Thursday, June 3, 2021
The Supreme Court issued the Van Buren case this morning, providing a strict interpretation to the words "intentionally accesses a computer without authorization or exceeds authorized access." It's a 6-3 decision with an odd mix of the players. Writing the majority opinion is Justice Barrett, joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh. On the dissent writing the opinion is Justice Thomas, joined by Chief Justice Roberts and Justice Alito. In summary, the opinion holds:
"In sum, an individual 'exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer - such as files, folders, or databases - that are off limits to him. The parties agree that Van Buren accessed the law enforcement database system with authorization. The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could. Van Buren accordingly did not 'excee[d] authorized access' to the database, as the CFAA defines the phrase, even though he obtained information from the database for an improper purpose. We therefore reverse the contrary judgment of the Eleventh Circuit and remand the case for further proceedings consistent with this opinion."
So the question will be asked whether the Computer Fraud and Abuse Act should be rewritten to cover this conduct? Or perhaps civil remedies may be more appropriate here? Or should this be left to employment law?
With the importance of cybersecurity today, and the importance of focusing on those breaking into crucial computer systems, it seems like both the government and private industry need to be important gatekeepers in protecting information. This decision lets everyone know what is criminal under the statute and what is not, and now it needs to be determined how to better manage computer security.