Supreme Court Narrows Scope of CFAA Computer Hacking Law (therecord.media)
The United States Supreme Court has ruled today in a 6-3 vote to overturn a hacking-related conviction for a Georgia police officer, and by doing so, it also narrowed down the scope of the US' primary hacking law, the Computer Fraud and Abuse Act. From a report: The ruling, No. 19-783, comes in the Van Buren v. United States case of Nathan Van Buren, a former police sergeant in Cumming, Georgia, who was sentenced to 18 months in prison in May 2018 for taking a bribe of $5,000 to look up a license plate for a woman one of his informants met at a local strip club. Prosecutors charged Van Buren under the CFAA and argued that even if the police officer had been authorized to access the police database as part of his work duties, he "exceeded authorized access" when he performed a search against department internal policies. In subsequent appeals, Van Buren argued that the "exceeds authorized access" language in the CFAA was too broad and requested that the US Supreme Court rule on the matter, in a case the court decided to pick up and heard arguments last year.
a very good ruling in my opinion (Score:5, Insightful)
I am glad they ruled on it narrowly, making AUPs a felony would just be stupid.
Re: (Score:3)
Exactly right. Some other pertinent details from the article:
What today’s ruling means is that the CFAA cannot be used to prosecute rogue employees who have legitimate access to work-related resources, which will need to be prosecuted under different charges.
The ruling does not apply to former employees accessing their old work systems because their access has been revoked and they’re not “authorized” to access those systems anymore.
Basically, no more making felons of anyone and everyone who fell afoul of an IT policy that said, "you are authorized to use it, just not in that way that we don't like" nonsense. As the ruling pointed out, the law's language was so broad that it basically made felons of anyone who has ever checked a personal email account from a work PC. It still preserves the restrictions against people who aren't supposed to be accessing systems in the first pl
Re: (Score:1)
aww... come on....
Re: (Score:2)
Thomas is consistently pro second amendment, which is not consistent with your claim.
Ginsburg on the other hand was consistently against the second amendment, but very much for more Federal power.
Re: (Score:2)
If you told me this came out 6-3, I'd have switched Roberts for Kavanaugh. Both of them surprised me there.
Re: (Score:2)
I don't think this is that simple. Often people need to be given broad access because (like for police) there is no practical way the system can restrict access to the real world context in which they're accessing the data.
Consider tax agencies: many people (e.g. customer service) need the ability to view specific tax returns related to their current task (e.g. an inbound phone call); this doesn't mean that arbitrarily accessing Tom Cruise's tax return isn't a breach of the system.
Re: (Score:2)
Actually, there's no need to give all employees access to everything. It should require being tasked something in a ticket system before accessing the specific account only.
Re: (Score:1)
Said by someone who likes bigger government who wants more bureaucracy.
*Ring* *Ring* ... 3 hours later ...
"Hello, this is the IRS, please hold"
"Hello, this is the IRS, how may I hinder you?"
"Yes, I'm asking where my refund is"
"OK may I have the account number"
"123-456-7890"
"I'm sorry, I need to request access to your tax records. I've s
Re: (Score:2)
Specific to the IRS (or any bank), most systems require you to provide information to the agent in order for them to access the account. It is far from perfect security, but it is “pretty good.”
I think there are times where violating an Acceptable Use Policy should be a felony, but they are few and far between.
Re: (Score:2)
Lookup between a phone number + account number happens rapidly now that we have databases.
Re: (Score:2)
True, but it also doesn't mean it should be a felony.
Re: (Score:2)
many people (e.g. customer service) need the ability to view specific tax returns related to their current task (e.g. an inbound phone call); this doesn't mean that arbitrarily accessing Tom Cruise's tax return isn't a breach of the system.
You aren't distinguishing between what's unacceptable and what's criminal in your thinking. It's unacceptable for an employee to access records they have no business accessing, but in the vast majority of cases it isn't reasonable to treat their actions as criminal, let alone a felony. And where such treatment is justified, we generally already have laws on the books to cover it. Checking Twitter from a work PC is no reason to mar someone with a felony conviction for the rest of their life, yet that's exact
Re: (Score:2)
Considering some of the software that is HIPAA certified, I don't find that an argument that the problem is soluble.
Re: (Score:3)
Hah, fair enough, not all "HIPAA-compliant" software actually does what the label says. Even so, suggesting "there is no practical way the system can restrict access" when many of us have worked with or built such systems seems like an overreach. For customer service reps in particular, I'd wager there are already several off the shelf solutions that address the exact issue that was raised.
Re: (Score:2)
Good chance it would have been 6-3 in the other direction if the defendant had not been a police officer.
Unlikely. All the dissenters, who voted against the cop, were conservatives (Roberts, Thomas, Alito).
I am happy to see the CFAA narrowed, but they picked the wrong case to base it on. This cop clearly exceeded his authority and betrayed the public trust by accepting a bribe to assist a stalker. There is no way that he believed what he was doing was legitimate. He should have gone to prison.
Re: (Score:2)
Why can't what he did still be a crime, just not one that runs afoul of the CFAA? Were there no other charges?
Re: (Score:2)
Why can't what he did still be a crime, just not one that runs afoul of the CFAA?
Perhaps it can. But it is frustrating that after years of dirty cops using the CFAA to railroad innocent people, the law is overturned for the benefit of a dirty cop.
SCOTUS isn't Congress. Six 9-0 rulings in 2 weeks (Score:1)
The Supreme Court actually isn't Congress. The justices aren't running for re-election in two years, as a Democrat or a Republican. They have no need to give red meat to the base of any particular political party.
In the last two weeks, there have been about six cases that were decided 9-0, because generally the justices follow the law.
We mostly see division when we ask the court to decide political questions that are highly divisive. For example, the decision that the fourth amendment bar on "unreachable sear
Re: (Score:2)
Most cases before the Supreme Court are there, because different laws and precedent
85% are not 5-4 decisions. Only 7% ideological (Score:2)
Yes, there can be "conflict of law" issues. And most of the time, those are decided unanimously or near unanimously by the Supreme Court. Because of course you should save your friend.
In a typical term, about 15% of SCOTUS decisions are 5-4. 85% are not. 85% of the time, there is general agreement among all the justices. (Contrast the Senate).
Of those 15%, only about half are split down ideological lines, with textualists / conservatives going one way and "liberals" (moral reasoning, pragmatists) on the
Re: (Score:2)
No, it just means that someone can't be brought up on felony charges under the CFAA for misusing the office computers to sabotage your career. It's no more legal or ethical for someone to implicate you in pr0n smuggling via computer than it would be in years past for someone to slip nudie rags into your desk at work (or similar).
Re:a very good ruling in my opinion (Score:5, Insightful)
It means that if someone in IT wants to drop, say, something on your computer like porn, to get you fired, then you have no legal recourse to pursue, because, well, they were authorised to access your system.
that's still a crime, it's just not computer fraud
you could for example exfiltrate sensitive data and leak it, because, well, you had access to that system.
that's still a crime, it's just not computer fraud
Someone in HR could publish your personal records publicly including any disciplinaries or poor work records because they had access to that system.
that's still a crime, it's just not computer fraud
It's fairly clear that this ruling has been reached because cops, no matter how dodgy, are above reproach in the US, but the unintended consequences are massive and scary.
Admittedly I did not read the opinion or even TFA but I suspect bribery is still a crime, just not computer fraud. The unintended consequences are appropriate.
HR can now leak and gossip about sensitive data
that's still a crime, it's just not computer fraud
IT can turn company server farms into bitcoin mining operations
Honestly not sure if that's a crime or not. Either way it's probably grounds for termination.
sales people can now sell off sensitive data to get a job at a competitor.
that's still a crime, it's just not computer fraud
Re: (Score:2)
First, IANAL!
Second, read the ruling or a competent analysis of it before posting foolishness. Even the summary makes it pretty clear that the ruling did not in any way exonerate the cop. They simply ruled that the law was not designed or passed to apply to this sort of crime. Prosecutors frequently look for ways to charge a crime based on a law that was never intended to be used this way and it can lead to major injustices. I'll cite Aaron Swartz as a prime example of this legal over-reach.
Re: (Score:2)
It means that if someone in IT wants to drop, say, something on your computer like porn, to get you fired, then you have no legal recourse to pursue, because, well, they were authorised to access your system.
No, that would still be something you can pursue in court. It could also get the IT person fired.
It just means that for once, adding the phrase "with a computer" doesn't magically morph the whole situation.
Re: (Score:3)
I can see both sides, to be honest.
If unauthorized usage of computing resources carries the threat of an actual criminal penalty there are certainly cases where a person is less likely to want to knowingly try it.
And to that end, I would suggest that whether the unauthorized use is willful should factor into whether or not criminal penalties can apply.
Whether or not the unauthorized use is willful (and therefore criminal) would depend on if the person had any reasonable cause at the time to believe o
Re:a very good ruling in my opinion (Score:4, Interesting)
If unauthorized usage of computing resources carries the threat of an actual criminal penalty there are certainly cases where a person is less likely to want to knowingly try it.
The cop's unauthorized usage was a crime; SCOTUS just ruled it wasn't okay to charge him under this particular law.
Goddamnit (Score:1)
Still can't convict a cop
Re: (Score:3)
So you think violations of acceptable use policies should be felonies? That is the outcome of what you are implying you want.
Re: (Score:2)
Meanwhile, Aaron Swartz.
Re:Goddamnit (Score:4, Insightful)
Swartz would have had any conviction overturned based on this ruling.
Re: (Score:1)
Exactly. Why are only the rich, cops, politicians, and corporations treated as human beings?
Re: (Score:2)
I don't understand your point. In fact this ruling is opposite of all that. What you are wanting to do is throw the baby out with the bath water and make violating AUPs a felony just so a cop can be punished, when there are better ways to punish that cop for his actions other than an overly vague and broad law that criminalizes accessing twitter from a work computer.
Sure a bad cop got off, but think of all those non-elites the law NOW cannot affect.
Re: Goddamnit (Score:1)
This ruling is a step in the direction you want to go. You have the wrong perspective here. Just because this outcome benefits a cop doesn't mean it's not a win for the little guy.
Re: Goddamnit (Score:4, Insightful)
I never said it wasn't a win for the little guy. What I'm expressing is anger that a good person had to die for a bullshit law, and in order to overturn it, they had to decide to save the skin of a piece of shit stalker pig.
It's still a win, but it's bitter af.
Re: Goddamnit (Score:1)
Ah, I see what you meant. Fair point.
Re: (Score:3)
First, Swartz chose to die - he killed himself. He didn't have to die. Swartz rejected a plea bargain that would have given him six months in prison (which would suck, but would seemingly be preferable to a self imposed death sentence). He didn't even wait for a trial, let alone an appeal, let alone an appeal to the Supreme Court. He chose not to enjoy his due process rights (in spite of a great deal of support for his case from many who would almost certainly have
Re: Goddamnit (Score:3)
Swartz was rich.
Re: (Score:2)
Except Swartz was never convicted (something that already happened to Van Buren) and never appealed his case. It's not like his case was ignored and then he killed himself. He killed himself before availing himself of all legal avenues. No, the thing to be angry about in Van Buren's case was SCOTUS' 2016 decision on bribery completely and totally neutering that law.
Re: (Score:2)
You mean the guy who went into a room he had no authorization to be in and deliberately hid a machine which was connected to a place he had no right to connect to?
Re: (Score:2)
I mean, by their logic, he was authorized.
Supreme Court narrows scope of CFAA computer hacking law
By Catalin Cimpanu, June 3, 2021
The United States Supreme Court has ruled today in a 6-3 vote to overturn a hacking-related conviction for a Georgia police officer, and by doing so, it also narrowed down the scope of the US’ primary hacking law, the Computer Fraud and Abuse Act.
The ruling, No. 19-783 [PDF], comes in the Van Buren v. United States case of Nathan Van Buren, a former police sergeant in Cumming, Georgia, who was sentenced to 18 months in prison in May 2018 for taking a bribe of $5,000 to look up a license plate for a woman one of his informants met at a local strip club.
Prosecutors charged Van Buren under the CFAA and argued that even if the police officer had been authorized to access the police database as part of his work duties, he “exceeded authorized access” when he performed a search against department internal policies.
In subsequent appeals, Van Buren argued that the “exceeds authorized access” language in the CFAA was too broad and requested that the US Supreme Court rule on the matter, in a case the court decided to pick up and heard arguments last year.
CFAA was making criminals of all Americans
In a ruling delivered today, the court sided with Van Buren and overturned his 18-month conviction.
In a 37-page opinion written and delivered by Justice Amy Coney Barrett, the court explained that the “exceeds authorized access” language was, indeed, too broad.
Justice Barrett said the clause was effectively making criminals of most US citizens who ever used a work resource to perform unauthorized actions, such as updating a dating profile, checking sports scores, or paying bills at work.
What today’s ruling means is that the CFAA cannot be used to prosecute rogue employees who have legitimate access to work-related resources, which will need to be prosecuted under different charges.
The ruling does not apply to former employees accessing their old work systems because their access has been revoked and they’re not “authorized” to access those systems anymore.
I think the law is bad, but the contortions here are even worse.
Re: (Score:3)
Particularly, because he had an account, this was "authorized" under this new interpretation. From Wiki:
Visitors to MIT's "open campus" were authorized to access JSTOR through its network; Swartz, as a research fellow at Harvard University, also had a JSTOR account of his own.
Re: (Score:2)
You mean the guy who went into a room he had no authorization to be in and deliberately hid a machine which was connected to a place he had no right to connect to?
Yes. What Aaron Swartz did was clearly wrong. He should have been punished for it.
Perhaps 8 hours of community service would have been appropriate and proportionate, considering that his actions harmed no one.
Threatening him with 35 years in prison and hounding him to suicide was not appropriate.
that is why you go to court and get a jury trial (Score:2)
that is why you go to court and get a jury trial.
And you make the jury read the full 600 page EULA.
Re: (Score:2)
When you can murder people with impunity, yes.
As it should be (Score:4, Insightful)
Re: (Score:2)
We need a FERPA/HIPAA based law but for LEOs
Re: (Score:2)
Good luck with that. Try suggesting that the police undergo drug testing and see how fast the union lawyers up. The guys with guns who can easily ruin or end your life can do all the drugs they want while the guy who mops the floor at the station is drug tested.
Retribution (Score:5, Interesting)
From what I understand, abusing the license plate lookup system is one of the few things they come down *hard* on. This is a holdover from when criminal gangs would bribe officers to look up plates so they could get the home addresses of witnesses in court cases. IE - hang out in the parking lot of the courthouse, watch what car the witness gets into, run the plate, pay them a visit.
Why did they even pursue this? (Score:2)
I expect that the officer was charged with bribery. I wonder why they bothered to also charge him with violating the CFAA. Was it because the bribery charge didn't stick?
Retaliation (Score:2)
Prosecutors *really* don't like it when the police screw up like this. It makes their job harder. "Oh, the prosecutor is calling an officer to the stand who was from that precinct where they were taking bribes?" They probably over-charged to try to put the kibosh on this type of behavior in the future.
Re: (Score:3)
The first footnote in the majority opinion says:
so it appears that at least some other charges were made and, for reasons I don't know, were tossed out by the lower court.
Re: (Score:2)
Most of those would probably be state level laws (as they should be) vs. federal laws.
I've not researched this, but if the state/county didn't pursue charges it could be because the Feds were pursuing other charges for the same act and the Feds have a bigger arsenal and (typically) have a higher conviction rate and result in harsher sentences.
Equality (Score:5, Insightful)
This seems fair. The proper punishment for the officer in question should be exactly the same as if he'd looked up the information in a stack of paper files. The fact that he used a computer to do the research is irrelevant, and if the original violation doesn't carry stiff enough penalties then it should be adjusted for the future.
Re: (Score:3)
The proper punishment for the officer in question should be exactly the same as if he'd looked up the information in a stack of paper files. The fact that he used a computer to do the research is irrelevant
Whoa whoa whoa. You must be new around here. If you can add "...but on a computer" to the description of what you're doing, everyone knows that it's something wholly new and different that needs to be evaluated independently of any past precedent, methods, technologies, or principles.
Do you have a process for moving files from point A to point B...but on a computer? What a novel idea! Patent it.
Did your employee make an inappropriate comment...but on a computer? Felony! Put them behind bars.
Do you have a wa
This ruling was made to (Score:2)
This cop violated the public trust (not that there is much of that left these days) and should never be a cop anywhere again.
This ruling will make sure this continues to happen since there is no down side to being a criminal on the public payroll.
Next, reinstatement and back pay!
Re: (Score:2)
It significantly changes the meaning of the word "authorized". Popcorn, anyone?
I thought this was an interesting tidbit (Score:1)
so.. about those academic journals on JSTOR (Score:2)
Let's say I have legal access to some academic journals, and then use that access to scrape the whole database. I assume that's still illegal, right?
https://en.wikipedia.org/wiki/United_States_v._Swartz
Good news. (Score:1)
Re: (Score:2)
Ah yes the good ol' US of A where corporate rights are FAR more important than personal rights. It's opinions like that that allow corporations to kill people and face a lesser penalty than if a person does the same.
Cops. Again. (Score:3, Informative)
So because it was a cop, it's fine. Because I'm pretty sure if it was an insurance adjuster using a different computer system (and their authorized account) to do something underhanded, it would be 18 months in the slammer and the SCOTUS wouldn't hear the case. The insurance industry would demand it, because trust is a big part of the product offering. Cops, not so much. Nobody trusts cops, and cops (and their union) neither want nor need our trust. They have a state-sponsored license to do whatever-the-fuk and they use that license all the time, with full immunity, sometimes for personal profit. Welcome to your corrupt police state, have a nice century.
Re: (Score:1)
It's not hacking. He was an authorized user. He wasn't stealing resources. If an insurance adjuster did this - same thing as long as he was authorized to access the system. He's also not getting off scot-free. He's still in trouble for looking up that license plate that wasn't part of his job. Should he go to jail for 18 months for looking up a skank's address? I don't think so. For some people that's the best they can do. Some people can't even get it on with a skank, they have themselves only. Besides ma
Short term pain...long-term gain (Score:2)
I enjoyed reading quite a lot of the comments here. On one hand, it's now blatantly obvious that the US Supreme Court continues to enthusiastically support and expand the corporate-owned police state currently threatening everything America claims to stand for. On the other hand, based on what I've read here and elsewhere, it seems more and more people from across the political spectrum, especially in the US, now realize that the police are among the worst liars, cheats, bullies and murderers in what's le