A Supreme Court ruling limits the reach of a landmark hacking law

The Supreme Court's 6-3 ruling is a significant step in limiting the bounds of the Computer Fraud and Abuse Act.

The Supreme Court issued a 6-3 ruling Thursday determining that improper use of a computer system by someone allowed to use it does not fall under the Computer Fraud and Abuse Act, the nation’s landmark hacking law.

The ruling is a significant step in limiting the bounds of the law, which critics have long blasted as overly broad. It’s the first time the court has ruled on a case involving the decades-old hacking statute.

The case in question involved former Georgia police officer Nathan Van Buren, who was accused of looking up license plate data in a law enforcement database in exchange for bribes. The prosecution argued that Van Buren’s use exceeded “authorized access,” putting him in violation of the Computer Fraud and Abuse Act.

Such an interpretation “would attach criminal penalties to a breathtaking amount of commonplace computer activity,” Justice Amy Coney Barrett, who authored the majority opinion, wrote. “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.”

The decision reverses a lower court ruling that had upheld a jury verdict against the officer.

While experts have hailed the ruling as a significant step in narrowing what kind of cases are brought forward under CFAA in the future, they note that the court leaves a big loophole in defining what “authorization” actually means.

In a footnote, the majority opinion declines to address whether access is based on technological access or on contracts or policies.

“They dodge one of the really crucial questions that I think many people were looking to them to resolve with this case, which is whether violation of terms of service agreements, or other written contracts around computer use, are considered violations of the CFAA or whether it actually has to involve some kind of technical code circumvention to be a CFAA violation,” said Josephine Wolff, assistant professor of cybersecurity policy at Tufts University.

That leaves the door open to ongoing debate in the lower courts. Wolff pointed to a 2009 case in which the U.S. District Court of Central California indicted a woman under CFAA using the argument that her violation of MySpace’s terms of service constituted unauthorized access. The woman had created a fake account to pose as a love interest for a teenage girl, ultimately leading to the girl’s suicide. The defendant, Lori Drew, was found guilty of a misdemeanor violation of the CFAA. She was later acquitted.

The Electronic Privacy Information Center, a nonprofit organization that filed an amicus brief opposite Van Buren because of fears that a narrow interpretation in the case would let government officials abuse their access to sensitive information and violate privacy, also expressed concerns about the loophole left by the ruling.

“The range of criminalized activities may, in some respects, still be much broader than even the Government was advocating,” the group said in a statement. “Certain website terms of service that prohibit specific individuals or groups from accessing the website may still be enforceable even if the individuals have no knowledge of the restrictions and the website owners do nothing else to limit access.”

The decision points to a need for sweeping privacy legislation, said Sen. Ron Wyden (D-Ore.), who has criticized the law.

“The Supreme Court recognized today that the terribly written CFAA crossed the line by criminalizing everyday activities like using your work computer to read the news or send personal emails,” Wyden said in a statement. “Today’s ruling helps rectify the damage caused by that reactionary law. However, today’s case highlights the pressing need for Congress to pass comprehensive privacy legislation and to protect users against corporate employees who abuse their access to databases of sensitive personal information.”

EPIC also called for privacy legislation.

“The outcome of this case highlights the urgent need for comprehensive privacy legislation,” the group said in a statement. “We need enforceable rules to prevent improper access to and misuse of personal information contained in both government and private databases.”

The dissent, issued by Justice Clarence Thomas, argued that the law falls within the logic of physical property violations.

“What is true for land is also true in the computer context; if a company grants permission to an employee to use a computer for a specific purpose, the employee has no authority to use it for other purposes,” he wrote.

Updated, 6/4/21: This story was updated to clarify that a quotation from the dissent was written by Clarence Thomas.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
