Supreme Court Limits Prosecutions for Unauthorized Computer Use
WASHINGTON — A U.S. Supreme Court ruling Thursday makes it harder to impose liability on workers who use their employers’ computers for unauthorized purposes.
The ruling restricts the Justice Department’s authority to prosecute unauthorized computer use under the 1986 Computer Fraud and Abuse Act. It also makes it harder for employers to sue their workers when they abuse their rights to computer access.
“The government’s interpretation of the [law] would attach criminal penalties to a breathtaking amount of commonplace computer activity,” Justice Amy Coney Barrett wrote for the majority.
The issue arose in the case of Cumming, Georgia police officer Nathan Van Buren, who accepted $6,000 from an acquaintance to check a computer database to determine whether a stripper was an undercover law enforcement agent.
The acquaintance who requested the database search was an FBI informant who was helping in the arrest of Van Buren.
He was found guilty of violating the Computer Fraud and Abuse Act in a jury trial and sentenced to 18 months in prison. Van Buren’s appeals led him to the Supreme Court.
The ruling comes at a time the government is struggling with strategies to halt damaging cyberattacks, which could originate from insider use of an organization’s computers.
Ironically, the Supreme Court released its decision the same day the Justice Department announced it was elevating its enforcement against hacking of big corporation and government computer networks to the same level as terrorism.
Recent cyberattacks against energy company Colonial Pipeline, meat processor JBS S.A. and government agencies infiltrated by the SolarWinds hackers helped to provoke the Justice Department’s policy revision.
Prosecutors’ primary legal tool against insider hacking of government and private computer networks is the Computer Fraud and Abuse Act. Historically it has been used by businesses seeking to stop insiders from inappropriately tapping into their trade secrets.
The clause of the law considered by the Supreme Court forbids persons from using their computer access “to obtain or alter information in the computer that the accessor is not entitled to obtain or alter.”
Van Buren’s attorney argued the federal law allows prosecutions or lawsuits for deviations from employee job duties as minor as a secretary opening a work Zoom account for personal use.
Justice Department attorneys said Van Buren’s attorney exaggerated the risk of liability.
Eric J. Feigin, a Justice Department deputy solicitor general, said the defense’s description of the law’s liability risks was a “wild caricature of our position.”
Nevertheless, the 6-to-3 majority opinion said that if the Computer Fraud and Abuse Act “criminalizes every violation of a computer-use policy … then millions of otherwise law-abiding citizens are criminals.”
The court’s opinion added that a broad interpretation of the Computer Fraud and Abuse Act would “criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.”
The dissent written by Justice Clarence Thomas says the majority reached a conclusion different from the language of the federal law. The Computer Fraud and Abuse Act was intended to place limits on employee authorizations, similar to a valet parking a car instead of driving away with it on a joyride, the dissent said.
Thomas wrote, “It is understandable to be uncomfortable with so much conduct being criminalized but that discomfort does not give us authority to alter statutes.”
The ruling also overturned Van Buren’s criminal conviction.
The case drew numerous amicus curiae — or friend of the court — briefs from industry and civic groups.
The nonprofit employee advocacy group National Whistleblower Center said that although the Computer Fraud and Abuse Act was not intended to cause reprisals against employees who report bad conduct, “whistleblowers have nevertheless been subjected to retaliatory lawsuits by bad actors under the CFAA.”
However, the Federal Law Enforcement Officers Association wrote in a brief that narrowing enforcement authority under the Computer Fraud and Abuse Act “would allow any person who has legitimate access to the data carte blanche to access and use (or indeed in many cases destroy) that data for any manifestly blameworthy reason they choose.”
The case is Van Buren v. U.S., case number 19-783, in the U.S. Supreme Court.
In The News
The Supreme Court on Wednesday ruled that a Pennsylvania school district violated the First Amendment by punishing a student over a vulgar social-media rant sent away from school grounds. The vote was 8 to 1, with Justice Clarence Thomas dissenting. The underlying case was filed on... Read More
In a unanimous decision Monday, the justices held the NCAA can’t enforce rules limiting education-related benefits — like computers and paid internships — that colleges offer to student athletes. The case doesn’t decide whether students can be paid salaries. Instead, the ruling will help determine whether... Read More
WASHINGTON - The Supreme Court ruled on Monday that Congress erred when it set up a board to oversee patent disputes by failing to make the judges properly accountable to the president. As a result, it said, more than 200 administrative judges who preside over patent... Read More
The Supreme Court on Thursday dismissed a challenge to the Affordable Care Act, preserving insurance coverage for millions of Americans. By a 7-2 vote, the justices left the entire law intact and ruled that Texas and other Republican-led states (as well as two individual plaintiffs) have... Read More
WASHINGTON (AP) — With abortion and guns already on the agenda, the conservative-dominated Supreme Court is considering adding a third blockbuster issue — whether to ban consideration of race in college admissions. The justices on Monday put off a decision about whether they will hear an... Read More
The Supreme Court this week decided to leave in place a $2 billion verdict in favor of women who claim they developed ovarian cancer from using Johnson & Johnson talc products. As is their custom, the justices did not comment Tuesday on why they rejected Johnson & Johnson's... Read More