A Georgia police officer did not violate federal computer fraud law when he used his patrol car computer to access information on a license plate in exchange for money, even though his action violated his department’s policy against obtaining database information for non-law-enforcement purposes, according to the U.S. Supreme Court.
The U.S. Supreme Court sided with a police officer Nathan Van Buren who was charged with a felony under the Computer Fraud and Abuse Act of 1986 (CFAA). The court rejected the government’s interpretation of the CFAA, which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.”
A jury convicted Van Buren and he was sentenced to 18 months in prison. Van Buren appealed to the Eleventh Circuit, arguing that the “exceeds authorized access” clause in the CFAA applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have.
The Eleventh Circuit held that Van Buren had violated the CFAA, finding that an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases— that are off-limits to him.
In a 5-3 opinion authored by Justice Amy Coney Barrett, the Supreme Court has now found that the Eleventh Circuit erred, rejecting the government’s interpretation of the “exceeds authorized access” clause because it would “attach criminal penalties to a breathtaking amount of commonplace computer activity.”
The court cited examples including where employers commonly state that computers and electronic devices can be used only for business purposes. According to the government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA.
Barrett wrote that government’s approach would also “inject arbitrariness into the assessment of criminal liability, because whether conduct like Van Buren’s violated the CFAA would depend on how an employer phrased the policy violated (as a “use” restriction or an “access” restriction).”
The Justice Department had argued that in “common parlance,” the phrase “exceeds authorized access” would be understood to mean that Van Buren “exceed[ed] his authorized access” to the law enforcement database when he obtained license plate information for personal purposes.
But the justices said that was not the relevant question. Rather the issue is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase. The court said Van Buren did not exceed his authorized access under the CFAA.
Unbeknownst to Van Buren, he was part of a Federal Bureau of Investigation sting operation.
According to intellectual property lawyer Joshua Rich, the ruling could limit protections for employers’ against workers’ malicious or dishonest conduct.
“One interesting wrinkle from this case is that most of the employee prosecutions that have occurred under the CFAA would not withstand the Supreme Court’s interpretation, but they are things we definitely want to prevent,” he wrote in an article on the ruling.
Rich, a partner and general counsel at Chicago-based law firm McDonnell Boehnen Hulbert & Berghoff, notes some examples of cases that have all been prosecuted but that no longer can be in light of this ruling include ones involving IRS and Social Security employees accessing ex-spouses data so they can look into their information, police getting information for personal use and IRS officials looking up celebrity tax returns, to name a few.
Rich thinks the Supreme Court’s decision could move Congress to rewrite the CFAA more clearly but “in the meantime,” he said, “the meaning of ‘computer fraud’ has been greatly narrowed.”
The case is Van Buren v. U.S.