Supreme Court Holds Lawfully Accessing A Computer Database For An “Improper Purpose” Is Not A Crime
Computer hacking has been a known problem since the advent of computers themselves. When a person improperly gains access to a computer system, they violate federal law, specifically the Computer Fraud and Abuse Act (CFAA) of 1986. The CFAA also makes it a crime to “exceed[] authorized access” to a computer system. In other words, if you log on to your work computer using valid employee credentials, but then attempt to access any files that you were not authorized to see, then you have still committed a crime.
The U.S. Supreme Court recently addressed a related question: Does a person violate the CFAA if they use a computer system to access information that is available to them but their reasons for doing so were improper?
The case before the justices, Van Buren v. United States, involved a former police officer from Georgia. The federal government charged the defendant with violating the CFAA after he used his access to Georgia’s state law enforcement computer database to search for a license plate that belonged to a particular woman. The defendant executed this search at the behest of another man, who said he was looking for the woman, whom he suspected was an undercover police officer. The man offered the defendant $5,000 to perform the search.
As it turned out, there was no woman. The FBI created a fake entry in the database as part of a sting against the officer. For his part, the man had previously reported the defendant to the local sheriff, alleging the defendant was trying to “shake him down” for money.
In court, the government pointed to police department policies, which expressly forbade officers from using the database for “an improper purpose” which included “any personal use.” By violating the policy, the government reasoned, the defendant also violated the CFAA, since his actions effectively exceeded his “authorized access” to the database. A jury accepted this argument and convicted the defendant, who then received an 18-month prison sentence.
The Supreme Court threw out the conviction. It held that the language of the CFAA only covered situations where a person “accesses a computer with authorization but then obtains information located in particular areas of the computer–such as files, folders, or databases–that are off-limits to [them].” Here, there was no question the defendant had the authority to access the database and the specific file he searched for. But the CFAA says nothing about accessing files for an “authorized purpose.” In other words, the defendant’s motives may have been improper and a breach of department policy, but it did not violate federal law.
Speak with Orlando Criminal Defense Lawyer Jose Baez Today
At first glance, you may wonder why this decision matters. As the Court explained in its opinion, to read an “improper purpose” prohibition into the CFAA would “attach criminal penalties to a breathtaking amount of commonplace computer activity.” For example, many businesses have policies banning the use of company computers for personal use by employees. But under the government’s proposed CFAA definition in this case, an employee would conceivably commit a felony if they sent a personal email from a work computer. Similarly, a user who violates a website’s terms of service–say, posting a tweet that violates Twitter rules–could also technically face felony charges for “unauthorized access.” In short, the Court’s opinion creates an important restraint on prosecutors who might have otherwise sought to criminalize everyday conduct by law-abiding citizens.
If you have been charged with any type of white collar crime, including a computer-related offense, and need legal representation, contact the Orlando white collar crime lawyers at the Baez Law Firm today.
Source:
supremecourt.gov/opinions/20pdf/19-783_k53l.pdf