Supreme Court narrows scope of CFAA computer hacking law
Catalin Cimpanu June 3, 2021

The United States Supreme Court has ruled today in a 6-3 vote to overturn a hacking-related conviction for a Georgia police officer, and by doing so, it also narrowed down the scope of the US’ primary hacking law, the Computer Fraud and Abuse Act.

The ruling, No. 19-783 [PDF], comes in the Van Buren v. United States case of Nathan Van Buren, a former police sergeant in Cumming, Georgia, who was sentenced to 18 months in prison in May 2018 for taking a bribe of $5,000 to look up a license plate for a woman one of his informants met at a local strip club.

Prosecutors charged Van Buren under the CFAA and argued that even if the police officer had been authorized to access the police database as part of his work duties, he “exceeded authorized access” when he performed a search that went against internal department policies.

In subsequent appeals, Van Buren argued that the “exceeds authorized access” language in the CFAA was too broad and requested that the US Supreme Court rule on the matter, a case the court decided to take up and for which it heard arguments last year.

CFAA was making criminals of all Americans

In a ruling delivered today, the court sided with Van Buren and overturned his 18-month conviction.

In a 37-page opinion written and delivered by Justice Amy Coney Barrett, the court explained that the “exceeds authorized access” language was, indeed, too broad.

Justice Barrett said the clause was effectively making criminals of most US citizens who ever used a work resource to perform unauthorized actions, such as updating a dating profile, checking sports scores, or paying bills at work.

What today’s ruling means is that the CFAA cannot be used to prosecute rogue employees who have legitimate access to work-related resources; such employees will need to be prosecuted under different charges.

The ruling does not apply to former employees accessing their old work systems because their access has been revoked and they’re not “authorized” to access those systems anymore.

Justices Barrett, Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh agreed, while justices Thomas, Roberts, and Alito dissented in a 6-3 vote.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.