The Supreme Court has significantly limited the scope of the country’s main cybercrime law, limiting a tool that civil liberties advocates say federal prosecutors have abused by seeking prison time for minor computer misdeeds.
According to the 6-3 decision issued on Thursday, federal prosecutors can no longer use the 1986 Computer Fraud and Abuse Act to charge people who misused databases to which they are otherwise entitled. The decision comes six months after justices expressed concern that the government’s broad interpretation of the law could put people in danger for doing something as simple as checking social media on their work computers, with Justice Neil Gorsuch saying prosecutors’ view risked “making a federal criminal of us all.”
The court’s three Trump appointees, who are also the court’s newest justices, joined the court’s three liberals in rejecting the Justice Department’s interpretation of the statute in an unusual lineup. The majority opinion, written by Justice Amy Coney Barrett, is largely devoted to a meticulous parsing of the language of the statue. She did, however, point out the dangers of the approach advocated by prosecutors. While insisting that the court made its decision solely on the basis of reading the statute and not considering its potential consequences, Barrett agreed with critics who said the broader interpretation would “criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.”
In his dissent, Justice Clarence Thomas argued that the majority’s reading was contrived and incorrect. He also stated that there are many areas of law where permission to do something for one purpose does not imply permission to do it for another.
“For example, a valet may take possession of a person’s car to park it, but he cannot take it for a joyride,” Thomas wrote in an opinion joined by Chief Justice John Roberts and Justice Samuel Alito.
Thomas also pointed out that most violations of the law are misdemeanors, and he stated that the statute’s breadth is no reason to misinterpret it. “Much of the Federal Code criminalizes ordinary conduct,” he wrote. “It’s understandable to be concerned about so much conduct being criminalized, but that doesn’t give us the authority to change the law.” Previous legal controversies included a two-year prison sentence for a journalist who assisted hackers in defacing the Los Angeles Times website and, most infamously, a prosecution that resulted in the suicide of a prominent internet freedom activist who faced decades in prison for downloading millions of scientific journal articles.
Van Buren v. United States, the case decided on Thursday, involved a former police officer who was convicted of violating the CFAA for searching a license plate database in exchange for a bribe as part of an FBI sting operation.
The officer appealed his conviction, claiming that the law did not cover unauthorized use of a computer system that he was permitted to access as part of his job.
The Supreme Court agreed, declaring Nathan Van Buren’s conviction unconstitutional.
A broad coalition of technology experts, civil-society activists, and transparency advocates had flooded the high court with amicus briefs as it considered its first-ever case involving the law.
According to the National Whistleblower Center, applying the CFAA to any unauthorized use of computer data will result in “retaliation against whistleblowers who provide evidence of criminal fraud and other criminal activity” to authorities. According to the libertarian Americans for Prosperity Foundation, the government’s interpretation of the law would cover “violations of the fine print in website terms of service, company computer-use policies, and other breaches of contract,” and would “wrongly criminalize a wide swath of innocent, innocuous conduct.”
However, proponents of broad implementation of the CFAA argued that it was necessary to combat insider threats to sensitive computer systems in businesses and government agencies. The Federal Law Enforcement Officers Association told the court that narrowing the law “would give anyone with legitimate access to the data carte blanche to access and use (or, in many cases, destroy) that data for any manifestly blameworthy reason they choose.”