The Supreme Court has sharply curtailed the scope of the nation’s main cybercrime law, limiting a tool that civil liberties advocates say federal prosecutors have abused by seeking prison time for minor computer misdeeds.
The 6-3 decision handed down Thursday means federal prosecutors can no longer use the 1986 Computer Fraud and Abuse Act to charge people who misused databases they are otherwise entitled to access. The ruling comes six months after justices expressed concern that the government’s sweeping interpretation of the law could place people in jeopardy for activities as mundane as checking social media on their work computers, with Justice Neil Gorsuch saying prosecutors’ view risked “making a federal criminal of us all.”
In an unusual lineup, the court’s three Trump appointees — who are also the newest justices — joined the court’s three liberals to reject the Justice Department’s interpretation of the statute.
The majority ruling, written by Justice Amy Coney Barrett, is largely devoted to a meticulous parsing of the statue’s language. However, she also noted the dangers of the approach prosecutors have advocated.
“The Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity,” Barrett wrote. “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.”
While insisting that the court arrived at its ruling based solely on reading the statute, and not considering its potential effects, Barrett concurred with critics who said the broader interpretation would “criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.”
In dissent, Justice Clarence Thomas said the majority’s reading was contrived and off-base. He also said there are many areas of law where permission given to do something for one purpose does not imply permission for an unrelated purpose.
“A valet, for example, may take possession of a person’s car to park it, but he cannot take it for a joyride,” Thomas wrote in an opinion joined by Chief Justice John Roberts and Justice Samuel Alito.
Thomas also noted that violations of the law are typically a misdemeanor, and he said the breadth of the statute is no reason to misread it. “Much of the Federal Code criminalizes common activity,” he wrote. “It is understandable to be uncomfortable with so much conduct being criminalized, but that discomfort does not give us authority to alter statutes.”
Past controversies involving the law included a two-year prison sentence for a journalist who helped hackers deface the Los Angeles Times’ website and, most notoriously, a prosecution that led to the suicide of a prominent internet freedom activist who faced the possibility of decades behind bars for downloading millions of scientific journal articles.
The case decided on Thursday, Van Buren v. United States, involved a former police officer convicted of violating the CFAA for searching a license plate database in exchange for a bribe as part of an FBI sting operation. The officer appealed the conviction, arguing that the law did not cover the unauthorized use of a computer system that the user was allowed to access as part of his job.
The Supreme Court agreed, holding that Nathan Van Buren’s conviction was invalid.
A broad coalition of technology experts, civil-society activists and transparency advocates had poured amicus briefs into the high court as it considered its first-ever case involving the law.
The National Whistleblower Center warned that applying the CFAA to any unauthorized use of computer data would invite “retaliation against whistleblowers who provide evidence of criminal fraud and other criminal activity” to authorities. The libertarian Americans for Prosperity Foundation said the government’s interpretation of the law would cover “violations of the fine print in website terms of service, company computer-use policies, and other breaches of contract” and “wrongly criminalize a wide swath of innocent, innocuous conduct.”
Free-press advocates warned that a ruling for the government “would significantly chill First Amendment activity,” while technologists said it would allow prosecutors to go after good-faith security researchers attempting to raise awareness of digital vulnerabilities.
But supporters of the broad use of the CFAA said it was necessary to combat insider threats facing businesses and government agencies’ sensitive computer systems. Narrowing the law “would allow any person who has legitimate access to the data carte blanche to access and use (or indeed in many cases destroy) that data for any manifestly blameworthy reason they choose,” the Federal Law Enforcement Officers Association told the court.