In an important 6-3 decision, the Supreme Court pushed back against prosecutorial overreach in computer-related misconduct. What's most interesting about the case is the breakdown among the justices: On one side, all five justices appointed since 2008 — by Barack Obama and by Donald Trump — plus Justice Stephen Breyer; on the other side, three conservative justices appointed before 2005, two by George W. Bush and one by George H.W. Bush. Generational change is afoot on the Supreme Court, at least with respect to cases involving computers.
At issue in the case, Van Buren v. U.S., was the scope and meaning of the Computer Fraud and Abuse Act, enacted in the aftermath of the 1983 movie "WarGames" and the emergence of fears about hacking.
The relevant sections of the law first say that someone who "exceeds authorized access" on a computer commits a crime. Then the law defines exceeding authorized access to mean accessing a computer with authorization "to obtain information … that the accesser is not entitled so to obtain."
The Department of Justice's interpretation of exceeding authorized access was literal. The government took the view that anyone who was using a computer system with authorization but then broke the rules set by whoever granted access was committing a felony.
Seen through the lens of ordinary criminal law interpretation, this reading of the law was not impossible. There are plenty of situations where we want to grant someone the right to do or use something in one way, but not another. Criminal law can and sometimes does enforce partial authorization.
Take the facts of the Van Buren case. Van Buren was a police sergeant in Georgia who took a bribe of $5,000 to look up a license plate in a police database and see if it was registered to an undercover police officer. Unfortunately for Van Buren, the bribe was part of an FBI sting operation.
As a cop, Van Buren was authorized to check the database. He obviously wasn't authorized to check it for the criminal purpose of outing an undercover officer. To the Justice Department, that meant his act was a felony under the CFAA.
The problem with the government's interpretation is that, in the hands of aggressive prosecutors, this reading of the law could criminalize every violation of terms of service set by any platform or app. As various parties before the court pointed out, in particular computer crime scholar Orin Kerr, whom the court cited, reading the law the government's way would even criminalize "embellishing an on-line dating profile."