SCOTUS LIMITS COMPUTER FRAUD AND ABUSE ACT
While it may not get as much attention as some of the hot button political cases the U.S. Supreme Court will handle, the Court’s June 3 decision in Van Buren v. United States will have lasting implications as courts continue to determine the boundaries of the Computer Fraud and Abuse Act. The Van Buren decision will make life a little harder for prosecutors.
The Computer Fraud and Abuse Act, as the title suggests, is a piece of federal legislation aimed at curbing hacking. In a very general sense, it prohibits two types of conduct. In the first instance, it subjects to criminal (and civil) liability anyone who “intentionally accesses a computer without authorization.” But it also imposes liability on anyone who “exceeds authorized access.” Again, in a general sense the first part of the statute encompasses the traditional hacker who finds a way into a computer system. The second part is a little more complicated, as it recognizes that initial access was permitted. The question in that circumstance then is how do we determine whether the person exceeded the authorized access?
Van Buren was a Georgia police sergeant who used his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for a bribe. Van Buren didn’t realize that he was part of an FBI sting operation, and he was charged with violating the CFAA. The prosecutors contended Van Buren exceeded his authorized access because in sharing the information with the bribe payer, he violated policy by using the information for his personal use.
Van Buren argued that this interpretation was too broad. The CFAA’s focus is on the access to the data, not the ultimate use of the data. Van Buren argued that the data he accessed was data which he was authorized to access and that ended the inquiry. What he did with the data was not relevant for purposes of the CFAA.
The Supreme Court, in an opinion authored Justice Barrett, agreed with Van Buren. In its reading of the statute’s plain language, it determined that a person exceeds authorization only when that person initially accesses the computer with authorization, but then accesses areas in the computer – such as files, folders, or databases – to which the authorized access doesn’t extend. It does not cover people like Van Buren, who had improper motives for obtaining information that was otherwise available to them.
In Van Buren’s case, there was no dispute that he was authorized to access the license number data base. To allow him to be charged under the CFAA for a use of the information that violated Department policy would in essence allow the Department to amend the U.S. Criminal Code. The Supreme Court was not willing to go there.
Whether one agrees or disagrees with the decision, it provides some needed clarity on a question that has divided federal courts for some time. And if Congress doesn’t like it, they can amend the CFAA to broaden its scope. But for now, we can rest assured that “access” means “access” and not “use.”