Supreme Court narrows CFAA

The US Supreme Court issued its long-awaited-by-cybersecurity-nerds opinion on Van Buren v. United States. The case examined whether it was a violation of the Computer Fraud and Abuse Act (CFAA) for a police officer to access a law enforcement database to obtain information, which the officer then used for a non-law enforcement purpose in violation of his department policy.

[Rapid7 joined an amicus brief in the Van Buren case, focusing on the problems a broad CFAA interpretation would create for beneficial cybersecurity research.]


The Supreme Court’s Van Buren opinion establishes a narrower interpretation of the CFAA. According to the Court, it is not a CFAA violation to obtain or use information on a computer for impermissible purposes, so long as you are authorized to access the information in the first place. [Pg. 20] The implication is that CFAA violations do not encompass breaches of TOS or contract terms that grant access but limit that access or use based on purpose, intent, or manner of access. [Pgs. 14-15] However, the Court seems to uphold technological (code-based) access limitations, as well as contract/policy-based limits on access to information, as valid means of establishing authorization under the CFAA. [FN 8, pg. 13]


The Court goes out of its way to note the problems a broad reading of the CFAA would pose for commonplace computer activity. Per the Court: ‘If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals,’ such as those who contravene an employee computer use policy by checking sports scores on ..
