(Slip Opinion) OCTOBER TERM, 2020 1
Syllabus
NOTE: Where it is feasible, a syllabus (headnote) will be released, as is
being done in connection with this case, at the time the opinion is issued.
The syllabus constitutes no part of the opinion of the Court but has been
prepared by the Reporter of Decisions for the convenience of the reader.
See United States v. Detroit Timber & Lumber Co., 200 U. S. 321, 337.
SUPREME COURT OF THE UNITED STATES
Syllabus
VAN BUREN v. UNITED STATES
CERTIORARI TO THE UNITED STATES COURT OF APPEALS FOR
THE ELEVENTH CIRCUIT
No. 19–783. Argued November 30, 2020—Decided June 3, 2021
Former Georgia police sergeant Nathan Van Buren used his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. Although Van Buren used his own, valid credentials to perform the search, his conduct violated a department policy against obtaining database information for non-law-enforcement purposes. Unbeknownst to Van Buren, his actions were part of a Federal Bureau of Investigation sting operation. Van Buren was charged with a felony violation of the Computer Fraud and Abuse Act of 1986 (CFAA), which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U. S. C. §1030(a)(2). The term “exceeds authorized access” is defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6). A jury convicted Van Buren, and the District Court sentenced him to 18 months in prison. Van Buren appealed to the Eleventh Circuit, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have. Consistent with Eleventh Circuit precedent, the panel held that Van Buren had violated the CFAA.
Held: An individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him. Pp. 5–20.
(a) (1) The parties agree that Van Buren “access[ed] a computer with authorization” and “obtain[ed] . . . information in the computer.” They dispute whether Van Buren was “entitled so to obtain” that information. Van Buren contends that the word “so” serves as a term of reference and that the disputed phrase thus asks whether one has the right, in “the same manner as has been stated,” to obtain the relevant information. Black’s Law Dictionary 1246. He also notes that the only manner of obtaining information already stated in the definitional provision is by a computer one is authorized to access. Thus, he continues, the phrase “is not entitled so to obtain” plainly refers to information one is not allowed to obtain by using a computer that he is authorized to access. The Government argues that “so” sweeps more broadly, reading the phrase “is not entitled so to obtain” to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. And the manner or circumstances in which one has a right to obtain information, the Government says, are defined by any “specifically and explicitly” communicated limits on one’s right to access information. Van Buren’s account of “so” best aligns with the term’s plain meaning as a term of reference, as further reflected by other federal statutes that use “so” the same way. Pp. 5–8.
(2) The Government contends that Van Buren’s reading renders the word “so” superfluous. “So” makes a valuable contribution, the Government insists, only if it incorporates all of the circumstances that might qualify a person’s right to obtain information. The Court disagrees because without “so,” the statute could be read to incorporate all kinds of limitations on one’s entitlement to information. Pp. 8–9.
(3) The dissent accepts Van Buren’s definition of “so,” but would arrive at the Government’s result by way of the word “entitled.” According to the dissent, the term “entitled” demands a “circumstance dependent” analysis of whether access was proper. But the word “entitled” is modified by the phrase “so to obtain.” That phrase in turn directs the reader to consider a specific limitation on the accesser’s entitlement: his entitlement to obtain the information “in the manner previously stated.” And as already explained, the manner previously stated is using a computer one is authorized to access. To arrive at its interpretation, the dissent must write the word “so” out of the statute. Pp. 9–10.
(4) The Government contends that in “common parlance,” the phrase “exceeds authorized access” would be understood to mean that Van Buren “exceed[ed] his authorized access” to the law enforcement database when he obtained license-plate information for personal purposes. The relevant question, however, is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase. For reasons given elsewhere, he did not. Nor is it contrary to the meaning of the defined term to equate “exceed[ing] authorized access” with the act of entering a part of the system to which a computer user lacks access privileges. Pp. 11–12.
(b) The statute’s structure further cuts against the Government’s position. Subsection (a)(2) specifies two distinct ways of obtaining information unlawfully—first, when an individual “accesses a computer without authorization,” §1030(a)(2), and second, when an individual “exceeds authorized access” by accessing a computer “with authorization” and then obtaining information he is “not entitled so to obtain,” §§1030(a)(2), (e)(6). Van Buren contends that the “without authorization” clause protects computers themselves from outside hackers, while the “exceeds authorized access” clause provides complementary protection for certain information within computers by targeting so-called inside hackers. Under Van Buren’s reading, liability under both clauses stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system. This treats the clauses consistently and aligns with the computer-context understanding of access as entry. By contrast, the Government proposes to read the first phrase “without authorization” as a gates-up-or-down inquiry and the second phrase “exceeds authorized access” as dependent on the circumstances—a reading inconsistent with subsection (a)(2)’s design and structure. The Government’s reading leaves unanswered why the statute would prohibit accessing computer information, but not the computer itself, for an improper purpose.
Another structural problem for the Government: §1030(a)(2) also gives rise to civil liability, §1030(g), with the statute defining “damage” and “loss” to specify what a plaintiff in a civil suit can recover. §§1030(e)(8), (11). Both terms focus on technological harms to computer data or systems. Such provisions make sense in a scheme aimed at avoiding the ordinary consequences of hacking but are ill fitted to remediating “misuse” of sensitive information that employees permissibly access using their computers. Pp. 12–16.
(c) The Government’s claims that precedent and statutory history support its interpretation are easily dispatched. This Court’s decision in Musacchio v. United States, 577 U. S. 237, did not address the issue here, and the Court is not bound to follow any dicta in the case. As for statutory history, the Government claims that the original 1984 Act’s precursor to the “exceeds authorized access” language—which covered any person who, “having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend”—supports its reading. But that Congress removed any reference to “purpose” in the CFAA cuts against reading the statute to cover purpose-based limitations. Pp. 16–17.
(d) The Government’s interpretation of the “exceeds authorized access” clause would attach criminal penalties to a breathtaking amount of commonplace computer activity. For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA. The Government speculates that other provisions might limit its prosecutorial power, but its charging practice and policy indicate otherwise. The Government’s approach would also inject arbitrariness into the assessment of criminal liability, because whether conduct like Van Buren’s violated the CFAA would depend on how an employer phrased the policy violated (as a “use” restriction or an “access” restriction). Pp. 17–20.
940 F. 3d 1192, reversed and remanded.
BARRETT, J., delivered the opinion of the Court, in which BREYER, SOTOMAYOR, KAGAN, GORSUCH, and KAVANAUGH, JJ., joined. THOMAS, J., filed a dissenting opinion, in which ROBERTS, C. J., and ALITO, J., joined.
Cite as: 593 U. S. ____ (2021) 1
Opinion of the Court
NOTICE: This opinion is subject to formal revision before publication in the preliminary print of the United States Reports. Readers are requested to notify the Reporter of Decisions, Supreme Court of the United States, Washington, D. C. 20543, of any typographical or other formal errors, in order that corrections may be made before the preliminary print goes to press.
SUPREME COURT OF THE UNITED STATES
_________________
No. 19–783
_________________
NATHAN VAN BUREN, PETITIONER v.
UNITED STATES
ON WRIT OF CERTIORARI TO THE UNITED STATES COURT OF
APPEALS FOR THE ELEVENTH CIRCUIT
[June 3, 2021]
JUSTICE BARRETT delivered the opinion of the Court.
Nathan Van Buren, a former police sergeant, ran a license-plate search in a law enforcement computer database in exchange for money. Van Buren’s conduct plainly flouted his department’s policy, which authorized him to obtain database information only for law enforcement purposes. We must decide whether Van Buren also violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.
I
A
Technological advances at the dawn of the 1980s brought computers to schools, offices, and homes across the Nation. But as the public and private sectors harnessed the power of computing for improvement and innovation, so-called hackers hatched ways to coopt computers for illegal ends. After a series of highly publicized hackings captured the public’s attention, it became clear that traditional theft and trespass statutes were ill suited to address cybercrimes that did not deprive computer owners of property in the traditional sense. See Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N. Y. U. L. Rev. 1596, 1605–1613 (2003).
Congress, following the lead of several States, responded by enacting the first federal computer-crime statute as part of the Comprehensive Crime Control Act of 1984. §2102(a), 98 Stat. 2190–2192. A few years later, Congress passed the CFAA, which included the provisions at issue in this case. The Act subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains computer information. 18 U. S. C. §1030(a)(2). It defines the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6).
Initially, subsection (a)(2)’s prohibition barred accessing only certain financial information. It has since expanded to cover any information from any computer “used in or affecting interstate or foreign commerce or communication.” §1030(e)(2)(B). As a result, the prohibition now applies—at a minimum—to all information from all computers that connect to the Internet. §§1030(a)(2)(C), (e)(2)(B).
Those who violate §1030(a)(2) face penalties ranging from fines and misdemeanor sentences to imprisonment for up to 10 years. §1030(c)(2). They also risk civil liability under the CFAA’s private cause of action, which allows persons suffering “damage” or “loss” from CFAA violations to sue for money damages and equitable relief. §1030(g).
B
This case stems from Van Buren’s time as a police sergeant in Georgia. In the course of his duties, Van Buren crossed paths with a man named Andrew Albo. The deputy chief of Van Buren’s department considered Albo to be “very volatile” and warned officers in the department to deal with him carefully. Notwithstanding that warning, Van Buren developed a friendly relationship with Albo. Or so Van Buren thought when he went to Albo to ask for a personal loan. Unbeknownst to Van Buren, Albo secretly recorded that request and took it to the local sheriff’s office, where he complained that Van Buren had sought to “shake him down” for cash.
The taped conversation made its way to the Federal Bureau of Investigation (FBI), which devised an operation to see how far Van Buren would go for money. The steps were straightforward: Albo would ask Van Buren to search the state law enforcement computer database for a license plate purportedly belonging to a woman whom Albo had met at a local strip club. Albo, no stranger to legal troubles, would tell Van Buren that he wanted to ensure that the woman was not in fact an undercover officer. In return for the search, Albo would pay Van Buren around $5,000.
Things went according to plan. Van Buren used his patrol-car computer to access the law enforcement database with his valid credentials. He searched the database for the license plate that Albo had provided. After obtaining the FBI-created license-plate entry, Van Buren told Albo that he had information to share.
The Federal Government then charged Van Buren with a felony violation of the CFAA on the ground that running the license plate for Albo violated the “exceeds authorized access” clause of 18 U. S. C. §1030(a)(2).[1] The trial evidence showed that Van Buren had been trained not to use the law enforcement database for “an improper purpose,” defined as “any personal use.” App. 17. Van Buren therefore knew that the search breached department policy. And according to the Government, that violation of department policy also violated the CFAA. Consistent with that position, the Government told the jury that Van Buren’s access of the database “for a non[-]law[-]enforcement purpose” violated the CFAA “concept” against “using” a computer network in a way contrary to “what your job or policy prohibits.” Id., at 39. The jury convicted Van Buren, and the District Court sentenced him to 18 months in prison.
Van Buren appealed to the Eleventh Circuit, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have. While several Circuits see the clause Van Buren’s way, the Eleventh Circuit is among those that have taken a broader view.[2] Consistent with its Circuit precedent, the panel held that Van Buren had violated the CFAA by accessing the law enforcement database for an “inappropriate reason.” 940 F. 3d 1192, 1208 (2019). We granted certiorari to resolve the split in authority regarding the scope of liability under the CFAA’s “exceeds authorized access” clause. 590 U. S. ___ (2020).
——————
[1] Van Buren also was charged with and convicted of honest-services wire fraud. In a separate holding not at issue here, the United States Court of Appeals for the Eleventh Circuit vacated Van Buren’s honest-services fraud conviction as contrary to this Court’s decision in McDonnell v. United States, 579 U. S. 550 (2016).
[2] Compare Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F. 3d 756 (CA6 2020); United States v. Valle, 807 F. 3d 508 (CA2 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F. 3d 199 (CA4 2012); United States v. Nosal, 676 F. 3d 854 (CA9 2012) (en banc), with United States v. Rodriguez, 628 F. 3d 1258 (CA11 2010); United States v. John, 597 F. 3d 263 (CA5 2010); International Airport Centers, L.L.C. v. Citrin, 440 F. 3d 418 (CA7 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F. 3d 577 (CA1 2001).
II
A
1
Both Van Buren and the Government raise a host of policy arguments to support their respective interpretations. But we start where we always do: with the text of the statute. Here, the most relevant text is the phrase “exceeds authorized access,” which means “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.” §1030(e)(6).
The parties agree that Van Buren “access[ed] a computer with authorization” when he used his patrol-car computer and valid credentials to log into the law enforcement database. They also agree that Van Buren “obtain[ed] . . . information in the computer” when he acquired the license-plate record for Albo. The dispute is whether Van Buren was “entitled so to obtain” the record.
“Entitle” means “to give . . . a title, right, or claim to something.” Random House Dictionary of the English Language 649 (2d ed. 1987). See also Black’s Law Dictionary 477 (5th ed. 1979) (“to give a right or legal title to”). The parties agree that Van Buren had been given the right to acquire license-plate information—that is, he was “entitled to obtain” it—from the law enforcement computer database. But was Van Buren “entitled so to obtain” the license-plate information, as the statute requires?
Van Buren says yes. He notes that “so,” as used in this statute, serves as a term of reference that recalls “the same manner as has been stated” or “the way or manner described.” Black’s Law Dictionary, at 1246; 15 Oxford English Dictionary 887 (2d ed. 1989). The disputed phrase “entitled so to obtain” thus asks whether one has the right, in “the same manner as has been stated,” to obtain the relevant information. And the only manner of obtaining information already stated in the definitional provision is “via a computer [one] is otherwise authorized to access.” Reply Brief 3. Putting that together, Van Buren contends that the disputed phrase—“is not entitled so to obtain”—plainly refers to information one is not allowed to obtain by using a computer that he is authorized to access. On this reading, if a person has access to information stored in a computer—e.g., in “Folder Y,” from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.
The Government agrees that the statute uses “so” in the word’s term-of-reference sense, but it argues that “so” sweeps more broadly. It reads the phrase “is not entitled so to obtain” to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. The manner or circumstances in which one has a right to obtain information, the Government says, are defined by any “specifically and explicitly” communicated limits on one’s right to access information. Brief for United States 19. As the Government sees it, an employee might lawfully pull information from Folder Y in the morning for a permissible purpose—say, to prepare for a business meeting—but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purpose—say, to help draft a resume to submit to a competitor employer.
The Government’s interpretation has surface appeal but proves to be a sleight of hand. While highlighting that “so” refers to a “manner or circumstance,” the Government simultaneously ignores the definition’s further instruction that such manner or circumstance already will “ ‘ha[ve] been stated,’ ” “ ‘asserted,’ ” or “ ‘described.’ ” Id., at 18 (quoting Black’s Law Dictionary, at 1246; 15 Oxford English Dictionary, at 887). Under the Government’s approach, the relevant circumstance—the one rendering a person’s conduct illegal—is not identified earlier in the statute. Instead, “so” captures any circumstance-based limit appearing anywhere—in the United States Code, a state statute, a private agreement, or anywhere else. And while the Government tries to cabin its interpretation by suggesting that any such limit must be “specifically and explicitly” stated, “express,” and “inherent in the authorization itself,” the Government does not identify any textual basis for these guardrails. Brief for United States 19; Tr. of Oral Arg. 41.
Van Buren’s account of “so”—namely, that “so” references the previously stated “manner or circumstance” in the text of §1030(e)(6) itself—is more plausible than the Government’s. “So” is not a free-floating term that provides a hook for any limitation stated anywhere. It refers to a stated, identifiable proposition from the “preceding” text; indeed, “so” typically “[r]epresent[s]” a “word or phrase already employed,” thereby avoiding the need for repetition. 15 Oxford English Dictionary, at 887; see Webster’s Third New International Dictionary 2160 (1986) (so “often used as a substitute . . . to express the idea of a preceding phrase”). Myriad federal statutes illustrate this ordinary usage.[3] We agree with Van Buren: The phrase “is not entitled so to obtain” is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.[4]
——————
[3] See, e.g., 7 U. S. C. §171(8) (authorizing Secretary of Agriculture “[t]o sell guayule or rubber processed from guayule and to use funds so obtained in replanting and maintaining an area”); 18 U. S. C. §648 (any person responsible for “safe-keeping of the public moneys” who “loans, uses, or converts to his own use . . . any portion of the public moneys . . . is guilty of embezzlement of the money so loaned, used, converted, deposited, or exchanged”); §1163 (“[W]hoever embezzles, steals, [or] knowingly converts to his use” money or property “belonging to any Indian tribal organization,” or “[w]hoever, knowing any such moneys . . . or other property to have been so embezzled, stolen, [or] converted . . . retains the same with intent to convert it to his use,” is subject to punishment); §1708 (“[W]hoever steals, takes, or abstracts, or by fraud or deception obtains, or attempts so to obtain,” parcels of mail is subject to punishment).
[4] The dissent criticizes this interpretation as inconsistent with “basic principles of property law,” and in particular the “familiar rule that an entitlement to use another person’s property is circumstance specific.” Post, at 4–5 (opinion of THOMAS, J.). But common-law principles “should be imported into statutory text only when Congress employs a common-law term”—not when Congress has outlined an offense “analogous to a common-law crime without using common-law terms.” Carter v. United States, 530 U. S. 255, 265 (2000) (emphasis deleted). Relying on the common law is particularly ill advised here because it was the failure of pre-existing law to capture computer crime that helped spur Congress to enact the CFAA. See supra, at 2.
2
The Government’s primary counterargument is that Van Buren’s reading renders the word “so” superfluous. Recall the definition: “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.” §1030(e)(6) (emphasis added). According to the Government, “so” adds nothing to the sentence if it refers solely to the earlier stated manner of obtaining the information through use of a computer one has accessed with authorization. What matters on Van Buren’s reading, as the Government sees it, is simply that the person obtain information that he is not entitled to obtain—and that point could be made even if “so” were deleted. By contrast, the Government insists, “so” makes a valuable contribution if it incorporates all of the circumstances that might qualify a person’s right to obtain information. Because only its interpretation gives “so” work to do, the Government contends, the rule against superfluity means that its interpretation wins. See Republic of Sudan v. Harrison, 587 U. S. ___, ___ (2019) (slip op., at 10).
But the canon does not help the Government because Van Buren’s reading does not render “so” superfluous. As Van Buren points out, without “so,” the statute would allow individuals to use their right to obtain information in nondigital form as a defense to CFAA liability. Consider, for example, a person who downloads restricted personnel files he is not entitled to obtain by using his computer. Such a person could argue that he was “entitled to obtain” the information if he had the right to access personnel files through another method (e.g., by requesting hard copies of the files from human resources). With “so,” the CFAA forecloses that theory of defense. The statute is concerned with what a person does on a computer; it does not excuse hacking into an electronic personnel file if the hacker could have walked down the hall to pick up a physical copy.
This clarification is significant because it underscores that one kind of entitlement to information counts: the right to access the information by using a computer. That can expand liability, as the above example shows. But it narrows liability too. Without the word “so,” the statute could be read to incorporate all kinds of limitations on one’s entitlement to information. The dissent’s take on the statute illustrates why.
3
While the dissent accepts Van Buren’s definition of “so,” it would arrive at the Government’s result by way of the word “entitled.” One is “entitled” to do something, the dissent contends, only when “ ‘proper grounds’ ” are in place. Post, at 3 (opinion of THOMAS, J.) (quoting Black’s Law Dictionary, at 477). Deciding whether a person was “entitled” to obtain information, the dissent continues, therefore demands a “circumstance dependent” analysis of whether access was proper. Post, at 3. This reading, like the Government’s, would extend the statute’s reach to any circumstance-based limit appearing anywhere.
The dissent’s approach to the word “entitled” fares fine in the abstract but poorly in context. The statute does not refer to “information . . . that the accesser is not entitled to obtain.” It refers to “information . . . that the accesser is not entitled so to obtain.” 18 U. S. C. §1030(e)(6) (emphasis added). The word “entitled,” then, does not stand alone, inviting the reader to consider the full scope of the accesser’s entitlement to information. The modifying phrase “so to obtain” directs the reader to consider a specific limitation on the accesser’s entitlement: his entitlement to obtain the information “in the manner previously stated.” Supra, at 7. And as already explained, the manner previously stated is using a computer one is authorized to access. Thus, while giving lipservice to Van Buren’s reading of “so,” the dissent, like the Government, declines to give “so” any limiting function.[5]
The dissent cannot have it both ways. The consequence of accepting Van Buren’s reading of “so” is the narrowed scope of “entitled.” In fact, the dissent’s examples implicitly concede as much: They all omit the word “so,” thereby giving “entitled” its full sweep. See post, at 3–4. An approach that must rewrite the statute to work is even less persuasive than the Government’s.
——————
[5] For the same reason, the dissent is incorrect when it contends that our interpretation reads the additional words “under any possible circumstance” into the statute. Post, at 3 (emphasis deleted). Our reading instead interprets the phrase “so to obtain” to incorporate the single “circumstance” of permissible information access identified by the statute: obtaining the information by using one’s computer.
4
The Government falls back on what it describes as the “common parlance” meaning of the phrase “exceeds authorized access.” Brief for United States 20–21. According to the Government, any ordinary speaker of the English language would think that Van Buren “exceed[ed] his authorized access” to the law enforcement database when he obtained license-plate information for personal purposes. Id., at 21. The dissent, for its part, asserts that this point “settles” the case. Post, at 9.
If the phrase “exceeds authorized access” were all we had to go on, the Government and the dissent might have a point. But both breeze by the CFAA’s explicit definition of the phrase “exceeds authorized access.” When “a statute includes an explicit definition” of a term, “we must follow that definition, even if it varies from a term’s ordinary meaning.” Tanzin v. Tanvir, 592 U. S. ___, ___ (2020) (slip op., at 3) (internal quotation marks omitted). So the relevant question is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase. And as we have already explained, the statutory definition favors Van Buren’s reading.
That reading, moreover, is perfectly consistent with the
way that an âappropriately informedâ speaker of the lan-
guage would understand the meaning of âexceeds author-
ized access.â Nelson, What Is Textualism? 91 Va. L. Rev.
347, 354 (2005). When interpreting statutes, courts take
note of terms that carry âtechnical meaning[s].â A. Scalia
& B. Garner, Reading Law: The Interpretation of Legal
Texts 73 (2012). âAccessâ is one such term, long carrying a
âwell establishedâ meaning in the âcomputational senseââ
a meaning that matters when interpreting a statute about
computers. American Heritage Dictionary 10 (3d ed. 1992).
In the computing context, âaccessâ references the act of en-
tering a computer âsystem itself â or a particular âpart of a
12 VAN BUREN v. UNITED STATES
Opinion of the Court
computer system,” such as files, folders, or databases.6 It is
thus consistent with that meaning to equate “exceed[ing]
authorized access” with the act of entering a part of the system
to which a computer user lacks access privileges.7 The
Government and the dissent’s broader interpretation is neither
the only possible nor even necessarily the most natural
one.
B
While the statute’s language “spells trouble” for the Government’s
position, a “wider look at the statute’s structure
gives us even more reason for pause.” Romag Fasteners,
Inc. v. Fossil Group, Inc., 590 U. S. ___, ___–___ (2020) (slip
op., at 2–3).
The interplay between the “without authorization” and
“exceeds authorized access” clauses of subsection (a)(2) is
particularly probative. Those clauses specify two distinct
——————
6 1 Oxford English Dictionary 72 (2d ed. 1989) (“[t]o gain access to . . .
data, etc., held in a computer or computer-based system, or the system
itself”); Random House Dictionary of the English Language 11 (2d ed.
1987) (“Computers. to locate (data) for transfer from one part of a computer
system to another . . . ”); see also C. Sippl & R. Sippl, Computer
Dictionary and Handbook 2 (3d ed. 1980) (“[c]oncerns the process of obtaining
data from or placing data in storage”); Barnhart Dictionary of
New English 2 (3d ed. 1990) (“to retrieve (data) from a computer storage
unit or device . . . ”); Microsoft Computer Dictionary 12 (4th ed. 1999)
(“[t]o gain entry to memory in order to read or write data”); A Dictionary
of Computing 5 (6th ed. 2008) (“[t]o gain entry to data, a computer system,
etc.”).
7 The dissent makes the odd charge that our interpretation violates the
“ ‘presumption against’ ” reading a provision “contrary to the ordinary
meaning of the term it defines.” Post, at 9. But when a statute, like this
one, is “addressing a . . . technical subject, a specialized meaning is to be
expected.” Scalia, Reading Law, at 73. Consistent with that principle,
our interpretation tracks the specialized meaning of “access” in the computer
context. This reading is far from “ ‘repugnant to’ ” the meaning of
the phrase “exceeds authorized access,” post, at 9—unlike, say, a definitional
provision directing that “ ‘the word dog is deemed to include all
horses.’ ” Scalia, supra, at 232, n. 29.
ways of obtaining information unlawfully. First, an individual
violates the provision when he “accesses a computer
without authorization.” §1030(a)(2). Second, an individual
violates the provision when he “exceeds authorized access”
by accessing a computer “with authorization” and then obtaining
information he is “not entitled so to obtain.”
§§1030(a)(2), (e)(6). Van Buren’s reading places the provision’s
parts “into an harmonious whole.” Roberts v. Sea-Land
Services, Inc., 566 U. S. 93, 100 (2012) (internal quotation
marks omitted). The Government’s does not.
Start with Van Buren’s view. The “without authorization”
clause, Van Buren contends, protects computers themselves
by targeting so-called outside hackers—those who
“acces[s] a computer without any permission at all.” LVRC
Holdings LLC v. Brekka, 581 F. 3d 1127, 1133 (CA9 2009);
see also Pulte Homes, Inc. v. Laborers’ Int’l Union of North
Am., 648 F. 3d 295, 304 (CA6 2011). Van Buren reads the
“exceeds authorized access” clause to provide complementary
protection for certain information within computers. It
does so, Van Buren asserts, by targeting so-called inside
hackers—those who access a computer with permission, but
then “ ‘exceed’ the parameters of authorized access by entering
an area of the computer to which [that] authorization
does not extend.” United States v. Valle, 807 F. 3d 508, 524
(CA2 2015).
Van Buren’s account of subsection (a)(2) makes sense of
the statutory structure because it treats the “without authorization”
and “exceeds authorized access” clauses consistently.
Under Van Buren’s reading, liability under both
clauses stems from a gates-up-or-down inquiry—one either
can or cannot access a computer system, and one either can
or cannot access certain areas within the system.8 And
——————
8 For present purposes, we need not address whether this inquiry turns
only on technological (or “code-based”) limitations on access, or instead
also looks to limits contained in contracts or policies. Cf. Brief for Orin
Kerr as Amicus Curiae 7 (urging adoption of code-based approach).
reading both clauses to adopt a gates-up-or-down approach
aligns with the computer-context understanding of access
as entry. See supra, at 11–12.9
By contrast, the Government’s reading of the “exceeds authorized
access” clause creates “inconsistenc[ies] with the
design and structure” of subsection (a)(2). University of
Tex. Southwestern Medical Center v. Nassar, 570 U. S. 338,
353 (2013). As discussed, the Government reads the “exceeds
authorized access” clause to incorporate purpose-based
limits contained in contracts and workplace policies.
Yet the Government does not read such limits into the
threshold question whether someone uses a computer
“without authorization”—even though similar purpose restrictions,
like a rule against personal use, often govern
one’s right to access a computer in the first place. See, e.g.,
Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F. 3d
756, 757 (CA6 2020). Thus, the Government proposes to
read the first phrase “without authorization” as a gates-up-or-down
inquiry and the second phrase “exceeds authorized
access” as one that depends on the circumstances. The Government
does not explain why the statute would prohibit
——————
9 Van Buren’s gates-up-or-down reading also aligns with the CFAA’s
prohibition on password trafficking. See Tr. of Oral Arg. 33. Enacted
alongside the “exceeds authorized access” definition in 1986, the password-trafficking
provision bars the sale of “any password or similar information
through which a computer may be accessed without authorization.”
§1030(a)(6). The provision thus contemplates a “specific type of
authorization—that is, authentication,” which turns on whether a user’s
credentials allow him to proceed past a computer’s access gate, rather
than on other, scope-based restrictions. Bellia, A Code-Based Approach
to Unauthorized Access Under the Computer Fraud and Abuse Act, 84
Geo. Wash. L. Rev. 1442, 1470 (2016); cf. A Dictionary of Computing, at
30 (defining “authorization” as a “process by which users, having completed
an . . . authentication stage, gain or are denied access to particular
resources based on their entitlement”).
accessing computer information, but not the computer itself,
for an improper purpose.10
The Government’s position has another structural problem.
Recall that violating §1030(a)(2), the provision under
which Van Buren was charged, also gives rise to civil liability.
See §1030(g). Provisions defining “damage” and “loss”
specify what a plaintiff in a civil suit can recover.
“ ‘[D]amage,’ ” the statute provides, means “any impairment
to the integrity or availability of data, a program, a system,
or information.” §1030(e)(8). The term “loss” likewise relates
to costs caused by harm to computer data, programs,
systems, or information services. §1030(e)(11). The statutory
definitions of “damage” and “loss” thus focus on technological
harms—such as the corruption of files—of the
type unauthorized users cause to computer systems and
data. Limiting “damage” and “loss” in this way makes
sense in a scheme “aimed at preventing the typical consequences
of hacking.” Royal Truck, 974 F. 3d, at 760. The
term’s definitions are ill fitted, however, to remediating
“misuse” of sensitive information that employees may permissibly
access using their computers. Ibid. Van Buren’s
situation is illustrative: His run of the license plate did not
——————
10 Unlike the Government, the dissent would read both clauses of subsection
(a)(2) to require a circumstance-specific analysis. Doing so, the
dissent contends, would reflect that “[p]roperty law generally protects
against both unlawful entry and unlawful use.” Post, at 7. This interpretation
suffers from structural problems of its own. Consider the
standard rule prohibiting the use of one’s work computer for personal
purposes. Under the dissent’s approach, an employee’s computer access
would be without authorization if he logged on to the computer with the
purpose of obtaining a file for personal reasons. In that event, obtaining
the file would not violate the “exceeds authorized access” clause, which
applies only when one accesses a computer “with authorization.”
§1030(e)(6) (emphasis added). The dissent’s reading would therefore
leave the “exceeds authorized access” clause with no work to do much of
the time—an outcome that Van Buren’s interpretation (and, for that
matter, the Government’s) avoids.
impair the “integrity or availability” of data, nor did it otherwise
harm the database system itself.
C
Pivoting from text and structure, the Government claims
that precedent and statutory history support its interpretation.
These arguments are easily dispatched.
As for precedent, the Government asserts that this
Court’s decision in Musacchio v. United States, 577 U. S.
237 (2016), bolsters its reading. There, in addressing a
question about the standard of review for instructional error,
the Court described §1030(a)(2) as prohibiting “(1) obtaining
access without authorization; and (2) obtaining access
with authorization but then using that access
improperly.” Id., at 240. This paraphrase of the statute
does not do much for the Government. As an initial matter,
Musacchio did not address—much less resolve in the Government’s
favor—the “point now at issue,” and we thus “are
not bound to follow” any dicta in the case. Central Va. Community
College v. Katz, 546 U. S. 356, 363 (2006). But in
any event, Van Buren’s interpretation, no less than the
Government’s, involves “using [one’s] access improperly.”
It is plainly “improper” for one to use the opportunity his
computer access provides to obtain prohibited information
from within the computer.
As for statutory history, the Government claims that the
original 1984 Act supports its interpretation of the current
version. In a precursor to the “exceeds authorized access”
clause, the 1984 Act covered any person who, “having accessed
a computer with authorization, uses the opportunity
such access provides for purposes to which such authorization
does not extend,” and thus expressly alluded to the purpose
of an insider’s computer access. 18 U. S. C. §1030(a)(2)
(1982 ed. Supp. III). According to the Government, this confirms
that the amended CFAA—which makes no mention
of purpose in defining “exceeds authorized access”—likewise
covers insiders like Van Buren who use their computer
access for an unauthorized purpose.11 The Government’s
argument gets things precisely backward. “When Congress
amends legislation, courts must presume it intends the
change to have real and substantial effect.” Ross v. Blake,
578 U. S. 632, 641–642 (2016) (internal quotation marks
and brackets omitted). Congress’ choice to remove the statute’s
reference to purpose thus cuts against reading the
statute “to capture that very concept.” Brief for United
States 22. The statutory history thus hurts rather than
helps the Government’s position.
III
To top it all off, the Government’s interpretation of the
statute would attach criminal penalties to a breathtaking
amount of commonplace computer activity. Van Buren
frames the far-reaching consequences of the Government’s
reading as triggering the rule of lenity or constitutional
avoidance. That is not how we see it: Because the text, context,
and structure support Van Buren’s reading, neither of
these canons is in play. Still, the fallout underscores the
implausibility of the Government’s interpretation. It is “extra
icing on a cake already frosted.” Yates v. United States,
574 U. S. 528, 557 (2015) (KAGAN, J., dissenting).
If the “exceeds authorized access” clause criminalizes
every violation of a computer-use policy, then millions of
——————
11 While the Government insists that Congress made this change
“ ‘merely to clarify the language’ ” of §1030(a)(2), Brief for United States
28, the dissent has a different take. In the dissent’s telling, the 1986
amendment in fact “expand[ed]” the provision to reach “time and manner”
restrictions on computer access—not just purpose-based ones. Post,
at 10–11. The dissent’s distinct explanation for why Congress removed
§1030(a)(2)’s reference to “purpose” requires accepting that the “exceeds
authorized access” definition supports a circumstance-specific approach.
We reject the dissent’s premise for the textual and structural reasons
already discussed.
otherwise law-abiding citizens are criminals. Take the
workplace. Employers commonly state that computers and
electronic devices can be used only for business purposes.
So on the Government’s reading of the statute, an employee
who sends a personal e-mail or reads the news using her
work computer has violated the CFAA. Or consider the Internet.
Many websites, services, and databases—which
provide “information” from “protected computer[s],”
§1030(a)(2)(C)—authorize a user’s access only upon his
agreement to follow specified terms of service. If the “exceeds
authorized access” clause encompasses violations of
circumstance-based access restrictions on employers’ computers,
it is difficult to see why it would not also encompass
violations of such restrictions on website providers’ computers.
And indeed, numerous amici explain why the Government’s
reading of subsection (a)(2) would do just that—
criminalize everything from embellishing an online-dating
profile to using a pseudonym on Facebook. See Brief for
Orin Kerr as Amicus Curiae 10–11; Brief for Technology
Companies as Amici Curiae 6, n. 3, 11; see also Brief for
Reporters Committee for Freedom of the Press et al. as
Amici Curiae 10–13 (journalism activity); Brief for Kyratso
Karahalios et al. as Amici Curiae 11–17 (online civil-rights
testing and research).
In response to these points, the Government posits that
other terms in the statute—specifically “authorization” and
“use”—“may well” serve to cabin its prosecutorial power.
Brief for United States 35; see Tr. of Oral Arg. 38, 40, 58
(“instrumental” use; “individualized” and “fairly specific”
authorization). Yet the Government stops far short of endorsing
such limitations. Cf. Brief for United States 37
(concept of “authorization” “may not logically apply”); id., at
38 (“ ‘use’ ” might be read in a more “limited” fashion, even
though it “often has a broader definition”); see also, e.g.,
post, at 11–12 (mens rea requirement “might” preclude liability
in some cases). Nor does it cite any prior instance in
which it has read the statute to contain such limitations—
to the contrary, Van Buren cites instances where it hasn’t.
See Reply Brief 14–15, 17 (collecting cases); cf. Sandvig v.
Barr, 451 F. Supp. 3d 73, 81–82 (DC 2020) (discussing Department
of Justice testimony indicating that the Government
could “ ‘bring a CFAA prosecution based’ ” on terms-of-service
violations causing “ ‘de minimis harm’ ”). If anything,
the Government’s current CFAA charging policy
shows why Van Buren’s concerns are far from “hypothetical,”
post, at 12: The policy instructs that federal prosecution
“may not be warranted”—not that it would be prohibited—“if
the defendant exceed[s] authorized access solely by
violating an access restriction contained in a contractual
agreement or term of service with an Internet service provider
or website.”12 And while the Government insists that
the intent requirement serves as yet another safety valve,
that requirement would do nothing for those who intentionally
use their computers in a way their “job or policy prohibits”—for
example, by checking sports scores or paying
bills at work. App. 39.
One final observation: The Government’s approach would
inject arbitrariness into the assessment of criminal liability.
The Government concedes, as it must, that the “exceeds
authorized access” clause prohibits only unlawful information
“access,” not downstream information “ ‘misus[e].’ ”
Brief in Opposition 17 (statute does not cover “ ‘subsequen[t]
misus[e of] information’ ”). But the line between the
——————
12 Memorandum from U. S. Atty. Gen. to U. S. Attys. & Assistant
Attys. Gen. for the Crim. & Nat. Security Divs., Intake and Charging
Policy for Computer Crime Matters 5 (Sept. 11, 2014),
https://www.justice.gov/criminal-ccips/file/904941/download (emphasis added).
Although the Government asserts that it has “[h]istorically” prosecuted only
“core conduct” like Van Buren’s and not the commonplace violations that
Van Buren fears, Brief for United States 40, the contrary examples Van
Buren and his amici cite give reason to balk at that assurance. See Brief
for Petitioner 32–33; Brief for Orin Kerr as Amicus Curiae 18–23; Brief
for Technology Companies as Amici Curiae 11.
two can be thin on the Government’s reading. Because
purpose-based limits on access are often designed with an
eye toward information misuse, they can be expressed as
either access or use restrictions. For example, one police
department might prohibit using a confidential database
for a non-law-enforcement purpose (an access restriction),
while another might prohibit using information from the
database for a non-law-enforcement purpose (a use restriction).
Conduct like Van Buren’s can be characterized
either way, and an employer might not see much difference
between the two. On the Government’s reading, however,
the conduct would violate the CFAA only if the employer
phrased the policy as an access restriction. An interpretation
that stakes so much on a fine distinction controlled by
the drafting practices of private parties is hard to sell as the
most plausible.
IV
In sum, an individual “exceeds authorized access” when
he accesses a computer with authorization but then obtains
information located in particular areas of the computer—
such as files, folders, or databases—that are off limits to
him. The parties agree that Van Buren accessed the law
enforcement database system with authorization. The only
question is whether Van Buren could use the system to retrieve
license-plate information. Both sides agree that he
could. Van Buren accordingly did not “excee[d] authorized
access” to the database, as the CFAA defines that phrase,
even though he obtained information from the database for
an improper purpose. We therefore reverse the contrary
judgment of the Eleventh Circuit and remand the case for
further proceedings consistent with this opinion.
It is so ordered.
Cite as: 593 U. S. ____ (2021) 1
THOMAS, J., dissenting
SUPREME COURT OF THE UNITED STATES
_________________
No. 19–783
_________________
NATHAN VAN BUREN, PETITIONER v.
UNITED STATES
ON WRIT OF CERTIORARI TO THE UNITED STATES COURT OF
APPEALS FOR THE ELEVENTH CIRCUIT
[June 3, 2021]
JUSTICE THOMAS, with whom THE CHIEF JUSTICE and
JUSTICE ALITO join, dissenting.
Both the common law and statutory law have long punished
those who exceed the scope of consent when using
property that belongs to others. A valet, for example, may
take possession of a person’s car to park it, but he cannot
take it for a joyride. The Computer Fraud and Abuse Act
extends that principle to computers and information. The
Act prohibits exceeding the scope of consent when using a
computer that belongs to another person. Specifically, it
punishes anyone who “intentionally accesses a computer
without authorization or exceeds authorized access, and
thereby obtains” information from that computer. 18
U. S. C. §1030(a)(2).
As a police officer, Nathan Van Buren had permission to
retrieve license-plate information from a government database,
but only for law enforcement purposes. Van Buren
disregarded this limitation when, in exchange for several
thousand dollars, he used the database in an attempt to unmask
a potential undercover officer.
The question here is straightforward: Would an ordinary
reader of the English language understand Van Buren to
have “exceed[ed] authorized access” to the database when
he used it under circumstances that were expressly forbidden?
In my view, the answer is yes. The necessary precondition
that permitted him to obtain that data was absent.
The Court does not dispute that the phrase “exceeds authorized
access” readily encompasses Van Buren’s conduct.
It notes, instead, that the statute includes a definition for
that phrase and that “we must follow that definition, even
if it varies from a term’s ordinary meaning.” Tanzin v.
Tanvir, 592 U. S. ___, ___ (2020) (slip op., at 3) (internal
quotation marks omitted). The problem for the majority
view, however, is that the text, ordinary principles of property
law, and statutory history establish that the definitional
provision is quite consistent with the term it defines.
I
A
The Act defines “exceeds authorized access” as “to access
a computer with authorization and to use such access to obtain
or alter information in the computer that the accesser
is not entitled so to obtain or alter.” §1030(e)(6). For purposes
of this appeal, it is agreed that Van Buren was authorized
to log into a government database and that he used
his entry to obtain fake license-plate information from that
database. I thus agree with the majority that this case
turns on whether Van Buren was “entitled so to obtain” the
fake license-plate information. I also agree that “so” asks
whether Van Buren had a right to obtain that information
through the means identified earlier in the definition: (1)
accessing a computer with authorization and (2) using that
access to obtain information in the computer. In other
words, Van Buren’s conduct was legal only if he was entitled
to obtain that specific license-plate information by using
his admittedly authorized access to the database.
He was not. A person is entitled to do something only if
he has a “right” to do it. Black’s Law Dictionary 477 (5th
ed. 1979); see also American Heritage Dictionary 437 (def.
3a) (1981) (to “allow” or to “qualify”). Van Buren never had
a “right” to use the computer to obtain the specific license-plate
information. Everyone agrees that he obtained it for
personal gain, not for a valid law enforcement purpose. And
without a valid law enforcement purpose, he was forbidden
to use the computer to obtain that information.
B
The majority postulates an alternative reading of this
definitional provision: So long as a person is entitled to use
a computer to obtain information in at least one circumstance,
this statute does not apply even if the person obtains
the data outside that circumstance. In effect, the majority
reads the statute to apply only when a person is “not
entitled [under any possible circumstance] so to obtain” information.
This interpretation is flawed for a number of
reasons.
1
Foremost, that interpretation is contrary to the plain
meaning of the text. Entitlements are necessarily circumstance
dependent; a person is entitled to do something only
when “proper grounds” or facts are in place. Black’s Law
Dictionary, at 477. Focusing on the word “so,” the majority
largely avoids analyzing the term “entitled,” concluding at
the outset in a single sentence that Van Buren was entitled
to obtain this license-plate information. Ante, at 5. But the
plain meaning of “entitled” compels the opposite conclusion.
Because Van Buren lacked a law enforcement purpose, the
“proper grounds” did not exist. He was not entitled to obtain
the data when he did so.
A few real-world scenarios illustrate the point. An employee
who is entitled to pull the alarm in the event of a fire
is not entitled to pull it for some other purpose, such as to
delay a meeting for which he is unprepared. A valet who
obtains a car from a restaurant patron is—to borrow the
language from §1030(e)(6)—“entitled” to “access [the car]”
and “entitled” to “use such access” to park and retrieve it.
But he is not “entitled” to “use such access” to joyride. See,
e.g., Ind. Code §35–43–4–3 (2020) (felonious criminal conversion
to “knowingly or intentionally exer[t] unauthorized
control over property of another” if “the property is a motor
vehicle”); In re Clayton, 778 N. E. 2d 404, 405 (Ind. 2002)
(interpreting this statute to cover misuse of property a person
otherwise is entitled to access). And, to take an example
closer to this statute, an employee of a car rental company
may be “entitled” to “access a computer” showing the
GPS location history of a rental car and “use such access”
to locate the car if it is reported stolen. But it would be
unnatural to say he is “entitled” to “use such access” to stalk
his ex-girlfriend.
The majority offers no real response. It notes that “entitled”
is modified by “so” and that courts must therefore consider
whether a person is entitled to use a computer to obtain
information. Ante, at 10. But if a person is not entitled
to obtain information at all, it necessarily follows that he
has no “right to access the information by using a computer.”
Ante, at 9. Van Buren was not entitled to obtain
this information at all because the condition precedent
needed to trigger an entitlement—a law enforcement purpose—was
absent.
2
Next, the majority’s reading is at odds with basic principles
of property law. By now, it is well established that information
contained in a computer is “property.” Nobody
doubts, for example, that a movie stored on a computer is
intellectual property. Federal and state law routinely define
“property” to include computer data. E.g., 12 U. S. C.
§5433; N. Y. Penal Law Ann. §155.00 (West 2010). And
even the majority acknowledges that this statute is designed
to protect property. Ante, at 2. Yet it fails to square
its interpretation with the familiar rule that an entitlement
to use another person’s property is circumstance specific.
Consider trespass. When a person is authorized to enter
land and entitled to use that entry for one purpose but does
so for another, he trespasses. As the Second Restatement
of Torts explains, “[a] conditional or restricted consent to
enter land creates a privilege to do so only in so far as the
condition or restriction is complied with.” §168, p. 311
(1964). The Restatement includes a helpful illustration:
“3. A grants permission to B, his neighbor, to enter
A’s land, and draw water from A’s spring for B’s own
use. A has specifically refused permission to C to enter
A’s land and draw water from the spring. At C’s instigation,
B enters A’s land and obtains for C water from
the spring. B’s entry is a trespass.” Ibid., Comment b.
What is true for land is also true in the computer context;
if a company grants permission to an employee to use a
computer for a specific purpose, the employee has no authority
to use it for other purposes.
Consider, too, the common understanding of theft. A person
who is authorized to possess property for a limited purpose
commits theft the moment he “exercises unlawful control
over” it, which occurs “whenever consent or authority
is exceeded.” ALI, Model Penal Code §223.2(1), pp. 162, 168
(1980). To again borrow the language from §1030(e)(6), a
police officer may have authority to “access” the department’s
bank account and “use such access” to cover law enforcement
expenses, but he is nonetheless guilty of embezzlement
if he “uses such access” to line his pockets. He
would not be exonerated simply because he would be “entitled
so to obtain” funds from the account under other circumstances.
Or take bailment. A bailee commits conversion—which
many jurisdictions criminalize—when he, “having no authority
to use the thing bailed, nonetheless uses it, or, having
authority to use it in a particular way, uses it in a different
way.” 8 C. J. S., Bailments §43, pp. 480–481 (2017)
(footnote omitted). A computer technician may have authority
to access a celebrity’s computer to recover data from
a crashed hard drive, but not to use his access to copy and
leak to the press photos stored on that computer.
The majority makes no attempt to square its interpretation
with this familiar principle. Instead, it sweeps away
this context by stating that Congress did not include in this
statute any common-law terms. Ante, at 8, n. 4. But the
statute does use words like “exceed” and “authority” that
are common to other property contexts. And the majority
never identifies any particular property-law buzzwords
that it thinks Congress was obliged to include.
The majority next says that relying on pre-existing concepts
of property law is “ill advised” because Congress enacted
this law in light of a “failure of pre-existing law to
capture computer crime.” Ante, at 2, 8, n. 4 (citing Kerr,
Cybercrime’s Scope: Interpreting “Access” and “Authorization”
in Computer Misuse Statutes, 78 N. Y. U. L. Rev. 1596
(2003)). Yet the reasons why pre-existing law was considered
inadequate undermine the majority’s position. First,
state laws were used to cover conduct like Van Buren’s, but
doing so “require[d] considerable creativity” because those
laws typically required either “physical” entry (which fit
poorly with computers) or “depriv[ing]” a victim of property
(which fit poorly where a person “merely copied” data or engaged
in forbidden “personal uses”). Id., at 1607–1608,
1610–1611. Second, the fit was even more awkward for federal
laws, which were “more limited in scope.” Id., at 1608.
Congress did not enact this law to eliminate the established
principle that entitlements to use property are circumstance
specific, but instead to eliminate the deprivation and
physical-entry requirements.
Unable to square its interpretation with established principles
of property law, the majority contends that its interpretation
is more harmonious with a separate clause in the
statute that forbids “access[ing] a computer without authorization.”
§1030(a)(2). In the majority’s telling, this clause
requires “a gates-up-or-down inquiry—one either can or
cannot access a computer system,” so it makes sense to read
the “exceeds authorized access” clause in the same sentence
to include the same approach. Ante, at 13–14.
I agree that the two clauses should be read harmoniously,
but there is no reason to believe that if the gates are up in
a single instance, then they must remain up indefinitely.
An employee who works with sensitive defense information
may generally have authority to log into his employer-issued
laptop while away from the office. But if his employer
instructs him not to log in while on a trip to a country where
network connections cannot be trusted, he accesses the
computer without authorization if he logs in anyway. For
both clauses, discerning whether the gates are up or down
requires considering the circumstances that cause the gates
to move.
In fact, my reading harmonizes both clauses with established
concepts of property law. Property law generally protects
against both unlawful entry and unlawful use after
entry. E.g., Restatement (Second) of Torts §214, Comment
e, at 408–409; 8 C. J. S., Bailments §43, at 480–481. The
same is true here. The police department could protect information
by prohibiting officers from logging in with an
improper purpose, but that would do little good if an officer
logged in at the start of his shift with proper intent and
then, hours later while still logged in, conducted license-plate
searches in exchange for payment. By including both
the “without authorization” and “exceeds authorized access”
clauses, Congress ensured protection against improper
login as well as misuse after proper login.
3
The majority’s interpretation—that criminality turns on
whether there is a single exception to a prohibition—also
leads to awkward results. Under its reading, an employee
at a credit-card company who is forbidden to obtain the purchasing
history of clients violates the Act when he obtains
that data about his ex-wife—unless his employer tells him
he can obtain and transfer purchase history data when an
account has been flagged for possible fraudulent activity.
The same is true of the person who, minutes before resigning,
deletes every file on a computer. See Royal Truck &
Trailer Sales & Serv., Inc. v. Kraft, 974 F. 3d 756, 758 (CA6
2020). So long as an employee could obtain or alter each
file in some hypothetical circumstance, he is immune. But
the person who plays a round of solitaire is a criminal under
the majority’s reading if his employer, concerned about distractions,
categorically prohibits accessing the “games”
folder in Windows. It is an odd interpretation to “stak[e] so
much” on the presence or absence of a single exception.
Ante, at 20.
The majority’s interpretation is especially odd when applied
to other clauses in the statute. Section 1030(a)(1) prohibits
“exceeding authorized access” to obtain “restricted
data . . . with reason to believe that such information so obtained
could be used to the injury of the United States, or
to the advantage of any foreign nation,” and retaining or
distributing that data. The term “restricted data” is defined
to include “all data concerning (1) design, manufacture, or
utilization of atomic weapons.” 42 U. S. C. §2014(y). Under
the majority’s reading, so long as a scientist may obtain
blueprints for atomic weapons in at least one circumstance,
he would be immune if he obtained that data for the improper
purpose of helping an unfriendly nation build a nuclear
arsenal. It is difficult to see what force this provision—in
place in substantially similar form since 1984—
has under the majority’s reading.
4
Were there any remaining doubt about which interpretation
better fits the statute, the defined term settles it.
When a definition is susceptible of more than one reading,
the one that best matches the plain meaning of the defined
term ordinarily controls. See, e.g., Bond v. United States,
572 U. S. 844, 861 (2014) (considering the “ordinary meaning
of a defined term”); id., at 870 (Scalia, J., concurring in
judgment) (courts may “us[e] the ordinary meaning of the
term being defined for the purpose of resolving an ambiguity
in the definition” (emphasis deleted)). That is because
“there is a presumption against” reading a provision contrary
to the ordinary meaning of the term it defines. A.
Scalia & B. Garner, Reading Law: The Interpretation of Legal
Texts 232 (2012); see also id., at 228 (“[T]he meaning of
the definition is almost always closely related to the ordinary
meaning of the word being defined”).
The majority instead resolves supposed ambiguity in the
definition against the plain meaning of the defined term. It
adopts a “favor[ed]” interpretation of the definition and
then asks whether the defined term can be interpreted in a
way “consistent” with this “favor[ed]” view. Ante, at 11.
But “[i]t should take the strongest evidence to make us believe
that Congress has defined a term in a manner repugnant
to its ordinary and traditional sense.” Babbitt v. Sweet
Home Chapter, Communities for Great Ore., 515 U. S. 687,
719 (1995) (Scalia, J., dissenting). The majority identifies
no such evidence. The most it says is that my reading of
“exceeds authorized access” is not “necessarily” best because
“access” can have a technical meaning: entering the
computer system or a part of the computer system. Ante, at
11, 12, n. 6. But whatever meaning “access” might have,
“authority”—like “entitled”—is circumstance dependent.
The majority’s reading of “access” confirms that point. The
definitions the majority cites reference not mere entry, but
using entry to obtain specific data. Ante, at 12, n. 6. That
accords with the definition here, which regulates a person’s
“use” of a computer after entering it. §1030(e)(6). Here, as
in other contexts of property law, a person’s authority to use
his access to property is circumstance dependent. The majority’s
focus on the term “access”—at the expense of “authority”
and “entitled”—harms, not helps, its argument.
II
What the text and established concepts of property law
make clear, statutory history reinforces. The original text
of this Act expressly prohibited accessing a computer with
authorization and then “us[ing] the opportunity such access
provides for purposes to which such authorization does not
extend.” 98 Stat. 2191. The Act thus applied when persons
used computers for improper reasons—just like Van Buren
indisputably did here.
The majority does not deny this. Instead, it notes that
Congress amended the text in 1986 to its present definition,
and it says that the Court can presume that Congress’ decision
to omit the term “purpose” necessarily eliminated
any prohibition against obtaining information for an improper
purpose. Ante, at 17.
But the majority cannot so easily evade this history.
True, the statute previously included the term “purpose”
and now does not, but the majority fails to consider how
that change affected the statute. Often, deleting a word expands,
rather than constricts, the scope of a provision. If a
city changes a sign in a park from “no unleashed dogs” to
“no dogs,” nobody would presume that unleashed dogs are
now allowed. The same is true when the specific is replaced
by the general (“no dogs” to “no pets”).
Congress’ change to this statute similarly broadened the
law. The original text prohibited accessing a computer with
authorization then “us[ing] the opportunity such access
provides for purposes to which such authorization does not
extend.” The term “purpose” limited that clause to purpose-based
constraints. It did not naturally include other constraints,
such as time and manner restrictions. By replacing
the specific, limited term “purposes” with the broader,
more general phrase “not entitled,” Congress gave force to
those other kinds of constraints. Consider the previous example
of the employee who violates an instruction not to log
in while in an unfriendly foreign country with insecure networks.
The original text would not cover him, so long as he
logged in for a proper purpose like checking work e-mail.
The newer text would cover him because his entitlement to
obtain or alter data is context dependent. His purpose is
innocent, but the time or manner of his use is not.
III
The majority ends with policy arguments. It suggests
they are not needed. Ante, at 17 (“ ‘extra icing on a cake
already frosted’ ”). Yet, it stresses them at length. Ante, at
17–20. Regardless, the majority’s reliance on these policy
arguments is in error.
Concerned about criminalizing a “breathtaking amount
of commonplace computer activity,” the majority says that
the way people use computers today “underscores the implausibility
of the Government’s interpretation.” Ante, at
17. But statutes are read according to their “ ‘ordinary
meaning at the time Congress enacted the statute.’ ” Wisconsin
Central Ltd. v. United States, 585 U. S. ___, ___
(2018) (slip op., at 2) (ellipsis omitted). The majority’s reliance
on modern-day uses of computers to determine what
was plausible in the 1980s wrongly assumes that Congress
in 1984 was aware of how computers would be used in 2021.
I also would not so readily assume that my interpretation
would automatically cover so much conduct. Many provisions
plausibly narrow the statute’s reach. For example,
the statute includes the strict mens rea requirement that a
person must “intentionally . . . excee[d] authorized access.”
§1030(a)(2). The statute thus might not apply if a person
believes he is allowed to use the computer a certain way because,
for example, that kind of behavior is common and
tolerated. Cf. Restatement (Second) of Contracts §223(2)
(1979) (discussing how an established “course of dealing”
can erase written limitations in certain contractual contexts).
The Act also concerns only “obtain[ing] or alter[ing]
information in the computer,” §1030(e)(6) (emphasis
added), not using the Internet to check sports scores stored
in some distant server (i.e., a different computer). The majority
does not deny that many provisions plausibly narrow
the focus of this statute. It simply faults the government
for not arguing the point more forcefully. Ante, at 18–19. I
would not give so much weight to the hypothetical concern
that the Government might start charging innocuous conduct
and that courts might interpret the statute to cover
that conduct.
The majority’s argument also proves too much. Much of
the Federal Code criminalizes common activity. Absent aggravating
factors, the penalty for violating this Act is a misdemeanor.
§1030(c)(2)(A). This Act thus penalizes mine-run
offenders about as harshly as federal law punishes a
person who removes a single grain of sand from the National
Mall, 40 U. S. C. §8103(b); breaks a lamp in a Government
building, ibid.; or permits a horse to eat grass on
federal land, 18 U. S. C. §1857. The number of federal laws
and regulations that trigger criminal penalties may be as
high as several hundred thousand. Fields & Emshwiller,
Many Failed Efforts To Count Nation’s Federal Criminal
Laws, Wall-Street Journal (July 23, 2011).* It is understandable
to be uncomfortable with so much conduct being
criminalized, but that discomfort does not give us authority
to alter statutes.
------
* www.wsj.com/article/SB10001424052702304319804576389601079728920.html.
* * *
In the end, the Act may or may not cover a wide array of
conduct because of changes in technology that have occurred
since 1984. But the text makes one thing clear: Using
a police database to obtain information in circumstances
where that use is expressly forbidden is a crime. I
respectfully dissent.