Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
United States Security The Courts

Supreme Court Narrows Scope of CFAA Computer Hacking Law (therecord.media) 79

The United States Supreme Court has ruled today in a 6-3 vote to overturn a hacking-related conviction for a Georgia police officer, and by doing so, it also narrowed down the scope of the US' primary hacking law, the Computer Fraud and Abuse Act. From a report: The ruling, No. 19-783, comes in the Van Buren v. United States case of Nathan Van Buren, a former police sergeant in Cumming, Georgia, who was sentenced to 18 months in prison in May 2018 for taking a bribe of $5,000 to look up a license plate for a woman one of his informants met at a local strip club. Prosecutors charged Van Buren under the CFAA and argued that even if the police officer had been authorized to access the police database as part of his work duties, he "exceeded authorized access" when he performed a search against department internal policies. In subsequent appeals, Van Buren argued that the "exceeds authorized access" language in the CFAA was too broad and requested that the US Supreme Court rule on the matter, in a case the court decided to pick up and heard arguments last year.
This discussion has been archived. No new comments can be posted.

Supreme Court Narrows Scope of CFAA Computer Hacking Law

Comments Filter:
  • by thaylin ( 555395 ) on Thursday June 03, 2021 @11:17AM (#61450858)

    I am glad they ruled on it narrowly, making AUPs a felony would just be stupid.

    • Exactly right. Some other pertinent details from the article:

      What today’s ruling means is that the CFAA cannot be used to prosecute rogue employees who have legitimate access to work-related resources, which will need to be prosecuted under different charges.

      The ruling does not apply to former employees accessing their old work systems because their access has been revoked and they’re not “authorized” to access those systems anymore.

      Basically, no more making felons of anyone and everyone who fell afoul of an IT policy that said, "you are authorized to use it, just not in that way that we don't like" nonsense. As the ruling pointed out, the law's language was so broad that it basically made felons of anyone who has ever checked a personal email account from a work PC. It still preserves the restrictions against people who aren't supposed to be accessing systems in the first pl

      • Re: (Score:3, Insightful)

        Thomas is known to always side with the authoritarians, powerful people and against the little guy. Roberts is a surprise, he is quite sensible. Alito is a wannabe Thomas but does not have a thick enough skin to be one.
        • Flamebait? ... this.? .. this thing that is not even 1% of what my usenet trolling skills ....

          aww... come on....

        • Thomas is consistently pro second amendment, which is not consistent with your claim.

          Ginsburg on the other hand was consistently against the second amendment, but very much for more Federal power.

          • He sides with the corporations. Shielding gun makers from liability and such stuff. Thomas is also blatantly political. He would go down as one of the worst justices ever. History will not be kind to him, nor his ardent supporters.
        • Except for qualified immunity. Thomas has some idiosyncratic issue with QI and frequently advocates abolishing it. Interestingly, since we know he's against it, certain cert decisions have let us infer that at least 1 justice on the liberal side is completely uninterested in even limiting it.
          If you told me this came out 6-3, I'd have switched Roberts for Kavanaugh. Both of them surprised me there.
      • by Luthair ( 847766 )

        I don't think this is that simple. Often people need to be given broad access because (like for police) there is no practical way the system can restrict access to the real world context in which they're accessing the data.

        Consider tax agencies, many people (e.g. customer service) need the ability to view specific tax returns related to their current task (e.g. an inbound phone call) this doesn't mean that arbitrarily accessing Tom Cruise's tax return isn't a breach of the system.

        • Actually, there's no need to give all employees access to everything. It should require being tasked something in an ticket system before accessing the specific account only.

          • by tlhIngan ( 30335 )

            Actually, there's no need to give all employees access to everything. It should require being tasked something in an ticket system before accessing the specific account only.

            Said by someone who likes bigger government who wants more bureaucracy.

            *Ring* *Ring*
            "Hello, this is the IRS, please hold" ... 3 hours later ...
            "Hello, this is the IRS, how may I hinder you?"
            "Yes, I'm asking where my refund is"
            "OK may I have the account number"
            "123-456-7890"
            "I'm sorry, I need to request access to your tax records. I've s

            • Specific to the IRS (or any bank), most systems require you to provide information to the agent in order for them to access the account. It is far from perfect security, but it is “pretty good.”

              I think there are times where violating an Acceptable Use Policy should be a felony, but they are few and far between.

              • But not because the AUP says something. There should be laws specifically protecting the privacy of personal information like that.
            • Lookup between a phone number + account number happens rapidly now that we have databases.

        • by nasch ( 598556 )

          True, but it also doesn't mean it should be a felony.

        • many people (e.g. customer service) need the ability to view specific tax returns related to their current task (e.g. an inbound phone call) this doesn't mean that arbitrarily accessing Tom Cruise's tax return isn't a breach of the system.

          You aren't distinguishing between what's unacceptable and what's criminal in your thinking. It's unacceptable for an employee to access records they have no business accessing, but in the vast majority of cases it isn't reasonable to treat their actions as criminal, let alone a felony. And where such treatment is justified, we generally already have laws on the books to cover it. Checking Twitter from a work PC is no reason to mar someone with a felony conviction for the rest of their life, yet that's exact

          • by HiThere ( 15173 )

            Considering some of the software that is HIPAA certified, I don't find that an argument that the problem is soluble.

            • Hah, fair enough, not all "HIPAA-compliant" software actually does what the label says. Even so, suggesting "there is no practical way the system can restrict access" when many of us have worked with or built such systems seems like an overreach. For customer service reps in particular, I'd wager there are already several off the shelf solutions that address the exact issue that was raised.

        • Comment removed based on user account deletion
      • Re: (Score:2, Insightful)

        by jbengt ( 874751 )
        Good chance it would have been 6-3 in the other direction if the defendant had not been a police officer.
        • Good chance it would have been 6-3 in the other direction if the defendant had not been a police officer.

          Unlikely. All the dissenters, who voted against the cop, were conservatives (Roberts, Thomas, Alito).

          I am happy to see the CFAA narrowed, but they picked the wrong case to base it on. This cop clearly exceeded his authority and betrayed the public trust by accepting a bribe to assist a stalker. There is no way that he believed what he was doing was legitimate. He should have gone to prison.

          • by narcc ( 412956 )

            Why can't what he did still be a crime, just not one that runs afoul of the CFAA? Were there no other charges?

            • Why can't what he did still be a crime, just not one that runs afoul of the CFAA?

              Perhaps it can. But it is frustrating that after years of dirty cops using the CFAA to railroad innocent people, the law is overturned turned for the benefit of a dirty cop.

          • Blame the prosecutor. He should have been charged appropriately. Accepting a bribe to perform an official duty to help someone is illegal (unless you call it a campaign contribution of course). Disclosing private law enforcement information to the public is illegal. For whatever reason, the prosecutor wanted this CFAA precedent. It wasn't the only thing even possibly illegal to charge in this case.
      • The Supreme Court actually isn't Congress. The justices aren't running for re-election in two years, as a Democrat or a Republican. They have no need to give red meat to the base of any particular political party.

        In the last two weeks, there have been about six cases that were decided 9-0, because generally the justices follow the law.

        We mostly see division when we ask the court to decide political questions are are highly divisive. For example the decision that the fourth amendment bar on "unreachable sear

        • by Sique ( 173459 )
          What you are completely missing are cases of conflicting law provisions. The classic example from the Bronze Age is the biblical commandment of a Day of Rest (the 3rd or Sabbath commandment). What if your pal falls in a deep well during Sabbath? Are you allowed to work to rescue him, violating the 3rd commandment, or would it rather be better to do nothing, honor the 3rd, but run afoul the 5th commandment and kill your pal?

          Most cases before the Supreme Court are there, because different laws and precedent

          • Yes, there can be "conflict of law" issues. And most of the time, those are decided unanimously or near unanimously by the Supreme Court. Because of course you should save your friend.

            In a typical term, about 15% of SCOTUS decisions are 5-4. 85% are not 85% of the time, there is general agreement among all the justices. (Contrast the Senate).

            Of those 15%, only about half are split down idealogical lines, with textualists / conservatives going one way and and "liberals"(moral reasoning, pragmatists) on the

    • by mark-t ( 151149 )

      I can see both sides, to be honest.

      If unauthorized usage of computing resources carries the threat of an actual criminal penalty there are certainly cases where a person is less likely to want to knowingly try it.

      And to that end, I would suggest that whether the unauthorized use is willful should factor into whether or not criminal penalties can apply.

      Whether or not the unauthorized use is willful (and therefore criminal) would depend on if the person had any reasonable cause at the time to believe o

  • Still cant convict a cop

    • by thaylin ( 555395 )

      So you think violations of acceptable use policies should be felonies? That is the outcome of what you are implying you want.

      • Meanwhile, Aaron Swartz.

        • Re:Goddamnit (Score:4, Insightful)

          by thaylin ( 555395 ) on Thursday June 03, 2021 @11:23AM (#61450876)

          Swartz would have had any conviction overturned based on this ruling.

          • Exactly. Why are only the rich, cops, politicians, and corporations treated as human beings?

            • by thaylin ( 555395 )

              I dont understand your point. In fact this ruling is opposite of all that. What you are wanting to do is throw the baby out with the bath water and making violating AUPs a felony just so a cop can be punished, when there are better ways to punish that cop for his actions other than an overly vague and broad law that criminalizes accessing twitter from a work computer.

              Sure a bad cop got off , but think of all those non-elites the law NOW cannot affect.

            • This ruling is a step in the direction you want to go. You have the wrong perspective here. Just because this outcome benefits a cop doesn't mean it's not a win for the little guy.

              • Re: Goddamnit (Score:4, Insightful)

                by lessSockMorePuppet ( 6778792 ) on Thursday June 03, 2021 @11:30AM (#61450910) Homepage

                I never said it wasn't a win for the little guy. What I'm expressing is anger that a good person had to die for a bullshit law, and in order to overturn it, they had to decide to save the skin of a piece of shit stalker pig.

                It's still a win, but it's bitter af.

                • Ah, I see what you meant. Fair point.

                • by uncqual ( 836337 )

                  a good person had to die for a bullshit law

                  First, Swartz chose to die - he killed himself. He didn't have to die. Swartz rejected a plea bargain that would have given him six months in prison (which would suck, but would seemingly be preferable to a self imposed death sentence). He didn't even wait for a trial, let alone an appeal, let alone an appeal to the Supreme Court. He chose not to enjoy his due process rights (in spite of a great deal of support for his case from many who would almost certainly have

            • Swartz was rich.

            • Except Swartz was never convicted(Something that already happened to Van Buren) and never appealed his case. It's not like his case was ignored and then he killed himself. He killed himself before availing himself of all legal avenues. No the thing to be angry about in Van Buren's case was SCOTUS' 2016 decision on bribery completely and totally neutering that law.

            • If Schwartz hadn't killed himself, he might have been the winning party in this case. He is certainly more sympathetic than a bribe-taking cop.
        • Meanwhile, Aaron Swartz.

          You mean the guy who went into a room he had no authorization to be in and deliberately hid a machine which was connected to a place he had no right to connect to?
          • I mean, by their logic, he was authorized.

            logo
            CYBERCRIME
            FEATURED
            GOVERNMENT
            Supreme Court narrows scope of CFAA computer hacking law
            By Catalin Cimpanu
            . June 3, 2021
            The United States Supreme Court has ruled today in a 6-3 vote to overturn a hacking-related conviction for a Georgia police officer, and by doing so, it also narrowed down the scope of the US’ primary hacking law, the Computer Fraud and Abuse Act.

            The ruling, No. 19-783 [PDF], comes in the Van Buren v. United States case of Nathan Van Buren, a former police sergeant in Cumming, Georgia, who was sentenced to 18 months in prison in May 2018 for taking a bribe of $5,000 to look up a license plate for a woman one of his informants met at a local strip club.

            Prosecutors charged Van Buren under the CFAA and argued that even if the police officer had been authorized to access the police database as part of his work duties, he “exceeded authorized access” when he performed a search against department internal policies.

            In subsequent appeals, Van Buren argued that the “exceeds authorized access” language in the CFAA was too broad and requested that the US Supreme Court rule on the matter, in a case the court decided to pick up and heard arguments last year.

            CFAA was making criminals of all Americans
            In a ruling delivered today, the court sided with Van Buren and overturned his 18-month conviction.

            In a 37-page opinion written and delivered by Justice Amy Coney Barrett, the court explained that the “exceeds authorized access” language was, indeed, too broad.

            Justice Barrett said the clause was effectively making criminals of most US citizens who ever used a work resource to perform unauthorized actions, such as updating a dating profile, checking sports scores, or paying bills at work.

            What today’s ruling means is that the CFAA cannot be used to prosecute rogue employees who have legitimate access to work-related resources, which will need to be prosecuted under different charges.

            The ruling does not apply to former employees accessing their old work systems because their access has been revoked and they’re not “authorized” to access those systems anymore.

            I think the law is bad, but the contortions here are even worse.

            • Particularly, because he had an account, this was "authorized" under this new interpretation. From Wiki:

              Visitors to MIT's "open campus" were authorized to access JSTOR through its network; Swartz, as a research fellow at Harvard University, also had a JSTOR account of his own.

          • You mean the guy who went into a room he had no authorization to be in and deliberately hid a machine which was connected to a place he had no right to connect to?

            Yes. What Aaron Swartz did was clearly wrong. He should have been punished for it.

            Perhaps 8 hours of community service would have been appropriate and proportionate, considering that his actions harmed no one.

            Threatening him with 35 years in prison and hounding him to suicide was not appropriate.

      • that is why you to go count and get an jury trail.

        And you make the jury read the full 600 page EULA.

      • Violations of acceptable use by government employees that involve sharing personal information should definitely be felonies.
      • When you can murder people with impunity, yes.

  • As it should be (Score:4, Insightful)

    by Brooklynoid ( 656617 ) on Thursday June 03, 2021 @11:27AM (#61450894)
    IMHO, this is a case of improper use of computing resources. The ability to look up a license plate was apparently granted to the officer, so he did not exceed any authorization limits when he did so. Fair call by SCOTUS, but this should not mean that the officer is off the hook - he still abused his authority and should be punished for that.
    • by thaylin ( 555395 )

      We need a FERPA/HIPAA based law but for LEOs

      • Good luck with that. Try suggesting that the police undergo drug testing and see how fast the union lawyers up. The guys with guns who can easily ruin or end your life can do all the drugs they want while the guy who mops the floor at the station is drug tested.

    • Retribution (Score:5, Interesting)

      by JBMcB ( 73720 ) on Thursday June 03, 2021 @11:45AM (#61450960)

      From what I understand, abusing the license plate lookup system is one of the few things they come down *hard* on. This is a holdover from when criminal gangs would bribe officers to look up plates so they could get the home addresses of witnesses in court cases. IE - hang out in the parking lot of the courthouse, watch what car the witness gets into, run the plate, pay them a visit.

    • by Dusanyu ( 675778 )
      Computer or not, this sort of violation should be handled by the Police department using administrative punishment / termination
  • I expect that the officer was charged with bribery. I wonder why they bothered to also charge him with violating the CFAA. Was it because the bribery charge didn't stick?

    • Prosecutors *really* don't like it when the police screw up like this. It makes their job harder. "Oh, the prosecutor is calling an officer to the stand who was from that precinct where they were taking bribes?" They probably over-charged to try to put the kibosh on this type of behavior in the future.

    • by uncqual ( 836337 )

      The first footnote in the majority opinion says:

      Van Buren also was charged with and convicted of honest-services wire fraud. In a separate holding not at issue here, the United States Court of Appeals for the Eleventh Circuit vacated Van Buren’s honest services fraud conviction as contrary to this Court’s decision in McDonnell v. United States, 579 U. S. 550 (2016).

      so it appears that at least some other charges were made and, for reasons I don't know, were tossed out by the lower court.

      • Honest services wire fraud sounds like just as bad a fit. There's no doubt laws against taking bribes, and disclosing LE privileged info. Should be asked why not those charges.
        • by uncqual ( 836337 )

          Most of those would probably be state level laws (as they should be) vs. federal laws.

          I've not researched this, but if the state/county didn't pursue charges it could be because the Feds were pursuing other charges for the same act and the Feds have a bigger arsenal and (typically) have a higher conviction rate and result in harsher sentences.

  • Equality (Score:5, Insightful)

    by rjstanford ( 69735 ) on Thursday June 03, 2021 @11:40AM (#61450938) Homepage Journal

    This seems fair. The proper punishment for the office in question should be exactly the same as if he'd looked up the information in a stack of paper files. The fact that he used a computer to do the research is irrelevant, and if the original violation doesn't carry stiff enough penalties then it should be adjusted for the future.

    • The proper punishment for the office in question should be exactly the same as if he'd looked up the information in a stack of paper files. The fact that he used a computer to do the research is irrelevant

      Whoa whoa whoa. You must be new around here. If you can add "...but on a computer" to the description of what you're doing, everyone knows that it's something wholly new and different that needs to be evaluated independently of any past precedent, methods, technologies, or principles.

      Do you have a process for moving files from point A to point B...but on a computer? What a novel idea! Patent it.

      Did your employee make an inappropriate comment...but on a computer? Felony! Put them behind bars.

      Do you have a wa

  • protect all government workers who use their employers government resources to spy, track and otherwise mess with other people for fun and personal profit($5,000).
    This cop violated the public trust(not that there is much of that left these days) and should never be a cop anywhere again.
    This ruling will make sure this continues to happen since there is no down side to being a criminal on the public payroll.

    Next, reinstatement and back pay!
    • It significantly changes the meaning of the word "authorized". Popcorn, anyone?

    • Perhaps the judgement would have been different if the person who's license plate the officer looked up was a judge or lawyer or other member of the criminal justice system. Which has happened.
  • It's interesting to note that, with the exception of Breyer, this opinion seems to be mostly divided along age lines (although Sotomayor is a year older than Roberts).
  • Lets say I have legal access to some academic journals, and then use that access to scrape the whole database. I assume that's still illegal, right?

    https://en.wikipedia.org/wiki/United_States_v._Swartz

  • The cop should be punished under some other law, but this is a big improvement. The US has some of the worst computer laws in the world. The CFAA still makes no allowance for the *severity* of the misuse, which I feel is an important oversight. The 13 year old hacking someone's multiplayer game shouldn't be treated the same as someone hacking a corporate network to steal sensitive data. One is a nuisance, the other is potential corporate espionage.
    • by nzkbuk ( 773506 )

      The 13 year old hacking someone's multiplayer game shouldn't be treated the same as someone hacking a corporate network to steal sensitive data. One is a nuisance, the other is potential corporate espionage

      Ah yes the good ol' US of A where corporate rights are FAR more important than personal rights. It's opinions like that allow corporations to kill people and face a lesser penalty than if person does the same.

  • Cops. Again. (Score:3, Informative)

    by theCat ( 36907 ) on Thursday June 03, 2021 @01:17PM (#61451364) Journal

    So because it was a cop, it's fine. Because I'm pretty sure if it was an insurance adjuster using a different computer system (and their authorized account) to do something underhanded, it would be 18 months in the slammer and the SCOTUS wouldn't hear the case. The insurance industry would demand it, because trust is a big part of the product offering. Cops, not so much. Nobody trusts cops, and cops (and their union) neither want nor need our trust. They have a state-sponsored license to do whatever-the-fuk and they use that license all the time, with full immunity, sometimes for personal profit. Welcome to your corrupt police state, have a nice century.

    • by ebvwfbw ( 864834 )

      It's not hacking. He was an authorized user. He wasn't stealing resources. If an Insurance adjuster did this - same thing as long as he was authorized to access the system. He's also not getting off scott free. He's still in trouble for looking up that license plate that wasn't part of his job. Should he go to jail for 18 months for looking up a skank's address? I don't think so. For some people that's the best they can do. Some people can't even get it on with a skank, they have themselves only. Besides ma

  • I enjoyed reading quite a lot of the comments here. On one hand, it's now blatantly obvious that the US Supreme Court continues to enthusiastically support and expand the corporate-owned police state currently threatening everything America claims to stand for. On the other hand, based on what I've read here and elsewhere, it seems more and more people from across the political spectrum, especially in the US, now realize that the police are among the worst liars, cheats, bullies and murderers in what's le

Trap full -- please empty.

Working...