By Emma Nitzsche
On Thursday, The Supreme Court narrowed the controversial Computer Fraud and Abuse Act (CFAA) in a 6-3 ruling.
CFAA was created in 1986 as a legal remedy against computer hacking and has since been modified and reviewed. The law attempts to prevent individuals from accessing computer systems or individual files they were not previously permitted to access.
The virtual world has changed extensively since the law’s creation over three decades ago. Previous amendments attempted to modernize CFAA, but the National Association of Criminal Defense Lawyers pointed out that the amendments expanded its legal reach to include alleged misconduct far beyond its original intent.
On Thursday, the Court gave a fresh look to the extent of CFAA within the context of employer and employee authorization. The case, Van Buren v. United States, involves a former police officer who accepted a bribe to use a police database to violate department rules and look up a woman’s license plate. The question posed to the Court was whether the officer violated a provision of the CFAA that states it is illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the individual is not entitled so to obtain or alter.”
Justice Amy Coney Barrett wrote the majority opinion and held that Van Buren did not violate federal law when he accessed the database for an improper reason. Justice Barrett noted the officer would violate CFAA if he hacked into a prohibited database.
“An individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off-limits to him,” wrote Justice Barrett.
The critical distinction Justice Barrett made in her opinion is that Van Buren was previously given access to the database from his organization. Thus, simply accessing authorized areas in an unapproved fashion does not violate CFAA rules.
The majority ruling crossed the political aisle and had a mix of justices — including Justices Stephen Breyer, Sonia Sotomayor, Elena Kagan, Neil Gorsuch, and Brett Kavanaugh.
“This is an important victory for civil liberties and civil rights enforcement in the digital age,” said Esha Bhandari, the American Civil Liberties Union’s Speech, Privacy, and Technology Project deputy director.
Justice Barrett’s narrow interpretation of the CFAA prevents the seemingly endless list of activities that could be considered criminal under a broad understanding of the CFAA. Citing friend-of-the-court briefs, Barrett noted that “the Government’s interpretation of the ‘excess authorized access’ clause would attach criminal penalties to a breathtaking amount of commonplace computer activity.” Examples of commonplace computer activity include creating multiple Facebook accounts, playing solitaire on a work computer, and lying on a dating profile.
For instance, employers usually state that their employees can only utilize workplace computers for business purposes. Therefore, the New York Times notes that any employee who reads the news on her work computer would violate the 1986 law, turning millions of employees into federal criminals.
Cornell University Law School Professor James Grimmelmann remarked that the decision was “a substantial deal. It really clarifies that employees using computers disloyally is not a CFAA issue.”
Justice Clarence Thomas dissented and argued for a much more expansive reading of CFAA. Clashing with Justice Barret on the phrase “exceeds authorized access,” Justice Thomas argued that Van Buren didn’t have the right to use the computer to obtain personal information. The dissenting opinion would still allow companies to govern what computer users do with legally authorized information.
There may be other legal recourses to pursue when an individual misuses authorized information, but the Court ruled that citing CFAA is not an acceptable avenue.