The United States Supreme Court has ruled that a police officer who received money for obtaining data from a law-enforcement database for an associate did not violate a controversial federal hacking law, marking a victory for the ethical hacking community by limiting the law’s scope.
In a landmark ruling in Van Buren v. United States, the court ruled that former Georgia police sergeant Nathan Van Buren did not violate the Computer Fraud and Abuse Act of 1986 (CFAA) when he accessed a police database to retrieve information about a license plate in exchange for $6,000 in cash.
Judges ruled in a 6-3 decision–which now limits the scope of the CFAA–that because Van Buren used his own credentials to access the information, he did not violate the law, “which subjects to criminal liability anyone who ‘intentionally accesses a computer without authorization or exceeds authorized access,’” according to the ruling.
The court pointed to a number of structural issues with the law which go against the federal case for contending that Van Buren violated the CFAA. One of the keys to the decision is the phrase “exceeds authorized access,” which would suggest Van Buren overstepped his authority as a police officer in accessing the database that held the information that was exchanged, according to the ruling.
“The relevant question, however, is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase,” according to the ruling. “For reasons given elsewhere, he did not.”
The case stems from an occurrence in which the FBI caught Van Buren using the computer in his patrol car to access the Georgia Crime Information Center (GCIC) database to obtain license-plate information in exchange for a cash payment from a person known to have ties to criminal activity.
Though he used his own valid credentials to access the database, Van Buren’s reason for using the computer was not consistent with performing his duties as a police officer, and he was brought up on federal criminal charges.
The U.S. District Court for the Northern District of Georgia convicted him on two charges– violating his department’s policy by obtaining database information for a personal purpose and violating the CFAA by using a computer network for purposes other than his police-officer duties. Van Buren was sentenced to 18 months in prison.
The officer appealed the conviction to the U.S. Court of Appeals for the Eleventh Circuit, where it was upheld. Eventually, it reached the Supreme Court and its aforementioned ruling in favor of Van Buren. The Supreme Court did uphold the previous judgment that Van Buren’s actions violated his department’s policy, however.
Ramifications and Dissent
The case is an important one especially for the ethical hacking community, for whom the CFAA has been historically troubling due to some of its wording, which could be interpreted in an over-reaching way to convict them of violating the law, security experts have said.
The Electronic Frontier Foundation (EFF) went a step further and declared the ruling “a victory for all internet users,” saying that it should now prevent misuse of the CFAA to “prosecute beneficial and important online activity,” according to a blog post published Thursday.
“It affirmed that online services cannot use the CFAA’s criminal provisions to enforce limitations on how or why you use their service, including for purposes such as collecting evidence of discrimination or identifying security vulnerabilities,” according to the post, written by EFF Senior Staff Attorney Aaron Mackey and Deputy Executive Director and General Counsel Kurt Opsahl. “It also rejected the use of troubling physical-world analogies and legal theories to interpret the law, which in the past have resulted in some of its most dangerous abuses.”
The three judges who disagreed with the ruling–Chief Justice Clarence Thomas and Justices Samuel Alito and John Roberts—believed that Van Buren breached the CFAA because he was forbidden to obtain the license-plate information for anything other than law-enforcement purposes.
“A person is entitled to do something only if he has a ‘right’ to do it,” according to the dissenting opinion, penned by Justice Roberts. “Van Buren never had ‘a right’ to use the computer to obtain the specific license-plate information. Everyone agrees that he obtained it for personal gain, not for a valid law-enforcement purpose.”
Join Threatpost for “A Walk On The Dark Side: A Pipeline Cyber Crisis Simulation”– a LIVE interactive demo on Wed, June 9 at 2:00 PM EDT. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and Register HERE for free.