A Supreme Court ruling limits the reach of a landmark hacking law
The Supreme Court issued a 6-3 ruling Thursday determining that improper use of a computer system by someone allowed to use it does not fall under the Computer Fraud and Abuse Act, the nation’s landmark hacking law.
The ruling is a significant step in limiting the bounds of the law, which critics have long blasted as overly broad. It’s the first time the court has ruled on a case involving the decades-old hacking statute.
The case in question involved former Georgia police officer Nathan Van Buren, who was accused of looking up license plate data in a law enforcement database in exchange for bribes. The prosecution argued that Van Buren’s use exceeded “authorized access,” putting him in violation of the Computer Fraud and Abuse Act.
Such an interpretation “would attach criminal penalties to a breathtaking amount of commonplace computer activity,” Justice Amy Coney Barrett, who authored the majority opinion, wrote. “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.”
The decision reverses a lower court ruling that had upheld a jury verdict against the officer.
While experts have hailed the ruling as a significant step in narrowing what kind of cases are brought forward under CFAA in the future, they note that the court leaves a big loophole in defining what “authorization” actually means.
In a footnote, the majority opinion declines to address whether authorized access is defined by technological barriers or by contracts or policies.
“They dodge one of the really crucial questions that I think many people were looking to them to resolve with this case, which is whether violation of terms of service agreements, or other written contracts around computer use, are considered violations of the CFAA or whether it actually has to involve some kind of technical code circumvention to be a CFAA violation,” said Josephine Wolff, assistant professor of cybersecurity policy at Tufts University.
That leaves the door open to ongoing debate in the lower courts. Wolff pointed to a 2009 case in which the U.S. District Court of Central California indicted a woman under CFAA using the argument that her violation of MySpace’s terms of service constituted unauthorized access. The woman had created a fake account to pose as a love interest for a teenage girl, ultimately leading to the girl’s suicide. The defendant, Lori Drew, was found guilty of a misdemeanor violation of the CFAA. She was later acquitted.
The Electronic Privacy Information Center, a nonprofit organization, also expressed concerns with the loophole left by the ruling. The group had filed an amicus brief opposite Van Buren because of fears that a narrow interpretation in the case would let government officials abuse their access to sensitive information and violate privacy.
“The range of criminalized activities may, in some respects, still be much broader than even the Government was advocating,” the group said in a statement. “Certain website terms of service that prohibit specific individuals or groups from accessing the website may still be enforceable even if the individuals have no knowledge of the restrictions and the website owners do nothing else to limit access.”
The decision points to a need for sweeping privacy legislation, said Sen. Ron Wyden (D-Ore.), who has criticized the law.
“The Supreme Court recognized today that the terribly written CFAA crossed the line by criminalizing everyday activities like using your work computer to read the news or send personal emails,” Wyden said in a statement. “Today’s ruling helps rectify the damage caused by that reactionary law. However, today’s case highlights the pressing need for Congress to pass comprehensive privacy legislation and to protect users against corporate employees who abuse their access to databases of sensitive personal information.”
EPIC also called for privacy legislation.
“The outcome of this case highlights the urgent need for comprehensive privacy legislation,” the group said in a statement. “We need enforceable rules to prevent improper access to and misuse of personal information contained in both government and private databases.”
The dissent, issued by Justice Clarence Thomas, argued that the law falls within the logic of physical property violations.
“What is true for land is also true in the computer context; if a company grants permission to an employee to use a computer for a specific purpose, the employee has no authority to use it for other purposes,” he wrote.
Updated, 6/4/21: This story was updated to clarify that a quotation from the dissent was written by Clarence Thomas.