The ruling clarifies the scope of the Computer Fraud and Abuse Act of 1986 (CFAA) and what kind of conduct can be prosecuted. The CFAA became law after the US government found cybercrimes and hacking were not sufficiently addressed by legislation at the time.
The case arose after the Federal Bureau of Investigation caught former Georgia police officer, Nathan Van Buren, using his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. When making the search, Van Buren used his own, valid credentials.
After Van Buren was first charged, a US District Court convicted him of two charges: Violating police department policy of obtaining database information for a personal purpose and violating the CFAA by using a computer network in a way contrary to his job.
Van Buren appealed those charges, however, which eventually brought the case to the US Supreme Court and its judgment.
At the Supreme Court, the justices ruled 6-3 in favour of Van Buren as he had access to the database as part of his valid credentials.
When making that ruling, the justices framed their judgment on whether Van Buren “exceeded his authorised access” when accessing the license plate database.
“In the computing context, ‘access’ references the act of entering a computer ‘system itself’ or a particular ‘part of a computer system,’ such as files, folders, or databases,” Justice Amy Coney Barrett said, who wrote the majority opinion.
“It is thus consistent with that meaning to equate ’exceed[ing] authorised access’ with the act of entering a part of the system to which a computer user lacks access privileges.”
The three judges who dissented against the decision, Justices Clarence Thomas, Samuel Alito, and John Roberts, believed that Van Buren did breach the hacking laws as he was forbidden from using the computer to obtain the licence information.
“Van Buren’s conduct was legal only if he was entitled to obtain that specific license-plate information by using his admittedly authorised access to the database. He was not. A person is entitled to do something only if he has a ‘right’ to do it,” Thomas wrote in his dissenting opinion.
In making the dissent, Thomas analogised Van Buren’s conduct to an employee pulling an alarm for a self-motivated reason or a valet accessing a patron’s car and then proceeding to go on a joyride.
“An employee who is entitled to pull the alarm in the event of a fire is not entitled to pull it for some other purpose, such as to delay a meeting for which he is unprepared,” Thomas wrote.
With the judgment, the CFAA charge against Van Buren has been dropped, while the charge for violating department policy remains intact.