The Supreme Court has ruled that a police officer who searched a license plate database for an acquaintance in exchange for cash did not violate U.S. hacking laws.
The landmark ruling concludes a long-running case that clarifies the controversial Computer Fraud and Abuse Act, or CFAA, by putting limits on what kind of conduct can be prosecuted.
The court ruled 6-3 in favor of Nathan Van Buren, a former Georgia police sergeant who brought the case. Van Buren was prosecuted on two counts, one for accepting a kickback for accessing the database as a serving police officer, and another for violating the CFAA. His first conviction was overturned, but the CFAA conviction was upheld — until today.
Although Van Buren was allowed to access the license plate database, the legal question became whether or not he had exceeded his authorized access.
In the ruling, the Supreme Court said that the CFAA “covers those who obtain information from particular areas in the computer — such as files, folders, or databases — to which their computer access does not extend,” and that while Van Buren “plainly flouted” the police department’s rules for law enforcement purposes, he did not violate the CFAA, wrote Justice Amy Coney Barrett, who wrote the majority opinion.
The CFAA was signed into law in 1986 to prosecute hackers who gain “unauthorized” access to a computer or network. But courts have been split on what “unauthorized” means. Legal experts have argued that a broad reading of the law could criminalize violating a site’s terms of service, such as lying on a dating profile or sharing a password to a streaming service. The court said that the government’s interpretation of the law “would attach criminal penalties to a breathtaking amount of commonplace computer activity.”
Not all the justices agreed. “Without valid law enforcement purposes, he was forbidden to use the computer to obtain that information,” wrote Justice Thomas, who filed a dissenting opinion along with Justice Samuel Alito and Chief Justice John Roberts.
Civil liberties experts said Congress should act to amend the CFAA following the court’s ruling.
“This is an important and welcome decision that will help protect digital research and journalism that is urgently necessary. But more is needed,” said Alex Abdo, litigation director of the Knight First Amendment Institute. “Congress should amend the Computer Fraud and Abuse Act to eliminate any remaining uncertainty about the scope of the statute. It should also create a safe harbor for researchers and journalists who are working to study disinformation and discrimination online. Major technology companies should not have a veto over research and journalism that are manifestly in the public interest.”