Ruling Demonstrates Need for Other Checks on Government Misconduct
Are the police breaking the law when, using their official credentials, they access a database for an illicit purpose? This week, in a 6-3 decision, the Supreme Court said no.
In 1986, in response to rising cybercrime, Congress passed the Computer Fraud and Abuse Act (CFAA) to impose criminal punishment on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.”
Nathan Van Buren, while a Georgia police sergeant, ran afoul of the CFAA when he conducted a license-plate search on a law enforcement database in exchange for a bribe. Because his department’s policy authorized him to access the database only for law enforcement purposes, Van Buren was convicted for “exceed[ing his] authorized access” and sentenced to 18 months’ imprisonment.
Van Buren appealed to the Eleventh Circuit, arguing that CFAA only applies to those who obtain information to which their authorized access did not extend. The Eleventh Circuit disagreed, adopting a broader view of the statute under which someone exceeds authorized access when that person intentionally accesses information within the scope of one’s credentials, but for an inappropriate reason.
Justice Barrett, writing for the majority, rejected that broader view as contrary to the language of the statute. Interpreting the CFAA definition of “authorized access” as creating a simple “gates-up-or-down” inquiry, she concluded that the statutory language imposed criminal liability only when a person accessed a computer system—or areas within that system—beyond what their official credentials would allow. Because Van Buren’s license-plate search violated his departmental policy but was performed with valid credentials, he did not exceed his authorized access under the CFAA.
Justice Barret’s opinion warned that a broader reading of the CFAA could have the effect of “criminaliz[ing] every violation of a computer-use policy”—potentially subjecting “millions of otherwise law-abiding citizens” to criminal punishment for relatively harmless acts like sending personal emails or checking the news on a work computer.
Nevertheless, the Court’s ruling has the effect of immunizing bad-faith government actors who abuse their official computer- and database-access.
The Supreme Court’s decision highlights a critical need for other enforcement tools to check government misconduct.
While PPSA recognizes both the legal and policy reasons underlying the Court’s decision, Van Buren removes the threat of criminal prosecution as a deterrent to government computer-search abuses. If the CFAA’s broad criminal liability is too sweeping a tool to prevent the ever-present danger of government overreach, then clearly a more appropriate mechanism is needed. New legislation, perhaps targeted just to official government misconduct, could avoid overcriminalization while giving official-use policies some needed teeth.