The United States Supreme Court has ruled that a police officer who received money for obtaining data from a law-enforcement database for an associate did not break a controversial federal hacking law, meaning a victory for the ethical hacking community by limiting the law’s scope.
Judges rule that US, Georgia police officer did not violate CFAA when he accessed law-enforcement data in exchange for bribe money, a ruling that takes heat off ethical hackers.
Georgia Police Sergeant
In a landmark ruling in Van Buren v. United States, the court ruled that former Georgia police sergeant Nathan Van Buren did not violate the US Computer Fraud & Abuse Act of 1986 (CFAA) when he accessed a police database to retrieve information about a license plate in exchange for $6k in cash.
Judges ruled in a 6-3 decision–which now limits the scope of the CFAA–that because Van Buren used his own credentials to access the information, he did not violate the law, “which subjects to criminal liability anyone who ‘intentionally accesses a computer without authorisation or exceeds authorised access,’” according to the ruling.
The court pointed to a number of structural issues with the law which go against the federal case for contending that Van Buren violated the CFAA. One of the points in the decision is the phrase “exceeds authorised access,” which would suggest Van Buren overstepped authority as a police officer in accessing the database that held the information that was exchanged, according to the ruling.
“The relevant question, however, is not whether Van Buren exceeded his authorised access but whether he exceeded his authorised access as the CFAA defines that phrase,” according to the ruling. “For reasons given elsewhere, he did not.”
The case emerges from when the FBI caught Van Buren using the computer in his patrol car to access the Georgia Crime Information Centre (GCIC) database to obtain license-plate information in exchange for a cash payment from a person known to have ties to criminals.
Though he used his own valid credentials to access the database, Van Buren’s reason for using the computer was not consistent with performing his duties as a police officer, & he was brought up on federal criminal charges.
18 Months in Prison
The US District Court for the Northern District of Georgia convicted him on 2 charges– violating his department’s policy by obtaining database information for a personal purpose & violating the CFAA by using a computer network for purposes other than his police-officer duties. Van Buren was sentenced to 18 months in prison.
The officer appealed the conviction to the US Court of Appeals for the Eleventh Circuit, where it was upheld. Eventually, it reached the Supreme Court and its aforementioned ruling in favour of Van Buren. The Supreme Court did uphold the previous judgment that Van Buren’s actions violated his department’s policy, however.
Ramifications & Dissent
The case is an important one especially for the ethical hacking community, for whom the CFAA has been historically troubling due to some of its wording, which could be interpreted in an over-reaching way to convict them of violating the law, security experts have said.
The Electronic Frontier Foundation (EFF) went a step further & declared the ruling “a victory for all internet users,” saying that it should now prevent misuse of the CFAA to “prosecute beneficial & important online activity,” according to a blog post published Thurs.
“It affirmed that online services cannot use the CFAA’s criminal provisions to enforce limitations on how or why you use their service, including for purposes such as collecting evidence of discrimination or identifying security vulnerabilities,” according to the post, written by EFF Senior Staff Attorney Aaron Mackey & Deputy Executive Director & General Counsel Kurt Opsahl.
“It also rejected the use of troubling physical-world analogies & legal theories to interpret the law, which in the past have resulted in some of its most dangerous abuses.”
The 3 judges who disagreed with the ruling – Justices Clarence Thomas & Samuel Alito & Chief Justice John Roberts—believed that Van Buren breached the CFAA because he was forbidden to obtain the license-plate information for anything other than law-enforcement purposes.
“A person is entitled to do something only if he has a ‘right’ to do it,” according to the dissenting opinion, penned by Chief Justice Roberts.
“Van Buren never had ‘a right’ to use the computer to obtain the specific license-plate information. Everyone agrees that he obtained it for personal gain, not for a valid law-enforcement purpose.”