improper purpose – namely, in exchange for a bribe.

Van Buren argued that the CFAA is primarily a computer hacking statute. He claimed the prohibition against exceeding authorized access criminalizes obtaining information from a computer only when a person has no right at all to access that information. It does not apply to obtaining otherwise accessible information for an improper reason – which is what Van Buren did when he ran the license plate number, in a database where he was authorized to be, in exchange for a bribe.

The government had argued for a broader interpretation. It claimed the prohibition against exceeding authorized access applies whenever a defendant was not entitled to obtain the information under the circumstances in which he did — even if he could have properly obtained that same information under other circumstances. Here, Van Buren was authorized to access the database to obtain license plate information for legitimate police purposes. But, the government argued, he exceeded his authorized access when he searched that same database in exchange for a bribe.

Justice Amy Coney Barrett

The Court’s Decision

Writing for a 6-3 majority, Justice Barrett found that Van Buren had the better of the argument. Much of the opinion is devoted to a detailed parsing of the statutory language. But in the end, it mostly came down to the meaning of one little word: “so.” 

The statutory definition of “exceeds authorized access” prohibits obtaining information that the defendant is not entitled “so to obtain.” The word “so,” Barrett wrote, requires an antecedent; it necessarily refers back to a “word or phrase already employed.” In this statute, she wrote, the antecedent is the act of accessing of a computer. “So to obtain” therefore refers to obtaining information by accessing a computer, as opposed to by some other means. Because Van Buren was authorized to obtain license plate information from this database, he was authorized “so to obtain” the information that he did. Doing so for an improper reason did not exceed his authorized access within the meaning of the statute.  

The government had argued that “so to obtain” prohibits any obtaining of information under circumstances or conditions that were not authorized. The problem with the government’s approach, Barrett wrote, is that  “the relevant circumstance—the one rendering a person’s conduct illegal—is not identified earlier in the statute. Instead, ‘so’ captures any circumstance-based limit appearing anywhere—in the United States Code, a state statute, a private agreement, or anywhere else.”  But, she wrote, the word “so” is not a “free floating term that provides a hook for any limitation stated anywhere.” Van Buren’s approach, which links the word “so” to a specific statutory provision, is the more logical reading of the statute.

Hackers and Gates

The majority agreed with Van Buren that this portion of the CFAA is concerned with “hackers” — a term that the Court uses rather loosely. The prohibition against accessing a computer without authorization applies to “outside hackers,” those who break into a computer system from the outside. The prohibition against exceeding authorized access complements this provision “by targeting so-called inside hackers—those who access a computer with permission, but then ‘exceed’ the parameters of authorized access by entering an area of the computer to which [that] authorization does not extend.” Van Buren was not an “inside hacker,” however, because he did have authorization to be in that database.

The majority also described this approach as a “gates up or gates down” analysis: “one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” The CFAA is violated when an individual breaches one of these “gates” without authorization. It is not violated when an individual is authorized to open the gate but does so for an improper reason.

The Parade of Horribles

Justice Barrett concluded by noting that the government’s position, if adopted, “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” Much of the oral argument last November had focused on this so-called “parade of horribles.” Van Buren argued that under the government’s interpretation an employee would violate the CFAA by using a work computer for personal emails or online shopping if that was prohibited by company policy. Violating a website’s terms of use policy might also qualify, which could criminalize conduct such as lying in an online dating profile. In short, she concluded, “If the ‘exceeds authorized access’ prohibition criminalizes every violation of a computer use policy, then millions of otherwise law-abiding citizens are criminals.”

“In sum,” Barrett concluded, “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer— such as files, folders, or databases—that are off limits to him.” Because Van Buren did have authority to be in this police database, his use of that database in a way contrary to police department policy did not violate the CFAA.

Justice Thomas
Justice Clarence Thomas

The Dissent

Justice Thomas dissented, joined by Chief Justice Roberts and Justice Alito. He argued that the plain language of the statute resolved the case. “An ordinary reader of the English language,” he wrote, would agree that Van Buren exceeded his authorized access when he used the police database for an improper purpose. Thomas also argued the majority’s interpretation was contrary to traditional common-law property rules that criminalize the behavior of someone authorized to use another’s property who then exceeds the scope of that authorization.

Thomas noted that the majority’s interpretation placed a great deal of misconduct out of reach of the CFAA. Suppose, he argued, a scientist was authorized to obtain blueprints for atomic weapons under some circumstances. According to the majority, that scientist would therefore be “immune” if he obtained those blueprints for the improper purpose of helping an enemy power.

Finally, Thomas rejected the parade of horribles argument, suggesting that such concerns were speculative and far-fetched: “I would not give so much weight to the hypothetical concern that the Government might start charging innocuous conduct and that courts might interpret the statute to cover that conduct.”

Analysis of the Opinion

As I argued in my earlier post, I think the majority got it right here. Its interpretation is most in line with the overall purpose of the CFAA: preventing unauthorized intrusions into computer files owned by others. And it avoided the interpretation that would have made unwitting criminals of the vast majority of computer users – whether or not such cases would ever be prosecuted. Ruling against Van Buren would have turned the CFAA into a draconian personnel regulation.

I was surprised that the rule of lenity did not come into play in the majority’s decision. Frequently invoked in white collar cases, the rule provides that if there is any ambiguity in a criminal statute the court will err on the side that favors the defendant. It’s based on the rule that due process requires criminal prohibitions to be clear so people can know what is and is not permissible. The majority dismissed the rule of lenity as unnecessary, stating its interpretation was so clearly correct reliance on the rule was unnecessary. In a complex statutory case decided 6-3, I think that displays a certain — lack of humility.  Shocking, I know.

Scene from Casablanca

As for Justice Thomas’s arguments about property law, the majority reasonably pointed out that common law property doctrines – many of which have their roots in medieval England – don’t necessarily adapt well to the area of cybercrime. Better to focus on the precise definitions in this particular statute, which deals with a very specialized area.

Thomas’s concern about the nuclear scientist who sells weapons blueprints being “immune” from liability is not well-founded. Such wrongdoers are not immune; other statutes, such as those against espionage, would easily cover that criminal conduct. There is no need to stretch the boundaries of the CFAA to cover it as well. Van Buren engaged in misconduct and deserved to be punished, but a conviction under the CFAA is far from the only way to do that.

When it comes to the parade of horribles, here I am more inclined to agree with the dissent. Many white collar statutes potentially encompass relatively trivial conduct that, in the real world, is never prosecuted. It’s unlikely that if the case had gone the other way we would have seen a wave of prosecutions of employees for unauthorized Facebook use at work. But here Thomas was swimming against the tide of a Supreme Court trend. In a series of recent decisions the government has argued for broad interpretations of criminal statutes by saying essentially, “trust us – even if this interpretation might criminalize some trivial conduct, we won’t bring those cases.” The Court has refused to go along. Van Buren is in accord with this line of cases.

The 6-3 Breakdown

The breakdown of the Justices in the majority and dissent is interesting.  The newest, Trump-appointed Justices – Barrett, Kavanaugh, and Gorsuch – joined with the liberals – Breyer, Sotomayor, and Kagan – to form the majority. The other three conservatives – Thomas, Roberts, and Alito – were the dissenters.

Most of the conservatives on the Court profess to be textualists, whose decisions are driven primarily by the plain words of a statute. Indeed, Justice Barrett began her analysis by stating: “we start where we always do: with the text of the statute.” Both of the opinions seek support from the same book on statutory interpretation, which was co-authored by the late Justice Scalia, the father of modern textualism. The competing opinions are an interesting study in how even committed textualists can disagree over what the statutory language actually requires.

Some might also have expected the Trump appointees to vote to expand prosecutorial power, not to restrain prosecutors and free a criminal defendant. But decisions in criminal cases frequently do not break down along such ideological lines. Scalia, who is revered by today’s conservative Justices, was a strong voice against the expansive reading of criminal statutes and often ruled in a defendant’s favor. The Van Buren majority’s approach to the case is in the finest Scalia tradition.

gate

What Kind of Gate Will Suffice?

The Van Buren decision does leave one major question unanswered. As noted above, the majority adopts a “gates up, gates down” analysis: the question is whether the defendant was authorized to be inside a particular file, database, or folder, or whether that area of the computer was off limits. But it did not answer a key question: what kind of “gate” will satisfy the statute?

Computer crime expert professor Orin Kerr argued in an amicus brief that the CFAA requires a technological gate. The information must be protected by a password or similar electronic barrier that the defendant breached, or “hacked,” without authorization, even if he was otherwise authorized to be inside the computer system that contained that information. But there are other possible kinds of gates as well, such as those imposed by a contract or office policy.

For example, consider an employee at a large company who works in the purchasing department. He is authorized to access the areas of the company’s computer system that relate to his job, but is not authorized to access employee personnel records that are contained within the same system. If those personnel records are contained in a separate folder that requires a unique password, that would be a technological “hard gate.” If the employee steals that password to access the records, he would exceed his authorized access by breaching that gate.

Now suppose the personnel folder does not require a separate password but is potentially accessible to anyone already inside the company’s computer system. But company policy and the employee handbook clearly prohibit any employee not working in human resources from accessing the personnel folder. If our employee in purchasing accesses the personnel records in violation of that policy, he has breached a “soft gate” – in this case, one imposed not by technology but by a written requirement.

In footnote eight of the opinion, the Court (while citing Professor Kerr’s brief) expressly says it is not resolving this question: “For present purposes, we need not address whether this inquiry turns only on technological (or “code-based”) limitations on access, or instead also looks to limits contained in contracts or policies.” But for now it appears either kind of limit would qualify under the majority opinion. The dissent also interprets the majority opinion that way, arguing that under the majority’s approach an employee could be prosecuted for playing a game of solitaire if company policy prohibited him from opening the “games” folder on his work computer.

The majority opinion and the metaphor of a “gate” suggest there does have to be some kind of barrier or partition, even if that only consists of storing the information in a separate file or folder. It envisions a computer system with different compartments or areas of data. Exceeding authorized access would mean the information obtained would not automatically be accessible to the employee based on his level of access, and he would have to take some additional step to reach it – which could mean simply clicking on a different folder. But exactly what kind of barrier would suffice, and whether some more significant steps by the employee would be required, is left unclear.

Portions of the majority opinion, such as the reference to those who exceed authorized access as “inside hackers,” do imply some kind of technological barrier or hard gate. The majority also criticized the dissent’s interpretation of “so” in part because it could make criminality turn on external factors like office policies outside the statute itself. But if a soft gate is sufficient to define the limits of an employee’s access, then the same issue arises; it’s simply been bumped from the definition of “so” to the definition of “authorized.” That might suggest the majority would require a hard gate if confronted with a case squarely raising that question.

But all that being said, it’s hard to find the requirement of a password or other technological gate in the definition of “authorized.” If an employee opens a folder that his contract or office policy forbid him to open, his actions seem pretty clearly “unauthorized,” even if no stolen password is required.

A requirement of a technological gate to define the scope of authorization would be much cleaner and easier to enforce. But we will have to await future court decisions – or a clarifying amendment by Congress – to learn whether that is required by the statute.

Like this post? Click here to join the Sidebars mailing list

Supreme Court Poised to Limit Computer Fraud Statute

Suppose your employer prohibits using the company computer system for personal purposes. You’re aware of the policy but you’re also a little behind on your Christmas shopping, so while logged in at work you spend some time on Amazon buying gifts. If your boss found out you might expect to be reprimanded, maybe even fired. You probably wouldn’t think you were potentially subject to federal prosecution. But under a legal theory advanced by the government before the U.S. Supreme Court last week in Van Buren v. United States, your holiday shopping could indeed be a crime. Fortunately, the Court seems poised to reject the government’s approach.

computer hacker

The Computer Fraud and Abuse Act

The criminal law in question is called the Computer Fraud and Abuse Act, or CFAA, 18 U.S.C. §1030.  The CFAA is the primary federal statute used to prosecute computer-related crime. It’s a complicated statute with a number of different sections. But in general, the CFAA prohibits breaking into a computer to harm that computer or steal information, commonly known as hacking. It prohibits sending malicious code or viruses that damage a computer or that allow the sender to obtain information without authorization — including “phishing” schemes. The CFAA also prohibits trafficking in computer passwords and extortion by threats to harm a computer or the information it contains.

A high-profile recent case involving the CFAA was the July, 2018 indictment brought by special counsel Robert Mueller of twelve Russian intelligence officers for computer hacking related to the 2016 presidential election. The indictment charges that the Russian agents hacked into computers and email accounts used by scores of individuals and organizations associated with the Hillary Clinton campaign and other Democratic organizations. The lead charge in that indictment: conspiracy to violate various provisions of the CFAA.

Van Buren v. United States

The Van Buren case argued before the Court last week involves a particular subsection of the CFAA, 18 U.S.C. §1030(a)(2)(C). Under that subsection, a person commits a crime whenever he “accesses a computer without authorization or exceeds authorized access, and thereby obtains information” from that computer. The term “exceeds authorized access” is further defined to mean, “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6). The issue in Van Buren is the proper interpretation of the term, “exceeds authorized access.”

The defendant, Nathan Van Buren, was a police officer in Cumming, Georgia.  As part of an FBI sting, he ended up accepting several thousand dollars from Andrew Albo, an informant cooperating with the FBI. In exchange, Van Buren agreed to search a police database for a vehicle license plate number Albo gave him. (Albo told Van Buren the car belonged to a woman he had met at a strip club and he wanted to be sure she was not an undercover police officer.) Van Buren performed the search for Albo in the Georgia Crime Information Center database. He had been trained on the use of that database and knew he was allowed to use it only for legitimate law enforcement purpose.

Van Buren was convicted for violating section 1030(a)(2). There was no question he was authorized to access the police database. But the government argued Van Buren had exceeded his authorized access, and thereby obtained the license plate information, by performing the search for an improper purpose – namely, in exchange for a bribe. 

Image of US Supreme Court, which decided the Bob McDonnell case
United States Supreme Court

Van Buren’s Position

In their briefs to the Court, Van Buren and those amici who support him argued that Section 1030 is, at heart, a computer hacking statute. It is primarily aimed at conduct that is the electronic equivalent of breaking and entering. According to Van Buren, the prohibition against exceeding authorized access therefore criminalizes obtaining information only when a person has no right at all to access that information. An example would be a Pentagon employee who is authorized to use the Department of Defense computer system for limited purposes related to her job, but then uses a stolen password to gain access to a different part of that system she is not authorized to view.

Van Buren unquestionably had the right to enter the database and access license plate data. In this instance he did so for an improper reason: because he had been bribed. That might subject him to job discipline or some other legal sanction, but it does not, Van Buren argued, violate the CFAA.  “Exceeding authorized  access” does not apply to obtaining otherwise accessible information for an improper reason. It applies, he argued, only when the defendant had no right to access the information under any circumstances.

Van Buren cited a number of examples of the potential consequences of the government’s position. Suppose workplace policy prohibits an employee from using the company’s computer system for social media, but she uses that system to log onto Facebook. Or an employee has a work-provided Zoom account that is to be used only for business but uses it for a group family chat on the weekend. Or someone uses a dating website but, in violation of the site’s terms of services, lies in his profile about how tall he is or about his age and then obtains information about potential partners.

 In each of these examples, the person has the right to access the information that was obtained, but did it in ways or for reasons that were not authorized. That is Van Buren’s situation as well. If the government is correct, he argued, then all of the people in those examples are criminals: they exceeded their authorized access by violating workplace policies or website terms of service.

Computer law expert Professor Orin Kerr, who filed an amicus brief, agreed with Van Buren and framed it this way: the CFAA prohibits someone circumventing technological barriers, such as a password requirement, to obtain information the person is not otherwise authorized to obtain. It does not apply to someone who merely ignores verbal or written barriers, such as instructions from an employer or requirements in a website’s terms of service. Here Van Buren violated police department policy, but he did not breach any technological barriers to obtain the information. Accordingly, the CFAA should not apply.

US Dept of Justice
U.S. Department of Justice

The Government’s  Response

The government responded that Van Buren’s argument ignores the plain text of the statute, and that the text is enough to decide this case. The statute prohibits exceeding authorized access and thereby obtaining information “that the accesser is not entitled so to obtain.” The key, the government argued, is the word  “so.” If Van Buren is right, that “so” is unnecessary. Congress would have just written “that the accesser is not entitled to obtain,” and Van Buren would be in the clear. But the word “so” in the phrase “so to obtain” means that the manner or circumstances of obtaining the information matters: “so” means that the defendant was not entitled to obtain the information under the circumstances in which he did, even if he could have properly obtained it under other circumstances. The statute therefore governs insiders who have some limited authority to access the relevant computer information but exceed those limits.

As for Van Buren’s hypotheticals about everyday computer users suddenly becoming criminals, the government argued those concerns are wildly exaggerated. Such cases are not being prosecuted, and Van Buren has not identified any such cases in the past that led to a sustained conviction. Potential cases involving people using Facebook at work are just a fantasy. They would never be brought in the real world.

The government also suggested that the hypothetical cases posed by Van Buren might not violate the statute because of other statutory terms. For example, the government argued that the term “authorization” means a user has been granted specific, affirmative, individualized permission to use the system. It might not apply to websites such as Facebook that simply take all comers who are willing to open an account.

The  Oral Argument – Reviewing the Parade of Horribles

During the oral arguments on November 30, several of the Justices appeared skeptical of the government’s arguments and concerned about the potential breadth of the statute.

The Court spent a good deal of time discussing Van Buren’s “parade of horribles,” the hypotheticals about all those who might be ensnared by the government’s interpretation. Justice Thomas wondered whether the parade was real, asking whether there were any real-world examples of the types of cases Van Buren was warning against. Jeffrey Fisher, counsel for Van Buren, admitted there were no recent examples. But he pointed out that the Court has repeatedly held it can’t approve a sweeping interpretation of a criminal statute based on the government’s promise that it will enforce it benevolently.

Chief Justice Roberts and others raised the idea of a different parade of horribles: bad actors who could NOT be prosecuted if Van Buren’s interpretation is adopted.  What about a bank employee, for example, who has legitimate access to computer files containing customer social security numbers but then accesses those files to steal the numbers and sell them? Fisher responded that other criminal laws would cover most such misconduct. Justices Gorsuch and Sotomayor appeared to agree that, given the number of federal and state criminal laws available, any such misconduct not covered by the CFAA could likely still be prosecuted.

Justice Sotomayor and others pressed the Assistant Solicitor General Eric Feigin on his suggestion that other terms, such as the definition of “authorization,” could control the sweep of the CFAA. She said the government was relying on narrower definitions that did not appear in the statute itself. Fisher also had noted in his briefs that there was no precedent for those narrower interpretations and that the government was merely raising them as hypotheticals, not committing to follow them.

Justice Kagan pressed both attorneys on the role of the word “so.”  She noted it requires an antecedent and asked each side what they thought “so” referred back to. Fisher replied that “so to obtain” merely refers to using a computer to obtain the information. That means it would not be a defense for an employee who hacked into a portion of the office computer to argue that he could have gotten the same information by some other means anyway. Even if that were true, he was not entitled “so” to obtain it – in other words, by hacking the computer.

Feigin argued that “so” referred back to the circumstances under which the defendant was obtaining the information. Van Buren was not authorized “so to obtain” the license information because the way he obtained it violated the workplace restrictions covering his use of the database.

Justice  Neil Gorsuch
Justice Neil Gorsuch

A Pattern of Government Overreach

I think the Court is likely to rule in Van Buren’s favor and reject the government’s sweeping interpretation of the CFAA. The battles over the significance of the word “so” are fascinating (at least to legal nerds), but in the end I don’t think they yield a clear winner. In light of that, the Court is likely to adopt the reading that avoids vastly increasing the scope of federal criminal law.

During his questioning of Feigin, Justice Gorsuch raised what I think is a key point. He noted there has been a string of cases in recent years where prosecutors have sought to expand the scope of federal criminal law in pretty sweeping ways. In each case, the Court has rejected the government’s position. I wrote about that trend in this post: White Collar Crime, Prosecutorial Discretion, and the Supreme Court. It stems both from the Court’s approach to federal criminal law in general and from a characteristic of white collar statutes like the CFAA in particular.

In general, the Court is reluctant to read federal criminal laws expansively, at least absent a clear sign of Congressional intent. In McNally v. United States in 1987, where the Court first rejected the theory of honest services fraud, part of its rationale was a concern that the government’s interpretation would dramatically increase the scope of federal criminal law. Just last year in Kelly v. United States, the Court reaffirmed that  principle when it unanimously rejected the government’s attempt to use federal fraud statutes to prosecute the defendants in the Bridgegate scandal. The Court noted that the defendants’ behavior was deplorable, but that not every instance of political misconduct amounts to a federal fraud.

White collar statutes in particular often raise concerns about their potential scope. They are written broadly to avoid loopholes that may be exploited by clever criminals. They deal not with clear crimes like assault or robbery but with fuzzier concepts such as fraud and corruption whose parameters are less well-defined. As a result, they often sweep within their terms conduct that most would agree does not merit  a federal prosecution.

For example, if I call in sick and lie to my employer so I can go to the ball game, that fits all the legal requirements for federal wire fraud. Fortunately, we don’t see cases of such truant employees clogging the federal courts. That’s because of prosecutorial discretion: prosecutors exercising good judgment about which cases are actually worth bringing and which should not be pursued even if they technically violate the statute.

But that discretion must be exercised wisely. In cases raising concerns about the scope of federal criminal statutes, the government’s response often has been, essentially: “Trust us. You should interpret the statute broadly, to allow us flexibility to pursue the appropriate cases. We’d never bring the trivial or outrageous cases that the defendant is claiming would result.”

That’s also what the government is saying in Van Buren: trust us, we’d never prosecute the employee who does holiday shopping at work. But in recent years the Court has been increasingly unwilling to take the government at its word. Instead, it has narrowed the statutes in question to limit prosecutors’ discretion.

Consider, for example, the Court’s 2016 decision in McDonnell v. United States, the corruption prosecution of the former governor of Virginia. McDonnell and his allies presented their own parade of horribles to the Court. They argued that if the government’s sweeping interpretation of “official act” in bribery law were adopted, federal officials would be at the mercy of prosecutors who might charge bribery based on politicians engaging in routine political courtesies. Part of the government’s response was, essentially, “we won’t bring those kinds of cases and never have.” That wasn’t enough for the Court: it unanimously rejected the government’s argument, threw out McDonnell’s conviction, and drastically narrowed the scope of bribery law.

To explain this Supreme Court trend, at least in part, the Justice Department need only look in the mirror. These are often self-inflicted wounds. The “trust us” argument becomes harder when the case that lands before the Court seems to involve a poor exercise of prosecutorial discretion.  This was true, for example, Yates v. United States, where prosecutors used an obstruction of justice statute with a twenty-year penalty to prosecute a captain who threw undersized fish overboard to avoid a civil fine. Or Bond v. United States, where a woman put Drano on the doorknob and mailbox of her romantic rival, causing a minor skin irritation, and was charged with a chemical weapons offense carrying up to life in prison.

When such cases make it to the Supreme Court, it becomes harder for the government to argue the Court should entrust prosecutors with criminal statutes that sweep as broadly as possible. That’s what led Justice Gorsuch to remark during the Van Buren argument that the Solicitor General’s office should not act as a mere “rubber stamp” when questionable cases stretching the boundaries of federal criminal law are brought by U.S. Attorneys.   

In this case Van Buren’s conduct does seem worthy of prosecution. But it also seems clear there were other ways  to punish him, either with other federal statutes (he was also charged with honest services fraud, but that charge may face a McDonnell issue) or with a Georgia state prosecution for bribery or other crimes. There is no need for the Court to stretch the boundaries of the CFAA based a concern that there is otherwise no way to punish someone like Van Buren.

In Van Buren’s case, the Court is likely to continue the trend identified by Justice Gorsuch. It will likely reject an expansive interpretation of the CFAA that turns almost all ordinary Americans into potential criminals. In this case, that’s the right result.

You may now return to your Amazon shopping.

Like this post? Click here to join the Sidebars mailing list