Connect with us

Hi, what are you looking for?



Supreme Court Limits Prosecutors’ Use of Anti-Hacking Law

The Supreme Court on Thursday limited prosecutors’ ability to use an anti-hacking law to charge people with computer crimes.

The Supreme Court on Thursday limited prosecutors’ ability to use an anti-hacking law to charge people with computer crimes.

Conservative and liberal justices joined to vote 6-3 to overturn the conviction of a police sergeant who used a work database to run a license plate search in exchange for money. The justices ruled prosecutors had overreached in using the federal Computer Fraud and Abuse Act to charge him. The case is important guidance in narrowing the scope of the law.

Lawyers for the police sergeant had warned when the case was argued in late November that if the court ruled against him it could have sweeping consequences. They argued it could make a federal crime out of using a computer for virtually any unauthorized purpose, from “checking sports scores at work to inflating one’s height on a dating website.”

The court agreed, rejecting the arguments of former President Donald Trump’s administration for a broad reading of the statute. Trump’s three appointees to the court joined the three liberals to rule for the police sergeant. Justice Amy Coney Barrett, Trump’s most recent appointee, wrote for the majority that the government’s interpretation of the law “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” She said if the government’s interpretation of the law were correct then “millions of otherwise law-abiding citizens are criminals.”

“Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated” the law, she wrote.

The Computer Fraud and Abuse Act became law in 1986 and was a response by Congress to a growing need to address computer crimes. It imposes criminal liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.”

A majority of the justices concluded that the law “does not cover those who … have improper motives for obtaining information that is otherwise available to them.”

Advertisement. Scroll to continue reading.

In a dissent, Justice Clarence Thomas said that an “ordinary reader of the English language” would have concluded that the police sergeant in the case exceeded his “authorized access.” And he called the majority’s interpretation of the law “contrary to the plain meaning of the text.” He was joined by fellow conservatives Chief Justice John Roberts and Justice Samuel Alito.

The case in which the justices ruled involved Nathan Van Buren, a police sergeant in Cumming, Georgia. As part of his job, he had access to a law enforcement database of license plate and vehicle registration information. As part of an FBI sting operation Van Buren was asked to conduct a license plate search in exchange for money. After he ran the search, prosecutors charged him with fraud and with violating the Computer Fraud and Abuse Act.

Van Buren was convicted on both counts and sentenced to 18 months in prison. He argued the Computer Fraud and Abuse Act didn’t apply because he accessed a database that he was authorized to access.

Van Buren’s lawyer, Jeffrey Fisher, wrote in an email: “We’re very pleased with the Court’s opinion and are glad that the CFAA is now restricted to its proper reach.” A spokeswoman for the Department of Justice did not immediately respond to an email requesting comment.

The case is Van Buren v. United States, 19-783.

Related: Inside the Legislative and Regulatory Minefield Confronting Cybersecurity Researchers

Related: Countermeasure: Hack the Hacker?

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...