Supreme Court Issues Ruling Limit Under CFAA

Share post:

The Supreme Court has issued a ruling limiting what is considered a felony under the Computer Fraud and Abuse Act (CFAA).

This was exemplified in the case of Nathan Van Buren, a former Georgia police sergeant, who used his own login credentials to obtain information about a license plate from a law enforcement database.

The sergeant searched for money and purposes outside of law enforcement, in direct violation of department policy. He was charged with a crime under the CFAA, convicted in May 2018 and sentenced to 18 months in prison.

The federal appeals court upheld the decision, only to be overturned by the Supreme Court in a 6-3 decision that said Van Buren had not violated the CFAA.

Judges noted that the Cybersecurity Act does not make it a crime to obtain information from a computer if the person has access to a machine despite improper motives.

This landmark ruling could have a ripple effect on government prosecutions.

The CFAA originally banned access to certain financial information but has since expanded the scope to include all information that comes from or influences a computer used in interstate or foreign trade and communications.

Violations of the CFAA result in a substantial fine and imprisonment that can last up to 10 years. Persons who suffer loss or damage due to CFAA violations can also seek damages.

When Van Buren appealed his conviction to the U.S. Court of Appeals, he argued that the “exceeds authorized access” clause in the CFFA applies only to those who have received information to which their computer access does not extend, and not to those who misuse existing access.

While the appeals court ruled against it, the Supreme Court agreed with Van Buren’s argument.

The case revolved around the word: as used in the CFAA’s prohibition on obtaining or modifying information on a computer committed by the access that is not authorized to receive or modify information.

The majority of the court disagreed with the government, because the statute is structured in such a way, and “because without ‘so,’,” it could be interpreted as containing all kinds of restrictions on the right to information.

For more information, read the original story in Arstechnica.


Related articles

Cyber Security Today, Week in Review for week ending May 24, 2024

Welcome to Cyber Security Today. I'm Howard Solomon, contributing reporter on cybersecurity for My guest this week is...

Cyber Security Today, May 24, 2024 – A threat actor leverages Windows BitLocker in ransomware attacks, beware of ORB networks, and more

A threat actor leverages Windows BitLocker in ransomware attacks, beware of ORB networks, and more. Welcome to Cyber Security...

Canada centralizing cybersecurity efforts of federal IT departments

Federal departments and agencies are making only marginal progress in improving their cyber maturity, Ottawa said Wednesday as...

US federal government no longer requires degree for cybersecurity jobs. Hashtag Trending Wed May 1st

The US federal government relaxes the requirement for university degrees for cyber security professionals, a new study finds...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways