Supreme Court Limits Prosecutions for Unauthorized Computer Use
WASHINGTON — A U.S. Supreme Court ruling Thursday makes it harder to impose liability on workers who use their employers’ computers for unauthorized purposes.
The ruling restricts the Justice Department’s authority to prosecute unauthorized computer use under the 1986 Computer Fraud and Abuse Act. It also makes it harder for employers to sue their workers when they abuse their rights to computer access.
“The government’s interpretation of the [law] would attach criminal penalties to a breathtaking amount of commonplace computer activity,” Justice Amy Coney Barrett wrote for the majority.
The issue arose in the case of Cumming, Georgia, police officer Nathan Van Buren, who accepted $6,000 from an acquaintance to check a computer database to determine whether a stripper was an undercover law enforcement agent.
The acquaintance who requested the database search was an FBI informant who was helping in the arrest of Van Buren.
Van Buren was found guilty of violating the Computer Fraud and Abuse Act in a jury trial and sentenced to 18 months in prison. His appeals led him to the Supreme Court.
The ruling comes at a time when the government is struggling with strategies to halt damaging cyberattacks, which could originate from insider use of an organization’s computers.
Ironically, the Supreme Court released its decision the same day the Justice Department announced it was elevating its enforcement against hacking of large corporate and government computer networks to the same level as terrorism.
Recent cyberattacks against energy company Colonial Pipeline, meat processor JBS S.A. and government agencies infiltrated by the SolarWinds hackers helped to provoke the Justice Department’s policy revision.
Prosecutors’ primary legal tool against insider hacking of government and private computer networks is the Computer Fraud and Abuse Act. Historically it has been used by businesses seeking to stop insiders from inappropriately tapping into their trade secrets.
The clause of the law considered by the Supreme Court forbids persons from using their computer access “to obtain or alter information in the computer that the accessor is not entitled to obtain or alter.”
Van Buren’s attorney argued the federal law allows prosecutions or lawsuits for deviations from employee job duties as minor as a secretary opening a work Zoom account for personal use.
Justice Department attorneys said Van Buren’s attorney exaggerated the risk of liability.
Eric J. Feigin, a Justice Department deputy solicitor general, said the defense’s description of the law’s liability risks was a “wild caricature of our position.”
Nevertheless, the 6-to-3 majority opinion said that if the Computer Fraud and Abuse Act “criminalizes every violation of a computer-use policy … then millions of otherwise law-abiding citizens are criminals.”
The court’s opinion added that a broad interpretation of the Computer Fraud and Abuse Act would “criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.”
The dissent written by Justice Clarence Thomas says the majority reached a conclusion different from the language of the federal law. The Computer Fraud and Abuse Act was intended to place limits on employee authorizations, similar to a valet parking a car instead of driving away with it on a joyride, the dissent said.
Thomas wrote, “It is understandable to be uncomfortable with so much conduct being criminalized but that discomfort does not give us authority to alter statutes.”
The ruling also overturned Van Buren’s criminal conviction.
The case drew numerous amicus curiae — or friend of the court — briefs from industry and civic groups.
The nonprofit employee advocacy group National Whistleblower Center said that although the Computer Fraud and Abuse Act was not intended to cause reprisals against employees who report bad conduct, “whistleblowers have nevertheless been subjected to retaliatory lawsuits by bad actors under the CFAA.”
However, the Federal Law Enforcement Officers Association wrote in a brief that narrowing enforcement authority under the Computer Fraud and Abuse Act “would allow any person who has legitimate access to the data carte blanche to access and use (or indeed in many cases destroy) that data for any manifestly blameworthy reason they choose.”
The case is Van Buren v. U.S., case number 19-783, in the U.S. Supreme Court.