Supreme Court narrows Computer Fraud and Abuse Act: Misusing access not quite the same as breaking in

We'll explain everything for you

The US Supreme Court on Thursday limited the scope of the 1986 Computer Fraud and Abuse Act (CFAA) in a ruling that found a former sergeant did not violate the law by misusing his access to a police database.

When he was a police officer in Georgia, Nathan Van Buren used his credentials to log into the computer in his patrol car to access a license plate database at the request of an acquaintance – who, unbeknownst to Van Buren, was participating in an FBI sting operation.

Van Buren provided the acquaintance with information from the database, and the FBI arrested Van Buren on the basis that the database search, done outside of the scope of his duties and contrary to department policy, violated the CFAA's "exceeds authorized access" clause of 18 U.S.C. §1030(a)(2).

In 2017, a jury convicted Van Buren, and he subsequently received an 18-month prison sentence. Van Buren appealed, arguing that the CFAA does not apply to misuse of existing system access, but the Eleventh Circuit Court of Appeals upheld his conviction.

The CFAA prohibits accessing a protected computer "without authorization" and accessing a protected computer in a way that "exceeds authorized access." The problem with these ill-defined terms is that there's been disagreement in different courts over whether the law imposes criminal liability for violating Terms of Service (ToS) agreements.

Some US courts have taken the statute to mean that ToS violations constitute criminal offenses, whereas others interpret the law more narrowly to apply only when there's some element of hacking or breaking into a system.

"Access 'without authorization' is understood to require some kind of breaking in," said Orin Kerr, law professor at UC Berkeley School of Law, via Twitter. "The question here is whether 'exceeds authorized access' does, too."

That question was mostly resolved in the Supreme Court's 6-3 decision today in Van Buren v. US [PDF]. Writing for the majority, Associate Justice Amy Coney Barrett said Van Buren, though he flouted departmental policy, did not violate the CFAA by abusing his computer system access.

"This provision [of the CFAA] covers those who obtain information from particular areas in the computer — such as files, folders, or databases — to which their computer access does not extend," Associate Justice Barrett wrote. "It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them."

Qualified support

The ruling was welcomed by the Electronic Frontier Foundation, which has argued for years that the vaguely worded statute needs to be clarified.

"EFF has long fought to reform vague, dangerous computer crime laws like the CFAA," said EFF Senior Staff Attorney Andrew Crocker in a statement to The Register. "We're gratified that the Supreme Court acknowledged that overbroad application of the CFAA risks turning nearly any user of the Internet into a criminal based on arbitrary terms of service.

"We remember the tragic and unjust results of the CFAA's misuse, such as the death of Aaron Swartz, and we will continue to fight to ensure that computer crime laws no longer chill security research, journalism, and other novel and interoperable uses of technology that ultimately benefit all of us."

The ruling means that the violation of ToS rules alone is not a criminal offense under the CFAA, and solidifies lower court rulings that came to that same conclusion, such as Sandvig v. Barr last year. In that case, the US District Court for the District of Columbia ruled that researchers providing false information to employment websites to test for discriminatory algorithms did not violate the CFAA, even if doing so violated the site's ToS.

"I am elated that the Supreme Court made clear today that violations of websites’ terms of service alone do not constitute violations of the Computer Fraud and Abuse Act," said Alan Mislove, one of the plaintiffs in Sandvig, and a professor of computer science at Northeastern University, in a statement issued by the ACLU.

"This decision removes a significant cloud of uncertainty and legal risk for researchers who perform online civil rights testing."

At the same time, the ruling doesn't entirely clarify the CFAA. Kerr observes that in a footnote, the court appears to adopt an authentication test – whether a user's credentials remove a gate to access. Yet in a different footnote, he points out, the Court says it doesn't need to address whether permissible access depends only on code-based limitations or whether limitations spelled out in contracts or policies come into play.

To resolve the CFAA's ambiguity, the Congressional Research Service argued last September [PDF] that, "regardless of what the Court does in Van Buren," Congress should revise the law to make it clearer. The CRS report, as an example, points to Aaron’s Law, a bill introduced in honor of late internet activist Aaron Swartz, that proposed replacing the ill-defined CFAA "exceeds authorized access" language so criminal charges are only applicable when there's knowing circumvention of technological or physical access methods.

In a statement, US Senator Ron Wyden (D-OR), one of the authors of Aaron's Law, echoed that sentiment.

"The Supreme Court recognized today that the terribly written CFAA crossed the line by criminalizing everyday activities like using your work computer to read the news or send personal emails," he said.

"Today's ruling helps rectify the damage caused by that reactionary law. However, today's case highlights the pressing need for Congress to pass comprehensive privacy legislation and to protect users against corporate employees who abuse their access to databases of sensitive personal information." ®
