The Supreme Court has issued a ruling limiting what is considered a felony under the Computer Fraud and Abuse Act (CFAA).
This was exemplified in the case of Nathan Van Buren, a former Georgia police sergeant, who used his own login credentials to obtain information about a license plate from a law enforcement database.
The sergeant searched for money and purposes outside of law enforcement, in direct violation of department policy. He was charged with a crime under the CFAA, convicted in May 2018 and sentenced to 18 months in prison.
The federal appeals court upheld the decision, only to be overturned by the Supreme Court in a 6-3 decision that said Van Buren had not violated the CFAA.
Judges noted that the Cybersecurity Act does not make it a crime to obtain information from a computer if the person has access to a machine despite improper motives.
This landmark ruling could have a ripple effect on government prosecutions.
The CFAA originally banned access to certain financial information but has since expanded the scope to include all information that comes from or influences a computer used in interstate or foreign trade and communications.
Violations of the CFAA result in a substantial fine and imprisonment that can last up to 10 years. Persons who suffer loss or damage due to CFAA violations can also seek damages.
When Van Buren appealed his conviction to the U.S. Court of Appeals, he argued that the “exceeds authorized access” clause in the CFFA applies only to those who have received information to which their computer access does not extend, and not to those who misuse existing access.
While the appeals court ruled against it, the Supreme Court agreed with Van Buren’s argument.
The case revolved around the word: as used in the CFAA’s prohibition on obtaining or modifying information on a computer committed by the access that is not authorized to receive or modify information.
The majority of the court disagreed with the government, because the statute is structured in such a way, and “because without ‘so,’,” it could be interpreted as containing all kinds of restrictions on the right to information.
For more information, read the original story in Arstechnica.
