SCOTUS Opinion: Court Narrows Scope of Computer Fraud and Abuse Act of 1986

The Computer Fraud and Abuse Act of 1986 imposes criminal liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U.S.C. sec. 1030(a)(2). The Act defines “exceeds authorized access” as meaning that a person accesses a computer with authorization, but uses that access to obtain or alter information that the person was not authorized to access or alter. In Van Buren v. United States, a police sergeant used his patrol car computer to access a law enforcement database and get information about a license plate in exchange for money. The bribe was part of an FBI sting operation, and the officer was charged with a violation of the Act. The officer argued that he did not “exceed authorized access” because he had access to license plate information as a police officer, and the Act does not extend to those that misuse their authorized access. The officer was convicted by the district court and the Eleventh Circuit upheld the conviction.

The Court, resolving a split among the Circuits as to the scope of the Act, ruled 6-3 that the officer was correct—the Act only prohibited information obtained from a computer that was beyond the authorization credentials of the accessor, and did not criminalize the misuse of information the accessor had authorization to get to. Relying on the text of the Act and its definition of “exceeds authorized access,” the majority opinion by Justice Barrett concluded that the government’s interpretation was overly broad and “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” Justice Thomas, joined by Chief Justice Roberts and Justice Alito, dissented, arguing that the officer exceeded his authorized access under the Act when “he used it under circumstances that were expressly forbidden[.]”

A link to the opinion is here: https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf