By Sehseh Sanan
The United States Supreme Court recently heard arguments on the reach of the federal Computer Fraud and Abuse Act (CFAA). The case, Van Buren v. United States, considers the CFAA’s definition of “exceeding authorized access.” It is the first time the Supreme Court has reviewed the CFAA, which was enacted in 1986 to address hacking but which has been amended a number of times since.
The Court’s decision may have implications for computer use policies in a variety of business situations involving employee and licensee access to computers and databases.
The CFAA aims to penalize anyone who intentionally accesses a computer without authorization or who exceeds authorized access and obtains information stored on that computer.
18 U.S. Code § 1030(a) states:
(a) Whoever—
(2) Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;
(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter…
With the text of the statute in mind, Van Buren addresses the CFAA by asking whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he/she accesses the same information for an improper purpose.
Nathan Van Buren was a police officer in Georgia who utilized a police database to search license plates in exchange for money, and not in the course of his employment.
Van Buren argued the federal CFAA statute is meant to prevent computer hacking and unauthorized use of electronic systems, and it applies only if the defendant obtains information that he was under no circumstances entitled to obtain. Under Van Buren’s argument, the CFAA was not intended to and should not penalize defendants under federal criminal law when they are authorized to access a computer or database but use it in an unauthorized way.
The government’s argument hinges on the inclusion of “so” in the clause “is not entitled so to obtain or alter” in the definition of “exceeds authorized access.” If the Court accepts the government’s argument, then investigations, prosecutions, and sanctions under the CFAA will broaden significantly.
What does this case mean for entrepreneurs? Businesses that depend on employee and licensee access to computer processes and databases may need to carefully review computer access policies and provide adequate guidance to employees and licensees.
Examples of potential areas of prosecution include:
- Using a database of customer information to provide customer information to someone outside the company.
- Accessing a licensed database and using the information for other unauthorized purposes.
- Using a work computer to download personal programs.
- An employee modifying system files that are not in the scope of their job.
- Making files public that are supposed to be private.
- An employee utilizing a password that does not belong to them.
- An employee utilizing their own password to access information that is prohibited by computer use policies, confidentiality agreements, and employment contracts.
- An employee using a work computer to download trade secrets in order to compete against their employer.
However the Court decides, the decision is likely to influence computer-based businesses, including users such as cybersecurity experts, journalists, and researchers who may have difficulty accessing information.
If the Court rules in favor of the government’s prosecution under the CFAA, the scope of what is considered a computer crime will broaden, and the control exerted over users will increase. On the other hand, if the Court does not support the application of the CFAA to unauthorized uses of information, there are concerns that privacy rights will decrease.