Last year, the US Supreme Court rendered an opinion that narrowed the scope of the Computer Fraud and Abuse Act ("CFAA"). Last month (probably in response to the SCOTUS opinion) the Department of Justice issued a press release to announce the revision of its policy regarding charging violations under the CFAA. The DOJ toed the line and revised its policy to align with the Supreme Court's interpretation of the statute.
SCOTUS OPINION: NATHAN VAN BUREN v. UNITED STATES
So how did SCOTUS end up deciding a case under the CFAA. Here's how:
Nathan Van Buren, a former police sergeant, ran a license plate search on a law enforcement computer database in exchange for money. Of course, Van Buren was authorized to use the database for law enforcement purposes only. The question for the courts was whether Van Buren also violated the CFAA, which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The trial court decided that Van Buren violated the act and the appellate court agreed, but then Van Buren took the case to the highest court in the land - big bad SCOTUS.
Ultimately, our highest Court disagreed with the lower courts' and the Government's interpretation of the statute. The Court decided that Van Buren did not violate the CFAA.
As quoted from the SCOTUS opinion:
This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.
If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” []—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers. And indeed, numerous amici explain why the Government’s reading of subsection (a)(2) would do just that—criminalize everything from embellishing an online dating profile to using a pseudonym on Facebook.
In sum, an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to her.
NEW DOJ POLICY
Taking its lead from SCOTUS, the new policy focuses the department's resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer - such as one email account - and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users' emails.
When the US Supreme Court says something about something, the Government listens.
The new policy states explicitly the longstanding practice that "the department's goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems."
IF YOU CAN'T BEAT 'EM, JOIN 'EM!!
From the DOJ's perspective, what's the point of prosecuting claims that the SCOTUS decided is not unlawful under the CFAA. It is a waste of Government resources. So, refocus efforts on what matters - prosecuting unlawful acts.
From my perspective, I am happy to see that the DOJ is promoting privacy and cybersecurity (as should every Government entity).
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP
Comments