You know the Supreme Court of the United States feels strongly about an issue when, in the Court’s parlance, it adds “extra icing on a cake already frosted.”
That is, in effect, what the Court did in Van Buren v. United States (No.19-783), an opinion issued last Thursday in which the Court reversed the Eleventh Circuit Court of Appeals in a prosecution arising under the Computer Fraud and Abuse Act (CFAA). After considering “the text, context, and structure” of the CFAA, the Court resolved the issue in dispute—i.e., the cake was “frosted.” But the Court then added “extra icing” and emphasized—again—its profound concerns with federal prosecutors using broad federal criminal laws to target ordinary, seemingly innocent conduct.
Van Buren concerned a “Georgia police sergeant [Van Buren] using his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money.” While he “used his own, valid credentials to perform the search, his conduct violated a department policy against obtaining database information for non-law-enforcement purposes.” The issue was whether Van Buren had “exceed[ed] authorized access” in violation of the CFAA by accessing the database for an improper purpose.
The Court analyzed “the text, context, and structure” of the CFAA and concluded Van Buren had not violated the CFAA. In doing so, the Court held: “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders or databases—that are off limits to him.” “The parties agree[d] that Van Buren accessed the law enforcement database system with authorization.” Further, both sides agreed “Van Buren could use the system to retrieve license-plate information.” Those undisputed facts established that Van Buren had not “exceed[ed] authorized access.” In other words, that Van Buren “obtained information from the database for an improper purpose” did not establish a violation of the CFAA, despite the Government’s arguments to the contrary.
Based on the foregoing analysis, the Court could have closed its opinion. The cake was “frosted.” But the Court added “extra icing on a cake already frosted” and addressed how the Government’s proposed reading of the CFAA over-criminalizes “commonplace computer activity” and “inject[s] arbitrariness into the assessment of criminal liability.” In other words, the Court went beyond the necessary reasoning to stress the alarming trend to criminalize seemingly innocuous activities through sweeping federal criminal statutes.
Taking the issues in turn, the Court highlighted that the Government’s broad interpretation of the CFAA would mean “millions of otherwise law-abiding citizens are criminals,” including “an employee who sends a personal e-mail or reads the news using her work computer” in violation of an employer policy that company computers “can be used only for business purposes.” The Court also noted that the Government’s reading could reach conduct ranging from “embellishing an online-dating profile to using a pseudonym on Facebook.”
The Court found the Government’s responses to these concerns unpersuasive. While the Government argued that the CFAA’s text “may well” limit “its prosecutorial power” and prevent prosecutions of ordinary conduct, it “stop[ped] far short of endorsing such limitations.” And its prior enforcement actions did not show the Government followed such limits. Nor does its CFAA charging policy prohibit such prosecutions—it leaves the door open to them.
Next, the Court pointed to the arbitrariness of the Government’s position. Though the Government conceded that the “exceeds authorized access” clause prohibits only unlawful information “access,” not downstream information “‘misus[e],’” the Court noted that “the line between the two can be thin on the Government’s reading.” As the Court observed: “Because purpose-based limits on access are often designed with an eye toward information misuse, they can be expressed as either access or use restrictions. For example, one police department might prohibit using a confidential database for a non-law-enforcement purpose (an access restriction), while another might prohibit using information from the database for a non-law-enforcement purpose (a use restriction).”
While “an employer might not see much difference between the two,” the Government’s position was that the CFAA only proscribes violation of an “access restriction.” The Court brushed that position aside as implausible: “An interpretation that stakes so much on a fine distinction controlled by the drafting practices of private parties is hard to sell as the most plausible.”
Van Buren is only the most recent example of the Supreme Court’s obvious concern with the trend to criminalize apparently innocent conduct. Our white-collar crime and government investigations team has handled many cases involving federal criminal laws proscribing malum prohibitum conduct where over-criminalization of certain seemingly innocent activity is a major concern. If you have a question about a federal criminal matter, please do not hesitate to give us a call today.
 As to this point, the dissent agreed: “[t]he number of federal laws and regulations that trigger criminal penalties may be as high as several hundred thousand,” and, further, “[i]t is understandable to be uncomfortable with so much conduct being criminalized[.]” Be that as it may, the dissent argued, “that discomfort does not give us authority to alter statutes.”
 Malum in se means wrong in and of itself (e.g., murder, rape, robbery); regardless of what the law says, such conduct is impermissible. By contrast, malum prohibitum refers to conduct that is wrong only because it is prohibited by law; for example, “the failure to pay a particular tax or register a gun.” United States v. Urfer, 287 F.3d 663, 666 (7th Cir. 2002) (Posner, J.).