# The Supreme Court Narrows the CFAA: What Van Buren Means for "Exceeds Authorized Access"
*The Computer Fraud and Abuse Act is the federal government's primary anti-hacking statute — and for years no one was sure how far it reached. In 2021 the Supreme Court drew a hard line: misusing access you legitimately have is not a federal computer crime.*
In Van Buren v. United States, the Supreme Court resolved a decades-long split over the Computer Fraud and Abuse Act (CFAA) and adopted a narrow reading of its most litigated phrase — "exceeds authorized access." For contractors, the ruling matters because the CFAA is the statute most often invoked when an insider misuses data, and Van Buren sharply limits when that conduct becomes a federal crime.
What the Case Was About
Nathan Van Buren, a Georgia police sergeant, used his valid credentials to run a license-plate search in a law-enforcement database in exchange for money. He was authorized to use the database — but not for that purpose. He was convicted under the CFAA's "exceeds authorized access" provision, which reaches anyone who accesses a computer with authorization but then obtains information they are "not entitled so to obtain." The government's theory was sweeping: any access for an improper purpose — violating an employer policy, a website's terms of service, or a database use restriction — could be a federal crime.
What the Court Held
In a 6–3 decision by Justice Barrett, the Court rejected the government's purpose-based reading. "Exceeds authorized access," it held, applies only when someone accesses files, folders, databases, or other areas of a computer that are off-limits to them — not when they access information they are otherwise allowed to obtain but do so for a forbidden reason. The Court adopted a "gates-up-or-down" framework: either you are entitled to access the area or you are not; why you accessed it is irrelevant to CFAA liability. The Court warned that the government's broader reading would "criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook."
Why It Matters for Contractors
- Insider misuse is not automatically a CFAA violation. An employee authorized to access a system but who uses the data improperly may breach policy, an NDA, or the False Claims Act — but, after Van Buren, has not necessarily committed a federal computer crime.
- The CFAA is not your access-control policy. Contractors cannot rely on the CFAA to police every internal misuse of authorized data. Role-based access controls, monitoring, and contractual remedies do that work.
- It reframes scraping and research disputes. Van Buren's logic drove the civil scraping fights that followed and the research-access ruling in Sandvig v. Barr.
Key Takeaways
- Van Buren (2021) limits the CFAA's "exceeds authorized access" clause to accessing off-limits areas of a system — not misusing data you were allowed to reach.
- Violating an employer policy or a site's terms of service is, by itself, not a federal computer crime after Van Buren.
- Contractors should protect data with access controls and contracts, not by assuming the CFAA criminalizes every internal misuse.
Build the foundation in Cybersecurity 101, see the Computer Fraud and Abuse Act statute page, and compare the civil scraping line in hiQ v. LinkedIn.
*Source: Van Buren v. United States, 593 U.S. 374 (2021) (No. 19-783)*