In Van Buren v. United States, 593 U.S. ____ (2021), the Court clarified an outdated and vague law that was not in conformity with today’s digital age. Van Buren, a former police sergeant, ran a license-plate search in a police computer database in exchange for money with a shady local citizen. The FBI was already investigating Van Buren in connection with other dealings he had with the citizen. Van Buren’s database search violated department policy, which authorized him to obtain database information only for law enforcement purposes. Van Buren was also convicted of a felony violation of the Computer Fraud and Abuse Act of 1986 (CFAA), which subjects criminal liability to anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” (18 U.S.C. §1030(a)(2).) The term “exceeds authorized access” is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” (18 U.S.C. §1030(e)(6).)
The issue was whether Van Buren exceeded his authorized access when he searched the database for an improper purpose. Van Buren argued that the “without authorization” clause protected computers from outside-hackers, while the “exceeds authorized access” clause provided protection for information within computers by targeting inside-hackers. The Government attempted to use grammar and sentence structure to show that Van Buren’s conduct fit within the provision. However, the Court stated the CFAA provision would have attached criminal penalties to an immense amount of commonplace computer activity that did not involve hacking if it adopted the Government’s interpretation. For example, employers have rules that work computers can only be used for business purposes. If an employee sent a personal e-mail or read the news using a work computer, he/she would be in violation of the CFAA. To avoid this absurd result, the Court dismissed the Government’s interpretation.
The Court held that Van Buren did not violate the CFAA. The Court reasoned that the provision covers people who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. The provision does not cover people who, like Van Buren, have improper motives for obtaining information that is otherwise available to them. Here, even though he had an improper purpose for the license-plate search, he did not exceed his authorized access. Thus, he was not hacking the database. The rule is that if you have authority to access a database, you are not exceeding that authority if you are using the database for an improper purpose.
The California Comprehensive Computer Data Access and Fraud Act (Penal Code § 502)
Penal Code § 502 is the equivalent to the CFAA. PC 502(c) has 14 enumerated acts that may constitute a violation. Our focus is on the enumerated acts that contain “knowingly accessing and without permission” language, which is similar to the CFAA provision in Van Buren. PC 502 also has a built-in “scope of employment” exception in subsection (h).
The CA Supreme Court has not interpreted PC 502(c), but the appellate court in Chrisman v. City of Los Angeles (2007) 155 Cal.App.4th 29 had a similar holding and reasoning as Van Buren. The ChrismanCourt held that PC 502(c)(7), which contains the “knowingly accessing and without permission” language, did not apply to an officer accused of misusing his computer to seek information that he was permitted to access, but for which he had an improper purpose.
The ChrismanCourt further held that the “scope of employment” exception under subsection (h) is not limited to work-related conduct. Employee conduct on a computer that is not work-related does not necessarily make that conduct criminal. The ChrismanCourt used the same example in Van Burenabout how reading personal emails on a work computer would be criminal under the statute. The ChrismanCourt reasoned that was not the intent of the Legislature. In other words, your local state representative did not intend to put you in jail for checking your social media on a work computer.
These holdings are not an excuse to access a database for an improper purpose. An employee can still be held liable for policy violations and other statutory violations, e.g., misuse of CLETS. If you have been charged with a violation of PC 502(c) or a similar law, consult with your attorney to determine if your conduct is applicable to your charge.