Supreme Court Limits Prosecutors’ Use of Anti-Hacking Law

The Supreme Court on Thursday limited prosecutors’ ability to use an anti-hacking law to charge people with computer crimes.

Conservative and liberal justices joined to vote 6-3 to overturn the conviction of a police sergeant who used a work database to run a license plate search in exchange for money. The justices ruled prosecutors had overreached in using the federal Computer Fraud and Abuse Act to charge him. The case is important guidance in narrowing the scope of the law.

Lawyers for the police sergeant had warned when the case was argued in late November that if the court ruled against him it could have sweeping consequences. They argued it could make a federal crime out of using a computer for virtually any unauthorized purpose, from “checking sports scores at work to inflating one’s height on a dating website.”

The court agreed, rejecting the arguments of former President Donald Trump’s administration for a broad reading of the statute. Trump’s three appointees to the court joined the three liberals to rule for the police sergeant. Justice Amy Coney Barrett, Trump’s most recent appointee, wrote for the majority that the government’s interpretation of the law “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” She said if the government’s interpretation of the law were correct then “millions of otherwise law-abiding citizens are criminals.”

“Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated” the law, she wrote.

The Computer Fraud and Abuse Act became law in 1986 and was a response by Congress to a growing need to address computer crimes. It imposes criminal liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.”

A majority of the justices concluded that the law “does not cover those who … have improper motives for obtaining information that is otherwise available to them.”

In a dissent, Justice Clarence Thomas said that an “ordinary reader of the English language” would have concluded that the police sergeant in the case exceeded his “authorized access.” And he called the majority’s interpretation of the law “contrary to the plain meaning of the text.” He was joined by fellow conservatives Chief Justice John Roberts and Justice Samuel Alito.

The case in which the justices ruled involved Nathan Van Buren, a police sergeant in Cumming, Georgia. As part of his job, he had access to a law enforcement database of license plate and vehicle registration information. As part of an FBI sting operation Van Buren was asked to conduct a license plate search in exchange for money. After he ran the search, prosecutors charged him with fraud and with violating the Computer Fraud and Abuse Act.

Van Buren was convicted on both counts and sentenced to 18 months in prison. He argued the Computer Fraud and Abuse Act didn’t apply because he accessed a database that he was authorized to access.

Van Buren’s lawyer, Jeffrey Fisher, wrote in an email: “We’re very pleased with the Court’s opinion and are glad that the CFAA is now restricted to its proper reach.” A spokeswoman for the Department of Justice did not immediately respond to an email requesting comment.

The case is Van Buren v. United States, 19-783.

Related: Inside the Legislative and Regulatory Minefield Confronting Cybersecurity Researchers

Related: Countermeasure: Hack the Hacker?