The U.S. Supreme Court on Thursday said a Georgia police officer had not violated the country’s main anti-hacking law by improperly accessing a government database for financial gain, a decision likely to curtail prosecutions under the Computer Fraud and Abuse Act (CFAA) of individuals who misuse computer systems to which they have legal access.
The police officer, Nathan Van Buren, was arrested and charged under the 1986 law after accepting payment from an FBI informant to search a law enforcement database of license plate information. The government charged Van Buren with violating the CFAA, which prohibits people from knowingly “exceeding” their “authorized access” to a computer system.
The ruling is widely viewed as a win for criminal defense lawyers who’ve long criticized the statute as overly ambiguous and who’ve accused prosecutors of employing an overly expansive interpretation. The government has previously brought charges under the CFAA against people accused of violating corporate computer policies and website terms of service.
The ruling is “an important victory for civil liberties and civil rights enforcement in the digital age,” the American Civil Liberties Union said.
In its 6-3 decision, the Supreme Court found Van Buren’s use of the license plate database—however improper—was not “unauthorized,” insofar as the CFAA is concerned.
“In sum, an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him,” the court’s opinion, delivered by Justice Amy Coney Barrett, says.
Barrett went on to note the government has never argued that Van Buren was prohibited from accessing the database, even if his motives for doing so, in this case, were immoral. “The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could,” she wrote.
Justices Clarence Thomas, Samuel Alito, and Neil Gorsuch dissented.
The CFAA first arose as a topic of national debate in earnest in late 2011 after the Justice Department indicted Aaron Swartz, a young technology activist, for downloading a large number of academic journals from MIT’s computer network. He was charged, among other counts, with accessing MIT’s network “in excess of authorized access.”
A programming prodigy who invented the software behind RSS at age 14, Swartz died by suicide two years later. His father would later accuse federal prosecutors of hounding his son to death, calling the pursuit “a complete miscarriage of justice.”
“The Supreme Court’s decision will allow researchers and journalists to use common investigative techniques online without fear of CFAA liability, say Esha Bhandari, deputy director of the ACLU’s speech, privacy, and technology Project. “It clears away a major barrier to online anti-discrimination testing and research, which is necessary to hold powerful companies and platforms accountable.”
Sen. Ron Wyden, a Democrat of Oregon who co-sponsored legislation to reform the CFAA in the wake of Swartz’s death, calling it “inconsistently and capriciously applied,” said Thursday’s ruling had affirmed the disturbing malleability with which prosecutors have wielded the “terribly written CFAA.”
“Today’s ruling helps rectify the damage caused by that reactionary law,” he said.
Wyden—author of the Mind Your Own Business Act—added the case further underscores an urgent need to pass comprehensive privacy legislation at the federal level, to protect users, he said, “against corporate employees who abuse their access to databases of sensitive personal information.”
Update, 1:30pm: Statements added from the ACLU characterizing the ruling.
Update, 2:20pm: Statements added from the Sen. Ron Wyden
DISCUSSION
Gotta say, I kinda agree with this. I have access to a lot of systems at my job. Misusing the resources I have for financial gain is against company policy, and may be a crime, but is it a Federal “hacking” offense?