Computer Crime Law Scrutinized at Supreme Court

(AP Photo/Wilfredo Lee, File)

WASHINGTON (CN) — The U.S. Supreme Court heard arguments Monday over whether a police officer broke a federal computer crime law when he accessed a government database to check a license plate for someone who bribed him.

Nathan Van Buren was working as a law enforcement officer in Georgia in 2015 when he was propositioned by a man supposedly known to frequent prostitutes to search the license plate number of a car belonging to a potential companion. In exchange, Van Buren was given $6,000 to ferret out whether the woman was a police officer.

After the request was revealed to be part of an FBI sting operation, Van Buren was charged with violating the Computer Fraud and Abuse Act, or CFAA. He was charged with violating a specific section of the law – Section 1030(a)(2) – that outlines the criminality of fraudulent access with authorized use.

Disputing the charge, Van Buren argued accessing sensitive information with permission – even for an improper purpose – did not run afoul of Section 1030(a)(2) or the authorization given to him by the police department.

But a jury didn’t buy the argument and convicted him in October 2017. He was sentenced to 18 months in prison. The 11th Circuit rejected Van Buren’s appeal, prompting him to take his case to the nation’s top court.

Jeffrey Fisher, an attorney with the Stanford Law School Supreme Court Litigation Clinic representing Van Buren, argued Monday that a violation of the CFAA depends on the authorized access given to the individual.

In a brief to the court, Fisher claimed the 11th Circuit’s “expansive interpretation of the CFAA” could criminalize a litany of innocuous behavior, such as using work PCs to create NCAA men’s basketball tournament brackets.

In response to a hypothetical from Justice Elena Kagan, Fisher said even checking Instagram at work could be a violation of the CFAA on the basis that it could be seen as accessing unauthorized information, if the scope of authorized information is not clearly defined.

“It’s obtaining information because you are literally obtaining the words or pictures out of Instagram,” the attorney said. “It would violate the government’s rule because the employee would be, at least theoretically, prohibited from using her work computer for personal reasons.”

Justice Neil Gorsuch said there are several potential disadvantages to interpreting the CFAA broadly, noting other criminal laws could cover conduct not specifically outlined in the statute.

Fisher agreed, pointing to a Georgia law related to hacking or misusing computer information.

“The government gave few hypotheticals in its brief and almost every one of them is already addressed by some other provision in the U.S. code, let alone state law,” Fisher said.

Deputy Solicitor General Eric Feigin argued for the government and said the issue of whether Van Buren had access to the license plate search function before he used it for an unauthorized purpose was irrelevant.

He posed the hypothetical of an employee with access to a warehouse used to store work material who takes those items for personal use.

“Section 1030 uses the same language to extend the same property-based protections to the private computer records that contain our most sensitive, financial, medical and other data,” Feigin said. “Petitioner is trying to gut the statute and leave all of that data at the mercy of anyone who ever has any legitimate ground to see it under any circumstance.”

But Chief Justice John Roberts asked whether someone violates the CFAA when they break a workplace’s authorization policy or even a website’s terms of use. Feigin replied that it wouldn’t be a violation in the case of a website that does not require credentials.

“What Congress was aiming at here were people who are specifically trusted, people akin to employees, the kind of person that’s actually been specifically considered and individually authorized,” Feigin said.

%d bloggers like this: