(no title)

What you are missing is that you are assuming that the CFAA is the only means by which Van Buren should be punished. So you are assuming that either the CFAA covers this abuse, or he gets off completely free.

The CFAA isn't the only means to deal with his conduct. Although it doesn't apply, he is still liable to be punished under whatever regime he was given access to it.

In simplified form:

He was granted access to the system pursuant to his employment - ie he was able to log into it, whereas the average citizen can't. Whatever conditions are applicable to that grant are the ones to apply when he abuses that access (eg if the policy says "you can only access this for these purposes, or you will be fired" then if he accesses it for a different purpose, they can fire him).

That is quite separate from the CFAA.

The CFAA is a parallel source of obligations, and is part of the criminal law.

Just because Van Buren breached the terms on which his employer let him access the database doesn't necessarily mean he committed a crime as well.

What SCOTUS did was say that the criminal law provision essentially deals with the "technical" side of access:

* if you get into a computer that you have no access to (ie hacking into it), you breach the relevant section.

* if you are authorised by the operator to have the technical means to access to certain info in the computer (eg permissions), and you do something to access other material, you breach the section (eg escalation of privileges)

* if you have the technical means to access the computer (eg log/password) and you access material that is permitted under those means (ie the user account), but you are not authorised to have that means of access (ie stolen login credentials), you also breach the section.

The problem with the interoperation that SCOTUS rejected was that under EULAs, the provider could essentially say "you can use our systems to log in and view information. But if we decide we don't like you, or you haven't paid your bill, or if you decide you are going to vote for politician X in the upcoming election, then if you actually view any information while you are logged in, you breach the act and commit a crime"

The rejected interpretation said: "authorised does not just mean you have been provided with the technical means to access the information, but also any additional conditions put on your use of the technical means by the person who granted it, which may change at any time" (eg change of policy, what is going through the user's mind)

So the answer to your observation:

> I feel pretty strongly that what van Buren did is a massive abuse of authority and it warrants punishment.

is: it is exactly that. But it is punishment to be delivered via the process granting him the access to the information (ie whatever sanctions apply to violation of departmental policy). What he did was a breach of that policy, leaving him open to whatever sanctions are provided in it. But it is not also a crime under the CFAA.