Supreme Court Narrows Computer Crime Law
The U.S. Supreme Court recently held that the Computer Fraud and Abuse Act (CFAA) is not applicable to someone who accesses a computer he or she is allowed to access, and does not exceed the scope of the information he or she is permitted to access, but does so for a prohibited purpose. In a 6-3 split, the justices reversed the Eleventh Circuit’s October 2019 decision to uphold an ex-police officer’s conviction for having “exceeding” his authorized access to a law enforcement database by accepting money to run a license-plate search using his computer system access.
The CFAA, which is the main federal anti-hacking law used by prosecutors when individuals are accused of breaking into government or private computer networks, makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
While the officer clearly violated his department’s policy, which authorized him to obtain database information for law enforcement purposes only, the court held that he did not violate the CFAA. The Court held that an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him, but not by using resources he would normally be entitled to use.
The parties agreed that the officer accessed a computer with authorization, the issue, however, was whether he was “entitled so to obtain” that information. The Court reasoned that the government’s interpretation of the “exceeds authorized access” clause would attach criminal penalties to a “breathtaking amount of commonplace computer activity,” such as employees who use computers or electronic devices for personal purposes despite company policies that they are to be used for business purposes only. Because the officer was authorized to use the law enforcement database and was authorized to obtain this type of information, he did not violate the CFAA.