US Supreme Court restricts broad scope of CFAA law

Today, the US Supreme Court restricted the scope of the federal Computer Fraud and Abuse Act after overturning the conviction of a Georgia police officer who searched a police database for money.

As part of an FBI sting operation, Georgia police sergeant Nathan Van Buren was paid to search a law enforcement database for information about a particular license plate number. After providing the information, Van Buren was charged with a felony violation of the Computer Fraud and Abuse Act (CFAA).

The CFAA is a cybersecurity bill created in 1986 that prohibits unauthorized access to computer systems and networks or acts that "exceeds authorized access." Due to the vague nature of the bill, the CFAA can be broadly interpreted to allow harmless actions such as violating a website's terms of service or violating corporate policies by using work devices to access personal accounts on social sites.

However, Van Buren's lawyers argued that the police officer had authorized access to the police database and did not exceed the authorized access given to him and should not be convicted under the CFAA.

Supreme court narrows scope of CFAA

In a 6-3 ruling in favor of Van Buren written by Justice Amy Coney Barret, the Court stated that while Van Buren's actions were improper, they did not exceed his authorized access and did not fall under the CFAA.

"We must decide whether Van Buren also violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter," reads the Supreme Court opinion.

"He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend."

"It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them."

Barret's opinion was joined by Justices Breyer, Sotomayer, Kaga, Gorsuch, and Kavanaugh.

In a dissenting opinion written by Justice Thomas and joined by Justice Roberts and Alito, Thomas argued that "the common law and statutory law have long punished those who exceed the scope of consent when using property that belongs to others."

"In the end, the Act may or may not cover a wide array of conduct because of changes in technology that have occurred since 1984. But the text makes one thing clear: Using a police database to obtain information in circumstances where that use is expressly forbidden is a crime. I respectfully dissent." - Justice Thomas.

Today's ruling is seen as a step forward for critics of the CFAA and its overly broad interpretation.

"Today's win is an important victory for users everywhere. The Court rightly held that exceeding authorized access under the CFAA does not encompass “violations of circumstance-based access restrictions on employers’ computers," the EFF stated in a blog post about the ruling.

"This means that private parties’ terms of service limitations on how you can use information, or for what purposes you can access it, are not criminally enforced by the CFAA," the EFF added.