The Van Buren Holding
Section summary: Van Buren held that "exceeds authorized access" applies when one accesses files, folders, or databases the user is not authorized to access at all. Mere misuse of authorized files is not a CFAA violation.
Holding:
- A police officer used his access to a license database for personal reasons.
- The Court held this is not a CFAA violation.
- "Exceeds authorized access" means accessing what the user is not authorized to access.
- Use restrictions are not access restrictions.
Gates Analysis
Section summary: The Court used a gates analogy. The CFAA applies when a user crosses gates they are not authorized to cross. Misuse of access "inside the gates" is not a CFAA violation.
Gates framework:
- Each gate represents a permission boundary.
- The user had access to specific gates.
- Crossing gates one is not authorized to cross is "exceeds authorized access."
- Misusing material inside accessible gates is not.
Practical Examples
Section summary: A police officer using an authorized database for personal reasons: not CFAA. An employee using authorized files for a competitor: not CFAA per se. A hacker accessing files they never had permission for: CFAA violation.
Examples:
| Scenario | Pre-Van Buren | Post-Van Buren |
|---|---|---|
| Officer accesses database for personal reason | Possible CFAA | Not CFAA |
| Employee accesses authorized files for competitor | Possible CFAA | Not CFAA |
| Hacker accesses unauthorized server | CFAA | CFAA |
| Employee accesses HR files outside scope | CFAA | CFAA |
What Van Buren Did Not Decide
Section summary: Van Buren did not address whether contract terms can create technical "gates." It did not address password sharing. It did not eliminate the CFAA for misuse of authorized access in all circumstances.
Open issues:
- Contract-based access restrictions.
- Password sharing analysis.
- Specific technical-restriction-based access.
- Some narrowing is limited to the "exceeds authorized access" subsection.
Reconsideration of Older Cases
Section summary: Pre-Van Buren convictions may be subject to challenge. Recently pending cases may benefit from the narrowed scope.
Reconsideration considerations:
- Pre-Van Buren convictions may support 28 U.S.C. §2255 motions.
- Pending cases may benefit from the new analysis.
- Civil cases under the CFAA are also affected.
Need defense counsel?
L&L Law Group, PLLC handles Computer Crimes Defense cases throughout DFW. Initial consultations are free.
Call (972) 370-5060
Forensic Foundation
CFAA cases affected by Van Buren turn on digital-forensic evidence: device images, file metadata, network logs, cloud-account records, malware reverse engineering, and attribution analysis. Counsel handling a CFAA case affected by Van Buren must engage with the forensic record at a technical level, not just a legal level.
The defense's threshold task is review of the government's forensic methodology. Was the device imaged using accepted procedures? Was the image hash-verified against the original? Did the examiner have appropriate certifications? Did the analysis follow the examiner's lab's standard operating procedures? Each step in the chain produces potential challenges at hearing and trial.
Where the case turns on contested forensic findings, the defense should retain an independent examiner. The defense expert reviews the government's work, performs parallel analysis where possible, and is available to testify if needed. Funding for defense experts is available in federal cases under the Criminal Justice Act (18 U.S.C. §3006A) and in Texas indigent cases under Code of Criminal Procedure Article 26.05.
Van Buren and Authorization Screen
The Supreme Court's decision in Van Buren v. United States, 593 U.S. 374 (2021), reshaped the CFAA "exceeds authorized access" analysis. The Court held that the statute applies only where the defendant accessed an area of a computer system they were not entitled to enter at all — not where they had credentials but used them for an improper purpose. The "gates-up-or-down" inquiry asks whether the user could or could not access the specific area, not why they accessed it.
For a CFAA case affected by Van Buren (where authorization is in issue), the defense must screen the indictment against the post-Van Buren framework. Cases built on theories that the defendant misused authorized access — rather than entering a system they had no right to enter — should be evaluated for dismissal under Van Buren. Many CFAA charges filed before 2021 survived only because the law had not yet been clarified; charges filed since must satisfy the gates-up-or-down standard.
The defense should also consider whether parallel state charges (Texas Penal Code §33.02) provide the same protection. Texas "effective consent" analysis under Chapter 1 of the Penal Code is broad. A defendant who had colorable authorization — an unrevoked password, a shared account, an implied license — has a defense to the access element under state law that runs parallel to the federal Van Buren analysis.
The Van Buren decision and its analytical framework
Van Buren v. United States, 593 U.S. 374 (2021), is the most significant Supreme Court decision interpreting the Computer Fraud and Abuse Act since the statute was enacted in 1986. The Court held in a 6-3 decision that the CFAA's "exceeds authorized access" provision does not reach individuals who access files or systems they are permitted to access but for purposes that violate use policies. The decision substantially narrowed CFAA liability and provides a foundational framework for evaluating CFAA cases.
The case arose from the prosecution of a Georgia police sergeant who used his patrol vehicle computer to access a license plate database in exchange for money, in violation of department policy. The government argued that the sergeant exceeded authorized access by using the system for an improper purpose. The Court rejected this interpretation, holding that the CFAA authorization analysis focuses on whether the user has access to the specific area of the system rather than whether the user uses the access for proper purposes.
The Court's analytical framework distinguishes between two categories of authorization issues. Gate-up access involves accessing systems or files that the user is not permitted to enter at all. Gate-down access involves accessing systems or files that the user is permitted to access but using the access in ways that violate use policies. The CFAA reaches gate-up access but not gate-down policy violations. The framework provides a clear analytical structure for evaluating specific CFAA charges.
Application of Van Buren to insider misconduct cases
The Van Buren framework has its largest impact in insider misconduct cases where employees use legitimate credentials to access systems they are authorized to access for purposes that violate employer policies. Before Van Buren, the government routinely prosecuted these cases under the exceeds-authorized-access provision. After Van Buren, the cases must satisfy the gate-up access requirement or proceed under different theories.
The defense application in insider cases focuses on identifying the specific access alleged to be unauthorized and analyzing whether the access fits the gate-up or gate-down framework. Most insider cases involve gate-down access because employees typically have credentials that permit access to the systems and files they used. The defense can therefore obtain dismissal or acquittal on CFAA charges in many insider cases.
The Van Buren defense does not preclude prosecution under other theories. Employees who misappropriate trade secrets can be prosecuted under the federal trade secrets statute. Employees who commit fraud can be prosecuted under wire fraud or mail fraud. Employees who steal money can be prosecuted under embezzlement or theft statutes. The Van Buren defense narrows CFAA liability but does not provide a complete defense against all charges arising from insider misconduct.
Application of Van Buren to web scraping and automated access
Van Buren has substantial implications for web scraping and automated access cases. Before Van Buren, the government and some private plaintiffs argued that scraping public websites in violation of terms of service constituted exceeding authorized access under the CFAA. The Van Buren framework treats access to public websites as authorized regardless of the user's purposes or whether the user violates terms of service, because the access is gate-down rather than gate-up.
The hiQ Labs v. LinkedIn case, decided after Van Buren, provides important precedent on web scraping. The Ninth Circuit, on remand from the Supreme Court, held that scraping public LinkedIn profiles did not violate the CFAA because the access was authorized for general users. The decision aligned with the Van Buren framework and provides specific guidance on scraping cases.
The web scraping defense must still consider other theories that may apply. Trade secret claims may arise if the scraped data has trade secret protection. Copyright claims may arise if the scraping involves substantial reproduction of copyrighted content. Trespass to chattels claims may arise if the scraping causes harm to the website's operations. The Van Buren defense narrows CFAA liability for scraping but does not provide complete immunity from other potential claims.
The remaining CFAA exposure after Van Buren
Van Buren did not eliminate CFAA liability entirely. The provision continues to reach genuine gate-up access cases including unauthorized intrusion into systems, theft of credentials, and other forms of access that involve entering systems the defendant has no permission to enter. The CFAA remains a substantial federal criminal statute for cases involving these forms of access.
The CFAA also continues to reach the various other subsections that do not depend on the exceeds-authorized-access framework. Section 1030(a)(5) reaches damage to protected computers. Section 1030(a)(6) reaches trafficking in passwords. Section 1030(a)(7) reaches extortion. Each subsection has its own elements that the government must prove, and Van Buren affects only the specific authorization element under Sections 1030(a)(1), (a)(2), and (a)(4).
The defense in CFAA cases after Van Buren must carefully analyze the specific charges and the specific factual basis. The Van Buren defense applies in many cases but not all. The defense should identify the specific provisions charged, the specific factual basis for each, and the application of Van Buren and other authorities to each. The case-specific analysis is critical because the post-Van Buren landscape remains complex and the application of the decision to specific facts requires careful work.
Frequently Asked Questions
Does Van Buren mean I can use my work computer for anything?
Can old CFAA convictions be challenged?
Does Van Buren help in trade secret cases?
How does Van Buren affect civil CFAA cases?
Read the full Texas Computer Crimes Defense Guide
This article is one section of our comprehensive Texas Computer Crimes Defense Guide. The pillar guide covers recent developments, official resources, and the complete framework with deeper analysis.
Practical Checklist
- Document everything early. Communications, records, and witness contact information lose value as time passes. Preserve them at the start of the case.
- Identify all parallel proceedings. Criminal, administrative, civil, and regulatory tracks often run in parallel. A statement in one becomes evidence in another. Map the full picture before any disclosure.
- Calendar every deadline. Filing deadlines, response deadlines, discovery deadlines, and hearing dates all have consequences. Missing a deadline can foreclose defenses that the facts otherwise support.
- Build the mitigation package early. Witness letters, treatment records, employment verification, and character references take time to gather. Counsel should begin building the package at the first consultation, not as the hearing approaches.
- Coordinate counsel across forums. Where the matter implicates multiple proceedings, having coordinated counsel (whether one firm or multiple firms in close communication) avoids the strategic errors that inconsistent representation creates.
- Understand the public-record dimension. Many dispositions create searchable records that follow the licensee, defendant, or respondent for years. The decision to contest versus resolve must account for the public visibility of each path.
For a confidential evaluation of your matter, call L&L Law Group at (972) 370-5060 or email info@landllawgroup.com. Initial consultations are free.
Next Steps
If you are facing a situation described here, consult counsel promptly. Many issues in this area run on strict deadlines.
- Call (972) 370-5060
- Email info@landllawgroup.com
Cite this guide
Bluebook: Reggie London & Njeri London, Van Buren v. United States Impact, L&L Law Group (May 30, 2026), https://landllawgroup.com/insights/van-buren-impact-cfaa/.
APA: London, R., & London, N. (2026, May 30). Van Buren v. United States Impact. L&L Law Group.

