This is approximately the tenth time a post of this nature has appeared on these pages.
Even though the current Supreme Court is often ideologically divided, the Court has shown remarkable consistency in recent years in rejecting (often times unanimously) overly expansive interpretations of a criminal statute by the Department of Justice.
The latest example occurred last week in Van Buren v. U.S. in which the court rejected the DOJ’s expansive interpretation of the Computer Fraud and Abuse Act. The decision was authored by Justice Barrett and joined by Justices Breyer, Sotomayor, Kagan, Gorsuch and Kavanaugh.
In terms of general background, the decision notes:
“Nathan Van Buren, a former police sergeant, ran a license-plate search in a law enforcement computer database in exchange for money. Van Buren’s conduct plainly flouted his department’s policy, which authorized him to obtain database information only for law enforcement purposes. We must decide whether Van Buren also violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The opinion concludes:
“He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”
As to the relevant statutory scheme, the opinion states:
“The Act subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains computer information. 18 U. S. C. §1030(a)(2). It defines the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6).
Initially, subsection (a)(2)’s prohibition barred accessing only certain financial information. It has since expanded to cover any information from any computer “used in or affecting interstate or foreign commerce or communication.” §1030(e)(2)(B). As a result, the prohibition now applies—at a minimum—to all information from all computers that connect to the Internet. §§1030(a)(2)(C), (e)(2)(B).”
As further noted and stated in the decision:
“This case stems from Van Buren’s time as a police sergeant in Georgia. In the course of his duties, Van Buren crossed paths with a man named Andrew Albo. The deputy chief of Van Buren’s department considered Albo to be “very volatile” and warned officers in the department to deal with him carefully. Notwithstanding that warning, Van Buren developed a friendly relationship with Albo. Or so Van Buren thought when he went to Albo to ask for a personal loan. Unbeknownst to Van Buren, Albo secretly recorded that request and took it to the local sheriff ’s office, where he complained that Van Buren had sought to “shake him down” for cash.
The taped conversation made its way to the Federal Bureau of Investigation (FBI), which devised an operation to see how far Van Buren would go for money. The steps were straightforward: Albo would ask Van Buren to search the state law enforcement computer database for a license plate purportedly belonging to a woman whom Albo had met at a local strip club. Albo, no stranger to legal troubles, would tell Van Buren that he wanted to ensure that the woman was not in fact an undercover officer. In return for the search, Albo would pay Van Buren around $5,000.
Things went according to plan. Van Buren used his patrol-car computer to access the law enforcement database with his valid credentials. He searched the database for the license plate that Albo had provided. After obtaining the FBI-created license-plate entry, Van Buren told Albo that he had information to share.
The Federal Government then charged Van Buren with a felony violation of the CFAA on the ground that running the license plate for Albo violated the “exceeds authorized access” clause of 18 U. S. C. §1030(a)(2). The trial evidence showed that Van Buren had been trained not to use the law enforcement database for “an improper purpose,” defined as “any personal use.” Van Buren therefore knew that the search breached department policy. And according to the Government, that violation of department policy also violated the CFAA. Consistent with that position, the Government told the jury that Van Buren’s access of the database “for a non[-]law[-]enforcement purpose” violated the CFAA “concept” against “using” a computer network in a way contrary to “what your job or policy prohibits.” The jury convicted Van Buren, and the District Court sentenced him to 18 months in prison.
Van Buren appealed to the Eleventh Circuit, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have. While several Circuits see the clause Van Buren’s way, the Eleventh Circuit is among those that have taken a broader view. Consistent with its Circuit precedent, the panel held that Van Buren had violated the CFAA by accessing the law enforcement database for an “inappropriate reason.” 940 F. 3d 1192, 1208 (2019). We granted certiorari to resolve the split in authority regarding the scope of liability under the CFAA’s “exceeds authorized access” clause.
Both Van Buren and the Government raise a host of policy arguments to support their respective interpretations. But we start where we always do: with the text of the statute. Here, the most relevant text is the phrase “exceeds authorized access,” which means “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.”
The parties agree that Van Buren “access[ed] a computer with authorization” when he used his patrol-car computer and valid credentials to log into the law enforcement database. They also agree that Van Buren “obtain[ed] . . . information in the computer” when he acquired the license-plate record for Albo. The dispute is whether Van Buren was “entitled so to obtain” the record.
“Entitle” means “to give . . . a title, right, or claim to something.” Random House Dictionary of the English Language 649 (2d ed. 1987). See also Black’s Law Dictionary 477 (5th ed. 1979) (“to give a right or legal title to”). The parties agree that Van Buren had been given the right to acquire license-plate information—that is, he was “entitled to obtain” it—from the law enforcement computer database. But was Van Buren “entitled so to obtain” the license-plate information, as the statute requires?
Van Buren says yes. He notes that “so,” as used in this statute, serves as a term of reference that recalls “the same manner as has been stated” or “the way or manner described.” Black’s Law Dictionary, at 1246; 15 Oxford English Dictionary 887 (2d ed. 1989). The disputed phrase “entitled so to obtain” thus asks whether one has the right, in “the same manner as has been stated,” to obtain the relevant information. And the only manner of obtaining information already stated in the definitional provision is “via a computer [one] is otherwise authorized to access.” Putting that together, Van Buren contends that the disputed phrase—“is not entitled so to obtain”—plainly refers to information one is not allowed to obtain by using a computer that he is authorized to access. On this reading, if a person has access to information stored in a computer— e.g., in “Folder Y,” from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.
The Government agrees that the statute uses “so” in the word’s term-of-reference sense, but it argues that “so” sweeps more broadly. It reads the phrase “is not entitled so to obtain” to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. The manner or circumstances in which one has a right to obtain information, the Government says, are defined by any “specifically and explicitly” communicated limits on one’s right to access information. As the Government sees it, an employee might lawfully pull information from Folder Y in the morning for a permissible purpose—say, to prepare for a business meeting—but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purpose—say, to help draft a resume to submit to a competitor employer.
The Government’s interpretation has surface appeal but proves to be a sleight of hand. While highlighting that “so” refers to a “manner or circumstance,” the Government simultaneously ignores the definition’s further instruction that such manner or circumstance already will “‘ha[ve] been stated,’” “‘asserted,’” or “‘described.’” Id., at 18 (quoting Black’s Law Dictionary, at 1246; 15 Oxford English Dictionary, at 887). Under the Government’s approach, the relevant circumstance—the one rendering a person’s conduct illegal—is not identified earlier in the statute. Instead, “so” captures any circumstance-based limit appearing anywhere—in the United States Code, a state statute, a private agreement, or anywhere else. And while the Government tries to cabin its interpretation by suggesting that any such limit must be “specifically and explicitly” stated, “express,” and “inherent in the authorization itself,” the Government does not identify any textual basis for these guardrails.
Van Buren’s account of “so”—namely, that “so” references the previously stated “manner or circumstance” in the text of §1030(e)(6) itself—is more plausible than the Government’s. “So” is not a free-floating term that provides a hook for any limitation stated anywhere. It refers to a stated, identifiable proposition from the “preceding” text; indeed, “so” typically “[r]epresent[s]” a “word or phrase already employed,” thereby avoiding the need for repetition. Oxford English Dictionary, at 887; see Webster’s Third New International Dictionary 2160 (1986) (so “often used as a substitute . . . to express the idea of a preceding phrase”). Myriad federal statutes illustrate this ordinary usage. We agree with Van Buren: The phrase “is not entitled so to obtain” is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.”
The Government falls back on what it describes as the “common parlance” meaning of the phrase “exceeds authorized access.” According to the Government, any ordinary speaker of the English language would think that Van Buren “exceed[ed] his authorized access” to the law enforcement database when he obtained license-plate information for personal purposes. The dissent, for its part, asserts that this point “settles” the case. If the phrase “exceeds authorized access” were all we had to go on, the Government and the dissent might have a point. But both breeze by the CFAA’s explicit definition of the phrase “exceeds authorized access.” When “a statute includes an explicit definition” of a term, “we must follow that definition, even if it varies from a term’s ordinary meaning.” So the relevant question is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase. And as we have already explained, the statutory definition favors Van Buren’s reading.
To top it all off, the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity. Van Buren frames the far-reaching consequences of the Government’s reading as triggering the rule of lenity or constitutional avoidance. That is not how we see it: Because the text, context, and structure support Van Buren’s reading, neither of these canons is in play. Still, the fallout underscores the implausibility of the Government’s interpretation. It is “extra icing on a cake already frosted.”
If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers. And indeed, numerous amici explain why the Government’s reading of subsection (a)(2) would do just that— criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.
In response to these points, the Government posits that other terms in the statute—specifically “authorization” and “use”—“may well” serve to cabin its prosecutorial power. Yet the Government stops far short of endorsing such limitations. Nor does it cite any prior instance in which it has read the statute to contain such limitations— to the contrary, Van Buren cites instances where it hasn’t. If anything, the Government’s current CFAA charging policy shows why Van Buren’s concerns are far from “hypothetical.” The policy instructs that federal prosecution “may not be warranted”—not that it would be prohibited—“if the defendant exceed[s] authorized access solely by violating an access restriction contained in a contractual agreement or term of service with an Internet service provider or website.” And while the Government insists that the intent requirement serves as yet another safety valve, that requirement would do nothing for those who intentionally use their computers in a way their “job or policy prohibits”—for example, by checking sports scores or paying bills at work.
One final observation: The Government’s approach would inject arbitrariness into the assessment of criminal liability. The Government concedes, as it must, that the “exceeds authorized access” clause prohibits only unlawful information “access,” not downstream information “‘misus[e].’” But the line between the two can be thin on the Government’s reading. Because purpose-based limits on access are often designed with an eye toward information misuse, they can be expressed as either access or use restrictions. For example, one police department might prohibit using a confidential database for a non-law-enforcement purpose (an access restriction), while another might prohibit using information from the database for a non-law-enforcement purpose (a use restriction). Conduct like Van Buren’s can be characterized either way, and an employer might not see much difference between the two. On the Government’s reading, however, the conduct would violate the CFAA only if the employer phrased the policy as an access restriction. An interpretation that stakes so much on a fine distinction controlled by the drafting practices of private parties is hard to sell as the most plausible.
In sum, an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer— such as files, folders, or databases—that are off limits to him. The parties agree that Van Buren accessed the law enforcement database system with authorization. The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could. Van Buren accordingly did not “excee[d] authorized access” to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose. We therefore reverse the contrary judgment of the Eleventh Circuit and remand the case for further proceedings consistent with this opinion.”
In short, the Supreme Court once again held that actual words in a statute have meaning and that federal criminal statutes are not all-purpose ethics statutes. The Van Buren decision follows a clear trend over the last decade of the Supreme Court overturning overly expansive DOJ interpretations of federal criminal statutes.
For instance in U.S. v. Skilling (2010), the Supreme Court rejected the DOJ’s “honest services fraud” theory of criminal prosecution. Instead of the broad construction the DOJ urged, the Court adopted a narrow interpretation of the relevant statute and reiterated “if Congress desires to go further, it must speak more clearly.”
Likewise in Bond v. U.S. (2013), the Supreme Court unanimously rejected the DOJ’s theory of criminal prosecution. Instead of the expansive construction of the term “chemical weapons” the DOJ urged, the Court adopted a narrow interpretation stating that the DOJ’s interpretation “would sweep in everything from the detergent under the kitchen sink to the stain remover in the laundry room.”
Similarly, as highlighted in this prior post, in U.S. v. Yates (2015), the Supreme Court again rejected the DOJ’s theory of criminal prosecution in the infamous are fish “tangible objects” case. Calling the DOJ’s enforcement theory an “unrestrained” and “unbounded” reading of relevant statute, the Court reversed the 11th Circuit’s opinion affirming the criminal conviction.
In U.S. v. McDonnell (2015) (see here for the prior post), the Supreme Court again rejected the DOJ’s theory of criminal prosecution. Calling the DOJ’s theory of prosecution “boundless,” the Court adopted a narrow interpretation of the meaning of “official action” (a term that also appears in the FCPA) in the federal bribery statute. As stated by the Court:
“There is no doubt that this case is distasteful; it may be worse than that. But our concern is not with tawdry tales of Ferraris, Rolexes, and ball gowns. It is instead with the broader legal implications of the Government’s boundless interpretation of the federal bribery statute. A more limited interpretation of the term “official act” leaves ample room for prosecuting corruption, while comporting with the text of the statute and the precedent of this Court.”
The McDonnell court further stated (internal citations omitted)
“[W]e cannot construe a criminal statute on the assumption that the Government will “use it responsibly.” The Court in Sun-Diamond declined to rely on “the Government’s discretion” to protect against overzealous prosecutions under §201, concluding instead that “a statute in this field that can linguistically be interpreted to be either a meat axe or a scalpel should reasonably be taken to be the latter.” A related concern is that, under the Government’s interpretation, the term “official act” is not defined “with sufficient definiteness that ordinary people can understand what conduct is prohibited,” or “in a manner that does not encourage arbitrary and discriminatory enforcement.” Under the “‘standardless sweep’” of the Government’s reading, public officials could be subject to prosecution, without fair notice, for the most prosaic interactions. “Invoking so shapeless a provision to condemn someone to prison” for up to 15 years raises the serious concern that the provision “does not comport with the Constitution’s guarantee of due process.” Our more constrained interpretation of §201(a)(3) avoids this “vagueness shoal.””
In Digital Realty Trust v. Somers (2018) (see here for the prior post) the Supreme Court once again reminded us that the law means what actual words in a specific statute say (not what other similar statutes may say) and not what the SEC interprets words in a statute to mean.
In Kelly v. U.S. (see here for the prior post) (the so-called Bridgegate case in which the DOJ charged former public officials who worked at or with the Port Authority of New York and New Jersey and had political ties to former New Jersey Governor Chris Christie), the Supreme Court unanimously reversed criminal convictions even though “the evidence the jury heard no doubt shows wrongdoing – deception, corruption, abuse of power.” In so doing, the court stated that “the federal fraud statutes at issue do not criminalize all such conduct” and that “not every corrupt act by state or local officials is a federal crime.”
And then of course there were Supreme Court benchslaps of SEC statute of limitations positions in Gabelli v. SEC (2013) (see here for the prior post) and Kokesh v. SEC (2017) (see here for the prior post) as well as the Supreme Court’s recent benchslap of the Federal Trade Commission (see here for the prior post).
What do the above cases have to do with the Foreign Corrupt Practices Act?
In the FCPA’s modern era, the FCPA enforcement agencies seem, in certain instances, to have converted the FCPA into an all-purpose corporate ethics statute. However, the FCPA has specific elements that must be met for there to be a violation.
Yet, given how the DOJ and SEC have chosen to enforce the FCPA – that is through resolution vehicles not subjected to any meaningful judicial scrutiny – courts are rarely given the opportunity to interpret the FCPA’s actual elements and in the FCPA’s 43 year history the Supreme Court has never heard an FCPA case.
It was presented with the opportunity in the Esquenazi “foreign official” challenge (i.e. are employees of SOE’s “foreign official” under the FCPA’s anti-bribery provisions) in 2014 but declined to hear the case. If the Supreme Court had accepted the Esquenazi case, many of the same statutory interpretation issues addressed by the Supreme Court in Skilling, Bond, Yates, McDonnell, Somers, Kelly, and Van Buren would have been relevant.
Indeed, the statutory interpretation issues in Esquenazi were even more compelling because: (i) competing versions of the FCPA Congress considered yet rejected, specifically included state-owned or state-controlled enterprise (SOE) concepts; and (ii) laws passed both before the FCPA and after the FCPA contain the term “instrumentality” as well as SOE concepts.
Many people in the FCPA space view the “foreign official” issue as settled because of one appellate court decision, flawed as it was.
Yet, as indicated by the above cases, the current Supreme Court has clearly, and consistently, rejected the government’s boundless interpretation of other federal criminal statutes or laws and it is probable that if the Court had accepted the Esquenazi case it would have done the same.
FCPA Institute Online
The most comprehensive online FCPA training course available. Over 12 hours of narrated instruction from Professor Koehler allowing professionals to elevate their FCPA knowledge and practical skills at their own pace.