Supreme Court Places Limits on What Actions Violate Federal Hacking Law

The Supreme Court ruled today that a federal law that criminalizes computer hacking doesn't cover cases where a person misuses data that he has authorized access to. The decision may sound small and technical, but it could have important implications in restraining federal prosecutions.

The Computer Fraud and Abuse Act (CFAA) of 1986 makes it a felony when someone "intentionally accesses a computer without authorized access or exceeds authorized access." While lawmakers' obvious intent was to punish cybercriminals breaking into computer systems or online platforms, it's not clear what "authorized access" fundamentally means. The statute was written before the wide adoption of the internet. What we do online and with computers is fundamentally different from what the world looked like in 1986.

The penalties for violating the CFAA can be extremely harsh, with a sentence of up to 10 years for each violation. Prosecutors use this combination of vague language and severe penalties to get defendants to submit to plea deals. Open-access activist Aaron Swartz was threatened with a lengthy prison sentence if he didn't accept a plea deal for downloading millions of academic papers from an MIT computer with the intent of making them freely available. Instead he killed himself.

Is violating a website's terms of use a violation of the CFAA? In 2008, Lori Drew was convicted for cyberbullying a teen who later committed suicide. Prosecutors used the CFAA in that case because Drew violated MySpace's user terms to make a fake account. In 2009 a judge overruled the verdict, saying it "criminalizes what would be a breach of contract."

The case the Supreme Court decided today, Van Buren v. United States, revolves around another vague application of the CFAA. Georgia Police Sergeant Nathan Van Buren used his access to his police car database to look up a license plate number in exchange for money. This violated his department's policy, but he did have actual authorization to access the database for his work. So did it violate the CFAA to misuse this authorization?

In a 6–3 decision penned by the newest Justice, Amy Coney Barrett, the court ruled that it did not. The law, she writes, does not allow prosecution of those who "have improper motives for obtaining information that is otherwise available to them." Otherwise, Barrett notes, the consequences would be extraordinarily far-reaching:

If the "exceeds authorized access" clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government's reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.

She adds that the government's preferred reading of CFAA could go so far as to criminalize lying on a dating profile or using a fake name on Facebook.

Instead, she concludes, "exceeds authorized access" means a person has accessed data that has specifically been declared off-limits. Barrett is joined in the opinion by Justices Stephen Breyer, Sonia Sotomayor, Elena Kagan, Neil Gorsuch, and Brett Kavanaugh.

To be clear, this decision doesn't give police officers a green light to access database information for non-policing purposes. It just means that shouldn't be charged under a federal law intended to catch criminal hackers.

Justice Clarence Thomas wrote the dissent, joined by Chief Justice John Roberts and Justice Samuel Alito. Thomas argues that it's common for the law to punish those who exceed their authorization beyond the scope of consent. In response to Barrett's observation that a broad reading of the CFAA would criminalize a lot of common activity, Thomas notes that "much of the Federal Code criminalizes common activity." He then lists several unusual federal crimes, such as breaking a lamp in a government building or permitting a horse to eat grass on federal land. These odd laws that have been highlighted by Mike Chase, mastermind of the Twitter account @CrimeADay and author of How to Become a Federal Criminal: An Illustrated Handbook for the Aspiring Offender. (Chase noticed the references.)

This shouldn't be taken to mean that Thomas, Roberts, and Alito agree with the CFAA or think it's well-written. They believe the Department of Justice is correct when it argues that misusing authorization in unapproved ways is a violation of the law. Congress can always change the law if members conclude its being used too broadly.

The ruling is important in that it will (one hopes) force federal prosecutors to stop trying to throw more charges at defendants for cases that don't really involve hacking.

For more analysis of the ruling, check out the Twitter feed of Orin Kerr, a Berkeley law professor, Volokh Conspiracy contributor, and CFAA expert. He's so much of an expert that the decision cited him four times.