Van Buren v. United States: The Ultimate Guide to Hacking, Authorization, and the CFAA

LEGAL DISCLAIMER: This article provides general, informational content for educational purposes only. It is not a substitute for professional legal advice from a qualified attorney. Always consult with a lawyer for guidance on your specific legal situation.

Imagine your employer gives you a keycard to your office building. This keycard gets you through the front door and into your specific office, Room 101. You are authorized to be in those areas. One day, out of curiosity, you use your valid keycard to enter the building after hours, but instead of going to your office, you go to the server room—a place you know you're not supposed to be—just to look at data for a personal project. You didn't pick a lock or break a window; you used the access you were given for a purpose you shouldn't have. Have you committed a federal crime? For decades, the answer was a frightening “maybe,” depending on where you lived and which prosecutor handled your case. This ambiguity is what the landmark supreme_court case, Van Buren v. United States, finally addressed. It tackled the nation's most important anti-hacking law, the computer_fraud_and_abuse_act (CFAA), and clarified what it means to “exceed authorized access” on a computer system. The Court's decision dramatically narrowed the scope of this powerful law, providing crucial clarity for millions of American workers, security researchers, and everyday internet users.

• Key Takeaways At-a-Glance:
  • The Ruling: The Supreme Court held that Van Buren v. United States clarifies you only “exceed authorized access” under the computer_fraud_and_abuse_act if you access files, folders, or databases on a computer that you are not permitted to access at all.
  • The Impact: This ruling means that misusing information you are allowed to access—for example, looking up a customer's file for personal reasons when you have permission to view customer files for work—is not a federal crime under the CFAA. It might still get you fired or lead to other legal trouble, but it is not a federal hacking offense.
  • What It Means For You: The Van Buren v. United States decision protects ordinary employees from the threat of federal prosecution for minor violations of a company's computer use policy, such as checking personal email or social media on a work computer.

To understand the importance of *Van Buren*, we have to travel back to the 1980s. The personal computer was just beginning to enter American homes, and the internet was a niche network for academics and the military. The public's perception of computers was shaped by Hollywood, especially the 1983 film *WarGames*, where a teenager accidentally hacks into a military supercomputer and nearly starts World War III. This fear of a new, mysterious threat—the “hacker”—spurred Congress into action. In 1986, they passed the computer_fraud_and_abuse_act (CFAA). The goal was simple: to create a federal law that criminalized breaking into sensitive computer systems, particularly those belonging to the government and financial institutions. The problem was that the law was written for a world of floppy disks and dial-up modems. Its language was broad and, at times, vague. As technology exploded over the next 30 years, prosecutors began applying this old law to new situations. One phrase in particular became a legal battleground: “exceeds authorized access.” Does that mean accessing information for an improper reason, or does it mean breaking into a digital area you were never supposed to be in? This question created a deep and messy split among the nation's courts, setting the stage for a final showdown at the Supreme Court.

The entire *Van Buren* case hinges on the interpretation of a few words within a single statute. The relevant law is the computer_fraud_and_abuse_act, which is codified in the U.S. federal criminal code at `18_usc_1030`. Specifically, the CFAA makes it a federal crime for anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” The key phrase is “exceeds authorized access.” The statute itself defines this as:

“…to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

For years, prosecutors and courts couldn't agree on what “not entitled so to obtain” meant. This led to two competing interpretations that caused a major split in the federal judiciary.

Before the Supreme Court provides a final answer on a federal law, the U.S. Courts of Appeals in different regions (known as “circuits”) often come to different conclusions. This is called a “circuit split,” and it's a primary reason the Supreme Court agrees to hear a case—to create a single, uniform rule for the entire country. The split over the CFAA was a perfect example.

This messy legal landscape meant that the exact same action could be a federal crime in Georgia but perfectly legal (from a criminal standpoint) in California. This inconsistency and the potential for a law designed to stop hackers to be used against ordinary employees is precisely the problem that Nathan Van Buren's case brought to the Supreme Court.

The Supreme Court's decision in *Van Buren* wasn't just about the specific facts of one police officer's case. It was about defining foundational legal concepts that govern our digital lives.

This was the heart of the dispute. The entire case revolved around which of the two competing views of this phrase was correct.

• The Government's Argument (The Broad “Improper Purpose” View): Prosecutors argued that “exceeds authorized access” should be read broadly. In their view, your “authorization” is defined by the circumstances under which you're allowed to access information. If your company policy says “you are authorized to access the customer database for sales purposes only,” then accessing that same database to get a customer's phone number to sell to a rival company would mean you “exceeded” your authorization. Your purpose for accessing the data matters. Under this theory, violating a website's terms_of_service or a company's internal computer use policy could potentially trigger a federal criminal investigation.
• Van Buren's Argument (The Narrow “Gates-Up-or-Down” View): Van Buren's lawyers argued for a much simpler, more intuitive interpretation. They claimed that “exceeds authorized access” applies only when a person is allowed into some parts of a computer system but uses that initial access to get into other parts they are not allowed to access at all. Your purpose is irrelevant; what matters is whether you bypassed a digital gate or barrier.

Ultimately, the Supreme Court sided with Van Buren, adopting the narrow “gates-up-or-down” interpretation.

Justice Amy Coney Barrett, writing for the 6-3 majority, solidified the narrow view with a powerful and easy-to-understand analogy that is now central to understanding the CFAA. She explained that “authorization” works like a gate.

• “Without Authorization”: This is like jumping the fence to get into a property you were never allowed to enter. It's classic hacking.
• “Exceeds Authorized Access”: This is like having a key that lets you open the front gate to a park (“authorized access”), but then using that access to pick the lock on a maintenance shed inside the park that you were never given a key for. You were allowed inside the park, but you went into a specific area of the park that was off-limits to you.

The key takeaway from the “gates-up-or-down” model is that the “gate” must be a technological one. It refers to accessing specific files, folders, or databases that are digitally closed to you. It does not refer to policy-based restrictions on how you use information that is otherwise available to you. Checking your personal email on a work computer does not involve breaking through any digital “gate”; you are simply in an area you are already allowed to be, but for an improper reason. This, the Court said, is not a federal crime under the CFAA.

In its reasoning, the Court also invoked a long-standing principle of criminal_law known as the rule of lenity. This rule states that if a criminal statute is ambiguous and can be interpreted in two different ways—one harsh on the defendant and one more lenient—the court should choose the more lenient interpretation. The Justices argued that the government's broad interpretation of the CFAA would turn millions of unsuspecting people into criminals. They painted a picture where everyday activities, like telling a white lie on a dating profile (a violation of the terms of service) or using a work computer to check sports scores, could be prosecuted as federal crimes. Since the law's text could reasonably support the narrower “gates-up-or-down” view, and because the broader view would criminalize so much ordinary behavior, the rule of lenity favored the defendant, Van Buren.

• Nathan Van Buren: A former police sergeant in Cumming, Georgia. He was the petitioner, the individual asking the Supreme Court to overturn his conviction. His actions, while ethically questionable, became the test case for the CFAA's reach.
• The U.S. Department of Justice (DOJ): The federal prosecutors who represented the U.S. government. They argued for the broad interpretation of the CFAA, seeking to preserve a powerful tool they used to prosecute a wide range of computer-related crimes.
• The Supreme Court Majority: Led by Justice Amy Coney Barrett, and joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh. This group was persuaded by the “gates-up-or-down” logic and the dangers of overcriminalization.
• The Supreme Court Dissent: Led by Justice Clarence Thomas, and joined by Chief Justice Roberts and Justice Alito. They argued that the plain text of the statute supported the government's broader interpretation and that the majority's reading was too narrow.
• Amici Curiae (“Friends of the Court”): Numerous outside groups filed briefs to offer their perspectives. This included technology companies, cybersecurity researchers, and civil liberties organizations like the ACLU. The vast majority of these groups supported Van Buren, arguing that the DOJ's broad interpretation of the CFAA stifled security research, threatened journalistic work, and endangered the privacy of ordinary citizens.

The Supreme Court's ruling wasn't just an abstract legal debate; it has direct, tangible consequences for people in their daily lives and jobs.

Before *Van Buren*, there was a genuine, if remote, fear that a minor workplace infraction could lead to a federal indictment. That fear has now been significantly reduced.

• What has changed? You can no longer be charged with a federal crime under the CFAA for violating your employer's computer use policy, as long as you are not accessing files or data you are forbidden from seeing.
  • Example: Your company handbook says, “Work computers are for business use only.” You use your work laptop to book a vacation, check ESPN, and send a personal email. You have violated company policy, but because you didn't hack into the HR department's salary database (a digital area you have no access to), you have not committed a federal crime under the CFAA.
• What has NOT changed? You can still be fired. The *Van Buren* ruling is about criminal liability, not employment law. Your employer has every right to discipline or terminate you for violating company policy. The decision simply means you won't also be facing a federal prosecutor. It's the difference between losing your job and losing your freedom.

The ruling provides clarity for employers on how to protect their digital assets.

• Policy is Not Enough: The *Van Buren* decision makes it clear that a strongly worded computer use policy is not a substitute for actual technical security. You cannot rely on the CFAA to prosecute a rogue employee who misuses data they were already permitted to see.
• Actionable Steps:
  • Implement Access Controls: The best way to protect sensitive information is to use technological “gates.” Segment your network and use permission-based access controls so that employees can only see the data they absolutely need to do their jobs. An employee in marketing should not have access to financial records.
  • Focus on Contracts and Civil Remedies: If an employee misuses data they are authorized to access (e.g., downloads a client list to take to a competitor), your legal remedy is likely through civil_law, such as suing for breach of an employment contract, non-disclosure agreement (NDA), or theft of trade_secrets.

This group may be the biggest beneficiary of the *Van Buren* ruling. “White hat” hackers and security researchers often test the security of websites and products to find vulnerabilities and report them responsibly. Journalists use digital tools to investigate stories in the public interest.

• The Old Fear: Under the broad interpretation of the CFAA, their work was legally perilous. If a website's terms_of_service said, “You may not run automated scripts on this site,” a security researcher doing exactly that to find a flaw could be seen as “exceeding authorized access.”
• The New Protection: *Van Buren* provides significant protection. By clarifying that a CFAA violation requires bypassing a technological barrier, not just a policy-based one, the ruling makes it much harder to prosecute good-faith security research and digital journalism. It doesn't create total immunity, but it removes one of the most chilling legal threats they faced.

The case began with Nathan Van Buren, a police sergeant in Georgia. In a conversation with an acquaintance, Andrew Albo, Van Buren mentioned he was struggling with financial debts. Albo, who had a history with law enforcement, secretly recorded this conversation and took it to the local sheriff's office, hoping to gain favor. This information made its way to the fbi, who arranged a sting operation. They had Albo ask Van Buren to search the state police database for a license plate number in exchange for several thousand dollars. Albo claimed the woman associated with the license plate was a prostitute he wanted to ensure was not an undercover officer. Van Buren agreed. He used his patrol-car computer, for which he had valid credentials and authorization, to search for the license plate in the Georgia Crime Information Center database. This was an action he was fully authorized to perform as part of his duties. However, he did it for a private, corrupt purpose and not for a law enforcement reason. After accessing the record, he was arrested and charged with violating the CFAA for “exceeding authorized access.”

Van Buren was convicted at trial and sentenced to 18 months in federal prison. The Eleventh Circuit Court of Appeals upheld his conviction, relying on the broad, “improper purpose” interpretation of the CFAA. They reasoned that because Van Buren accessed the database for a non-law-enforcement purpose, he had “exceeded his authorized access.” Van Buren's lawyers appealed to the Supreme Court, presenting a clear and vital question for the digital age: Does the Computer Fraud and Abuse Act make it a federal crime to use a computer for an improper purpose, even if you are authorized to access the information you obtain?

In a 6-3 decision issued on June 3, 2021, the Supreme Court reversed the Eleventh Circuit's decision and sided with Van Buren. Justice Barrett's majority opinion methodically dismantled the government's broad interpretation. She focused on the text of the statute, particularly the phrase “entitled so to obtain.” She argued that the “so” refers to the specific act of obtaining information that is off-limits. It does not refer to the user's motives or purpose. She illustrated this with another simple analogy: A person who has a key to a valet stand is allowed to access the key hooks to get car keys. If that person uses their access to the hooks to take a key to a Ferrari they are not assigned to drive, they have accessed a key they were “not entitled so to obtain.” However, if they are assigned to park a Ford, and they take the Ford key (which they *are* entitled to obtain) but then go on a joyride, they have not violated the “access” rule, even though they have misused the car. The Court concluded that the CFAA is an anti-hacking statute, not a general-purpose tool for policing the misuse of information.

Justice Thomas, in his dissent, argued that the majority was misreading the law's plain text. He focused on the same phrase—“entitled so to obtain”—but came to the opposite conclusion. He believed “so” referred to the entire context of the authorization. In his view, if you are only “entitled” to access data under certain circumstances (e.g., for work purposes), then accessing it under any other circumstance means you are not “entitled so to obtain” it. He warned that the majority's “gates-up-or-down” rule created an artificial distinction that ignored the reality of modern, permission-based computer systems and could weaken the government's ability to prosecute malicious insiders who abuse their access.

• Van Buren* was a monumental decision, but it did not solve every problem with the CFAA. The law remains a source of legal debate.
• “Without Authorization”: The Court clarified “exceeds authorized access” but left the meaning of accessing a computer “without authorization” largely untouched. This leaves open questions about common internet behaviors.
• Password Sharing: Is sharing your Netflix or HBO password with a friend a federal crime? Under a strict reading, you are giving someone else the means to access a computer system “without authorization.” While it is extremely unlikely anyone would be prosecuted for this, the legal ambiguity remains a concern for civil liberties advocates.
• Data Scraping: The practice of using automated bots to collect large amounts of public data from websites is in a legal gray area. Companies often forbid this in their terms_of_service, and legal battles are currently being fought over whether scraping public data constitutes “unauthorized access” under the CFAA.

The *Van Buren* decision provided a 21st-century interpretation of a 1980s law, but technology continues to evolve at a blistering pace. Congress faces ongoing pressure to reform the CFAA to better address modern challenges.

• The Push for CFAA Reform: Advocates argue that the CFAA is still too broad and needs to be updated. They are pushing for legislation that would explicitly exempt good-faith security research and create clearer rules that don't rely on vague terms or violations of private user agreements.
• Artificial Intelligence (AI) and the CFAA: How will the CFAA apply to AI agents that access websites and data? If an AI system scrapes a site against its terms of service to train its model, has its owner violated the CFAA? These are the types of new, complex questions that courts and lawmakers will have to confront in the coming years.
• The Internet of Things (IoT): As more devices—from refrigerators to cars—are connected to the internet, the definition of a “protected computer” under the CFAA will continue to expand, creating new potential avenues for both malicious attacks and confusing legal prosecutions.

The *Van Buren v. United States* decision was a landmark moment that reined in the scope of America's primary anti-hacking law. It affirmed that the CFAA is meant to target hackers, not to criminalize the everyday behavior of citizens who violate fine-print policies online and at work.

• amicus_curiae: “Friend of the court.” An individual or organization who is not a party to a case but is permitted to file a brief to offer expertise or insight.
• circuit_split: A situation where two or more different U.S. Circuit Courts of Appeals have made conflicting rulings on the same legal issue.
• computer_fraud_and_abuse_act (CFAA): The primary federal anti-hacking statute in the United States, passed in 1986.
• data_scraping: The process of using automated software to extract large amounts of data from websites.
• dissenting_opinion: An opinion written by one or more judges expressing disagreement with the majority opinion of the court.
• fbi: The Federal Bureau of Investigation, the lead federal agency for investigating cybercrime in the United States.
• hacking: The act of gaining unauthorized access to a computer system.
• majority_opinion: The judicial opinion that is joined by more than half the judges hearing a case, which sets the binding legal precedent.
• petitioner: The party who presents a petition to a court for relief, often the party appealing a lower court's decision.
• rule_of_lenity: A legal doctrine requiring that ambiguous criminal laws be interpreted in the manner most favorable to the defendant.
• statute: A written law passed by a legislative body, such as Congress.
• sting_operation: A deceptive operation designed by law enforcement to catch a person committing a crime.
• supreme_court: The highest federal court in the United States, with final appellate jurisdiction over all federal and state court cases.
• terms_of_service: A set of rules and regulations that a user must agree to in order to use an online service.

• cybercrime
• data_privacy
• criminal_law
• computer_fraud_and_abuse_act
• fourth_amendment
• white_collar_crime
• 18_usc_1030