The U.S. Supreme Court has ruled 6-3 in favor of Nathan Van Buren, a ruling that limits the Computer Fraud and Abuse Act (CFAA), which many have claimed to be overly broad.
Van Buren, a former Georgia police sergeant who searched a license plate database for an acquaintance in exchange for bribes, had been prosecuted on two counts: one for accepting a kickback for accessing the database as a serving police officer, and another for violating the CFAA. He has now been cleared on both counts.
The legal question in the case was not whether he had access to the database, but whether he had exceeded "authorized access" to the database.
The prosecution argued this in front of the court, putting the former police sergeant in violation of the CFAA.
However, Justice Amy Coney Barrett, who wrote the majority opinion, argued that interpretation "would attach criminal penalties to a breathtaking amount of commonplace computer activity. If the 'exceeds authorized access' clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals."
This broad interpretation of the law could have made untold employees insider threats, many of them accidental insiders. And some say it could mean simple things like sharing streaming service passwords or lying on an online dating profile would be criminalized.
However, the dissenting justices certainly see this case differently.
Justice Clarence Thomas wrote the dissenting opinion:
"What is true for land is also true in the computer context; if a company grants permission to an employee to use a computer for a specific purpose, the employee has no authority to use it for other purposes."
CFAA Supreme Court decision will have major impact
Depending on where you fall on the "unauthorized access" part of the argument, you will feel one way or the other about the ruling.
Robert Cattanach, a partner at international law firm Dorsey & Whitney, shared his thoughts on the case:
"The consequences of the decision will be far-reaching, as an important tool for law enforcement will now be strictly limited to outside intruders. Conversely, however, the decision avoids the specter of vague line-drawing, and the threat of criminal prosecution, for when a user's activities were 'authorized.'
In a divided decision, the Supreme Court ruled that individuals with approved access to computers, but misusing that access for improper purposes, do not violate the Computer Fraud and Abuse Act (CFAA). The decision resolves a split among U.S. Circuit Courts of Appeal, which had adopted conflicting interpretations of the law.
In a rare alliance of liberal and conservative Justices, in an opinion authored by Justice Barrett, the Court ruled that the language of the CFAA regarding unauthorized access meant whether the user was allowed to access the computer system itself, and not whether the use made of the system was within the scope of authority of the user."
The cybersecurity industry has been waiting a long time for a defining ruling on the Computer Fraud and Abuse Act.
So what do you think: was this the right decision and why?