The Supreme Court Narrowed the CFAA
In a 6-3 ruling, the Supreme Court just narrowed the scope of the Computer Fraud and Abuse Act:
In a ruling delivered today, the court sided with Van Buren and overturned his 18-month conviction.
In a 37-page opinion written and delivered by Justice Amy Coney Barrett, the court explained that the “exceeds authorized access” language was, indeed, too broad.
Justice Barrett said the clause was effectively making criminals of most US citizens who ever used a work resource to perform unauthorized actions, such as updating a dating profile, checking sports scores, or paying bills at work.
What today’s ruling means is that the CFAA cannot be used to prosecute rogue employees who have legitimate access to work-related resources, which will need to be prosecuted under different charges.
The ruling does not apply to former employees accessing their old work systems because their access has been revoked and they’re not “authorized” to access those systems anymore.
More.
It’s a good ruling, and one that will benefit security researchers. But the confusing part is footnote 8:
For present purposes, we need not address whether this inquiry turns only on technological (or “code-based”) limitations on access, or instead also looks to limits contained in contracts or policies.
It seems to me that this is exactly what the ruling does address. The court overturned the conviction because the defendant was not limited by technology, but only by policies. So that footnote doesn’t make any sense.
I have written about this general issue before, in the context of adversarial machine learning research.
echo • June 7, 2021 7:52 AM
I personally felt it was a stupid court decision but this is more a comment on the US legal system as a whole than this one case. The basic law itself was correct and no, there is no real difference between a technological or policy rule because they are both rules even if they are different forms of rules. The issue really is the threshold between criminality and civil case, and whether there is a case to answer and, if there is a case to answer, whether it is in the public interest or not.
The UK has the Computer Misuse Act which isn’t much different. The US is a hybrid legal system of civil and common law. The US system can be both a bit literal in legal practice and also the non-legal “soft law” which is more about institutional practices and attitudes. If you judge every single case in the most literal sense against the law as read then pretty much everyone, even if it is an accident or simply a means to an end to achieve a proportional and legitimate purpose enabled by other law and policy, will land in jail. This is because all the other steps necessary to evaluate things at a prosecutorial level were not taken. Funnily enough the US Supreme Court takes the exact opposite view with copyright and “fair use”. Fair use requires a number of steps to be taken. You cannot just use something because you see it, and if those steps are not taken then even if reproduction is covered by fair use the reproduction will be unlawful. Why the court did not see that the act was being imposed in a literal way without any due process considering criminal intent and civil liability I do not know, but then I am a European not a US lawyer.
I still believe Bruce was wrong to have my post on the US military banning the pride flag deleted without consideration or examination of the legal argument and I am never going to forgive him for this. And by never I really do mean never. There are some things I do not forgive and this is one of them.
Congratulations. You now have a computer misuse law which allows criminals and human rights abusers including those with professional standards and duties of care to uphold with access to sensitive information within a human rights context to get off.
Pass the equality act.