The Federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the 2021 SCOTUS Limitation on Arrests and Prosecutions

In 1986, Congress passed the Computer Fraud and Abuse Act (“CFAA”), 18 USC §1030, that defines both civil and criminal liability for “…[w]hoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information.” 18 U.S.C. § 1030(a)(2).

Last year, from a federal computer crime defense perspective, big changes happened.  The Supreme Court of the United States defined the scope of this law, and how it is to be read and applied, after hearing a case of a police officer who was arrested for violating its provisions.  Van Buren v. United States, 141 S. Ct. 1648, 593 U.S., 210 L. Ed. 2d 26 (2021).  The policeman’s conviction was reversed and the lower court’s decision vacated and remanded.  See, United States v. Buren, 5 F.4th 1327 (11th Cir. 2021). 

Here’s what happened and why it is important for the criminal defense of federal computer crime investigations and arrests in the State of Texas.

What Georgia Cop Nathan Van Buren Did – and Why

Drive about forty-five minutes northeast from Atlanta, a ways past Alpharetta on US Route 19, and you will arrive in Cumming, Georgia, a small town best known for its proximity to a state park system and serving as part of the suburban communities for the Atlanta metroplex.   It was here that Nathan Van Buren served the local police department as a police officer when he was investigated and arrested by agents of the Federal Bureau of Investigation (“FBI”) on federal felony charges.

Specifically, he was charged under a federal grand jury indictment with one count of honest-services wire fraud, in violation of 18 U.S.C. §§ 1343 and 1346, alongside one count of felony computer fraud in violation of 18 U.S.C. § 1030 (CFAA).  The case was presented to a full jury trial, and Nathan Van Buren was convicted on both counts.

The details surrounding Officer Van Buren’s arrest and federal charges were described by the 11^th Circuit Court of Appeals in its decision upholding his conviction.   United States v. Van Buren, 940 F.3d 1192, 1197-98 (11th Cir. 2019).  It is an interesting read.

From the appellate opinion:

Nathan Van Buren was a sergeant with the Cumming, Georgia, Police Department. In his capacity as a police officer, Van Buren came to know a man named Andrew Albo. Albo was a recent widower in his early sixties, who allegedly fancied younger women, including minors and prostitutes. He allegedly paid prostitutes to spend time with him and then often accused the women of stealing the money he gave them. At least one woman also alleged Albo surreptitiously recorded and harassed her. The Deputy Chief of Police in the Cumming Police Department believed that Albo “had a mental health condition” and considered Albo to be “very volatile,” so he warned his officers to “be careful” with Albo.

Van Buren did not heed the Deputy Chief’s caveat. Instead, he fostered a relationship with Albo. Van Buren, who first met Albo when he helped arrest Albo for providing alcohol to a minor, often handled the disputes between Albo and various women. At the time, Van Buren was grappling with financial difficulties, and Van Buren saw in Albo a chance to improve his situation. So Van Buren decided to ask Albo for a loan. To justify his request, Van Buren falsely claimed he needed $15,368 to settle his son’s medical bills. He explained to Albo that he could not obtain a loan from a bank because he had shoddy credit.

Unbeknownst to Van Buren, however, Albo recorded their conversations. Albo presented the recording of Van Buren’s loan solicitation to a detective in the Forsyth County Sheriff’s Office. He told the detective that Van Buren was “shak[ing] him down for his money.” Albo’s complaint drew the suspicion of the FBI, which created a sting operation to test how far Van Buren was willing to go for money. Under the plan, Albo was to give Van Buren some cash, and in exchange, Albo was to ask Van Buren to tell him whether Carson, a woman he supposedly met at a strip club, was an undercover police officer.

Over a series of meetings and communications monitored and recorded by the FBI, Albo put the plan into action. At lunch with Van Buren on August 21, 2015, Albo handed Van Buren an envelope with $5,000, telling him that this was “not the whole thing.” Van Buren offered to pay Albo back, but Albo waved that off, saying money was “not the issue.” Instead, Albo told Van Buren he had met a woman he liked at a strip club, but he needed to know if she was an undercover officer before he would pursue her further. Van Buren agreed to help.

On August 31, Albo followed up on a previous discussion the pair had had about searching the woman’s license plate in the police database. During that conversation, Albo asked Van Buren whether he had had a chance to conduct the search yet. Van Buren replied, “As far as running the plates, I don’t—I don’t think I got the right plate numbers from you.” Van Buren then told Albo to just text him the plate number, so Albo texted Van Buren “Pkp” and “1568,” a fake license plate number created by the FBI. Van Buren responded that he would look into the matter, but he would need the “item” first. Albo replied that he had “2,” and the pair scheduled to meet for lunch.

At lunch, Albo passed Van Buren an envelope containing $1,000 and apologized that he did not have $2,000, as they had discussed. Van Buren asked Albo for the woman’s name, explaining that “the car may not [be] registered to her.” After learning that her name was Carson, Van Buren promised to attend to the matter promptly, and Albo responded, “then I will have all the money for you.”

A few days later, on September 2, 2015, Van Buren searched for license-plate number PKP1568 in the Georgia Crime Information Center (“GCIC”) database, an official government database maintained by the Georgia Bureau of Investigation (“GBI”) and connected to the National Crime Information Center (“NCIC”) maintained by the FBI. Van Buren then texted Albo to tell him he had information for him.

The next day, the FBI and GBI arrived at Van Buren’s doorstep and conducted an interview with Van Buren. During the interview, Van Buren admitted he had concocted a fake story about his son’s need for surgery to justify asking Albo for $15,000. He also conceded he had received a total of $6,000 from Albo. In addition, Van Buren confessed he had run a tag search for Albo and he knew doing so was “wrong.” And while Van Buren asserted that $5,000 of the money he received from Albo was a “gift,” he did reply “I mean he gave me $1,000” when asked if he received anything in exchange for running the tag. Finally, Van Buren conceded he understood the purpose of running the tag was to discover and reveal to Albo whether Carson was an undercover officer.

The Van Buren Opinion: SCOTUS

In June 2021, the Supreme Court of the United States published its review of the federal appellate determinations of the 11^th Circuit and clarified that the CFAA does not form the basis of a criminal arrest and prosecution if the user is authorized in some way to access the computer information.  Van Buren v. United States, 141 S. Ct. 1648, 593 U.S., 210 L. Ed. 2d 26 (2021) (“VanBuren”).

In so doing, the arrest of a police officer in a small town in Georgia becomes an important precedent here in Texas for any criminal felony allegations by federal prosecutors of federal computer crime fraud using the longstanding CFAA.

What is the CFAA?

The federal law has not been routed, of course.  The CFAA is still the federal act that makes it illegal for someone to violate computer systems that are connected to the internet in this country.  It works with other federal statutes, such as the 2008 Identity Theft Enforcement and Restitution Act, to combat the use of computers for fraudulent purposes.

Computers Under the CFAA

Under the CFAA (18 USC § 1030(e)(1)), the word “computer” has a very broad definition. It includes “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device.”

This means federal agents can snoop into activities not only on a work computer in an office space, but also a computer installed in a police car, as well as any company-provided laptops, smartphones, or even someone’s e-reader (e.g., Kindle, Nook), tablet (e.g., iPad, Fire) or video game console (e.g., X-Box, PlayStation) as long as the gizmo has the ability to connect with the internet.

The Seven Illegal Acts Under the CFAA

The CFAA has seven (7) provisions within its first subsection (§1030(a)) that criminalize the use of a computer for the following with its second subsection (§1030(b)) making it a federal felony if anyone attempts or conspires to do any of the following:

• Espionage (18 U.S.C. 1030(a)(1))
• Obtaining Information by Unauthorized Computer Access (18 U.S.C. 1030(a)(2))
• Trespassing in Government Cyberspace (18 U.S.C. 1030(a)(3))
• Fraud (18 U.S.C. 1030(a)(4))
• Causing Damage (18 U.S.C. 1030(a)(5))
• Trafficking (18 U.S.C. 1030(a)(6))
• Extortion (18 U.S.C.1030(a)(7)).

These are serious charges.  Under the CFAA’s third subsection (§1030(c)), there is the possibility of a sentence of life imprisonment if someone is shown to have died as a result of the accused’s intentional damage of a computer.

What Van Buren Changes in the CFAA

Before the SCOTUS ruling, the United States Court of Appeals for the Fifth Circuit, which governs federal cases within the State of Texas, had agreed with the Eleventh Circuit that under the CFAA the accused “exceeds authorized access” of the computer if he accesses information otherwise available to him for an unauthorized purpose.

SCOTUS has ruled in Van Buren that the CFAA makes it illegal to get information from databases, files, folders, drives, etc., on a computer if the accused is not authorized to access it.  If the person can be shown to have the authority to use the computer or access that database, file, folder, drive, etc., then he cannot be held to violate the CFAA by federal prosecutors – even if it was for an unauthorized reason.

From the SCOTUS Opinion:

In sum, an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases —that are off limits to him. The parties agree that Van Buren accessed the law enforcement database system with authorization. The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could. Van Buren accordingly did not “excee[d] authorized access” to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose. We therefore reverse the contrary judgment of the Eleventh Circuit and remand the case for further proceedings consistent with this opinion.

Van Buren, 141 S.Ct. at 1662.

Impact of the Van Buren Decision

Particularly for criminal defense attorneys practicing in the Fifth Circuit and the Eleventh Circuit, where SCOTUS has overruled past appellate court constructions of the CFAA, the 2021 VanBuren decision is extremely important when any federal agent or prosecutor is looking into the actions of an individual for possible computer felony charges.

First of all, VanBuren can be used to counter any allegations that an employee who is using a company computer (or laptop or smartphone) for non-business reasons is violating the CFAA.

Secondly, VanBuren defines hacking under the CFAA to involve “outside hackers” where the accused is shown to have accessed a computer “without authorization.”  From SCOTUS: “… one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” Van Buren, 141 S.Ct. at 1650-51.

Additionally, this SCOTUS holding arguably protects individuals who are doing things like using an alias on Facebook, Instagram, or Twitter (or another social media website) from being held in violation of the CFAA if they are doing so in violation of that social media platform’s Terms and Conditions.

Criminal Defense of Computer Fraud Charges Based Upon CFAA: Access Key

By its ruling in VanBuren, SCOTUS has returned the CFAA to the earlier years of prosecution as a clear “anti-hacking” law where hackers are proven to have illegally accessed the computer (laptop, smartphone, etc.)  Allegations against employees, students, and others that they have illegally used information found via a computer cannot sustain a conviction under CFAA if they can provide the defense that they were given access to that device and were authorized to use it.

For more on state and federal fraud charges, read our earlier discussions in:

• Arrested for Bank Fraud in Texas;
• Consumer Insurance Fraud: Crime Involving Submission of Insurance Claims;
• Mortgage Fraud “Straw Buyer” Cases Are Major Target of Federal Fraud Investigations;
• PPP Fraud: Government Loans and Federal Arrests Based on COVID-19 Relief;
• Medical Identity Theft: Texas Criminal Defense of Health Care Fraud Charges; and
• Online Impersonation: Catfishing is Illegal in Texas.

For more on sentencing concerns in defense of federal fraud cases, see:

• Federal Crimes and Sentencing Guidelines: Health Care Fraud;
• Relevant Conduct in the Federal Sentencing Guidelines: Acquittals And Uncharged Conduct; and
• Loss Amounts in Federal Sentences: Calculating Economic and Financial Losses in Federal Felonies.

_____________________________________

For more information, check out our web resources, read Michael Lowe’s Case Results, and read his in-depth articles,” Pre-Arrest Criminal Investigations” and “White Collar Crime: Indictments Of Texas Professionals.”