Partner
In Brief: The US Supreme Court pretty much removed the stinger from the hornet that was Computer Fraud and Abuse Action (CFAA).
Here’s What Happened: The CFAA was passed in 1986 to address growing concerns about former employees and competitors inappropriately using computer information. The CFAA carried both civil and criminal penalties for exceeding authorized access to electronic information for an improper purpose. The two operative phrases are “exceeding access” and “improper purpose”. The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
Nathan Van Buren was a police sergeant in Georgia. His patrol car had a computer that could access a database with information about license plates. Nathan became buddies with Andrew Albo. The friendship blossomed despite warnings from the deputy chief of Nathan’s department that Andrew was a volatile person and to deal with him carefully. Nathan asked Andrew for a loan. Andrew went to the local sheriff and complained that Nathan was shaking him down. They went to the FBI who devised a sting operation to see how far Nathan would go for the money. Andrew asked Nathan to search the state law enforcement computer database for the license plate of a women Andrew supposedly met at a strip club. Andrew told Nathan that he wanted to be sure she wasn’t an undercover officer. In return for the information, Andrew promised to pay Nathan $5,000. Nathan searched the database and obtained an FBI created license plate entry. When he met up with Andrew to share the information, he was arrested under the CFAA for criminal computer fraud.
Nathan was convicted and he appealed to the Eleventh Circuit. He lost the appeal. The US Supreme Court agreed to hear the case because there was a split among the circuits as to how to interpret the CFAA.
The issue centered on the parties’ differing interpretations of the phrase “is not entitled so to obtain” within the statutory definition of “exceeds authorized access”.
Nathan argued that the phrase should be read narrowly. The government asserted that a broad reading would be more appropriate. Agreeing with Nathan, the Supreme Court reversed the Eleventh Circuit’s decision, finding that the phrase “is not entitled so to obtain” is “best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.”
The Supreme Court found that Nathan had not violated the CFAA because he had authority (1) to access the state law enforcement computer database; and (2) to use the database to search a license plate number and retrieve the corresponding record. Under this reading, the fact that Nathan had done this search for an improper purpose and in violation of his employer’s policy was entirely irrelevant, according to the Supreme Court.
WHY YOU SHOULD KNOW THIS: The goal of the CFAA was to have civil and criminal consequences for misusing access to computer data. After this decision, CFAA is so narrow that it’s pretty useless except in the case of an outside hacker. Consider the situation where a sales manager downloaded their former employer’s customer list to give to their new employer. The former employer would have to prove that the sales manager wasn’t authorized to access the customer list or the part of the employer’s data base that contained the customer list. That would be highly unlikely.
The CFAA was enacted in the ancient times of information technology. It’s time for Congress to amend the CFAA and bring it up to date.