Supreme Court Pares Back Anti-Hacking Law

In a closely watched case, the Supreme Court Thursday voted 6-3 to narrow the scope of a 1980s-era anti-hacking law.

Writing for the majority, Justice Amy Coney Barrett said former police sergeant Nathan Van Buren didn't violate the Computer Fraud and Abuse Act by allegedly accessing an official database for non-work reasons. That law prohibits people from exceeding their authorized access to computer servers.

Van Buren was charged with running afoul of the anti-hacking law by accepting a $5,000 bribe to access a license-plate database in order to look up information about a woman. (The person who offered the bribe said he was trying to research a woman he met at a strip club. In actuality, the briber was working undercover with the FBI.)

While Van Buren was authorized to access the database, he violated an internal police department policy by using the information for purposes other than law enforcement.

A jury found Van Buren guilty, and the 11th Circuit upheld his conviction.

The Supreme Court reversed, essentially ruling that Van Buren's violation of his employer's policies didn't invalidate his authorization to access the database.

“In sum, an individual 'exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer -- such as files, folders, or databases -- that are off limits to him,” Barrett wrote. “The parties agree that Van Buren accessed the law enforcement database system with authorization. The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could.”

She noted in the opinion that a contrary interpretation of the law could transform many everyday activities into crimes.

“If the 'exceeds authorized access' clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals,” she wrote.

For instance, she wrote, if people could violate the anti-hacking law by flouting a website's terms of use, then “everything from embellishing an online-dating profile to using a pseudonym on Facebook” might be a crime.

The dispute drew the attention of numerous outside organizations, including the Reporters Committee for Freedom of the Press, the Knight First Amendment Institute, Mozilla, tech news site the Markup and digital rights groups including the Electronic Frontier Foundation.

Those organizations sided with Van Buren, arguing in friend-of-the-court briefs that a broad interpretation of the Computer Fraud and Abuse Act could harm news-gathering as well as research.

The Reporters Committee for Freedom of the Press specifically said a broad interpretation of the law would allow prosecutors to charge journalists who scrape data with exceeding their authorized access to a website, if the site bans scraping in its terms of service.

The Electronic Privacy Information Center was among the groups that sided against Van Buren, arguing in a friend-of-the-court brief that the anti-hacking law should apply when people access government databases for improper purposes.

The Knight First Amendment Institute on Thursday praised the result in the case, but suggested there are still unanswered questions about the law.

“Congress should amend the Computer Fraud and Abuse Act to eliminate any remaining uncertainty about the scope of the statute,” Alex Abdo, litigation director of the Knight First Amendment Institute, stated. “It should also create a safe harbor for researchers and journalists who are working to study disinformation and discrimination online. Major technology companies should not have a veto over research and journalism that are manifestly in the public interest.”
