Supreme Court ruling limits use of hacking law

By Jonathan Greig | June 4, 2021 — 03:18 GMT (04:18 BST) | Topic: Government

The Supreme Court ruled against the government in a case centered around the Computer Fraud and Abuse Act (CFAA) on Thursday, writing that the Justice Department’s interpretation of the law was too broad and effectively attached “criminal penalties to a breathtaking amount of commonplace computer activity.”

The 6-3 decision put a limit on how the federal government can use the law to prosecute those who unlawfully access a system. In her majority opinion, Justice Amy Coney Barrett wrote that Nathan Van Buren — a police officer from Cummings, Georgia, who was convicted for taking a bribe to look up a license plate — did not violate the CFAA because as an officer he was given full access to the license plate database.

Barrett was joined by Justices Sotomayor, Gorsuch, Kagan, Kavanaugh and Breyer, while Thomas, Alito and Chief Justice Roberts dissented. The CFAA is split into two clauses, criminalizing not just the unlawful entry into a system but the specifically unlawful access to certain systems or folders. 

Barrett argued that by saying Van Buren exceeded his “authorized access” as a police officer, the government was criminalizing “every violation of a computer-use policy.” If that was the case, Barrett said it would mean that “millions of otherwise law-abiding citizens are criminals.” 

“Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes,” Barrett wrote. “So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.”

Much of the decision focused on the linguistic disputes between Van Buren’s lawyers and the Justice Department, which initially convinced a jury to convict Van Buren. A district court sentenced him to 18 months in prison, but he appealed the decision to the 11th Circuit Court, which also sided with the government’s reading of the law.

But the Supreme Court ruling backed Van Buren’s stance, which said that liability under both clauses of the CFAA stems from a “gates-up-or-down” inquiry.

“One either can or cannot access a computer system, and one either can or cannot access certain areas within the system. If the ‘exceeds authorized access’ clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers,” the ruling said. 

“And indeed, numerous amici explain why the Government’s reading of subsection (a)(2) would do just that — criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook. The Government’s reading leaves unanswered why the statute would prohibit accessing computer information, but not the computer itself, for an improper purpose.”

Lawyers and legal experts had a wide range of responses to the ruling depending on the client base. The ACLU praised the decision, listing specific instances where the expanded reading of the law criminalized everyday activity and research.  

Esha Bhandari, deputy director of the ACLU’s Speech, Privacy, and Technology Project, called it an “important victory for civil liberties and civil rights enforcement in the digital age,” adding that it will “allow researchers and journalists to use common investigative techniques online without fear of CFAA liability.” 

Erez Liebermann, a partner at Linklaters, said companies and government entities now need to take extra steps to place technological barriers around data in their companies if they want to restrict access to employees.  

While this will add costs, Liebermann said it may make data more secure, both from internal users and hackers roaming through a company’s system. 

“The Court’s opinion removes a strong criminal deterrent. Employees who might have shied away from theft of internal data because of the fear of prosecution or civil action have caught a break,” Liebermann explained. “Terms of Use and Authorized Use Policies, which already had little teeth given that most people don’t read them, just had a few more teeth knocked out. It’s doubtful that they could form the basis of a criminal prosecution or civil action.”

Mark Langer, a privacy associate with Aleada, said critics and activists have fought against the law for years because the CFAA’s current structure gives the government broad authority to prosecute and then rely on prosecutorial discretion to ensure that this authority is not abused. 

“Having the Supreme Court push back on this sweeping interpretation of the CFAA is a huge step for reining in the CFAA’s scope. Solving this problem goes far beyond the scope and facts of one case, and it is the job for a legislature, not a judge. Hopefully this case will provide momentum to Congress’s efforts to bring these laws into the 21st century,” Langer said. 

Epstein Becker Green lawyer Aime Dempsey explained that since the law was passed in the 1980s, it was used to prosecute hackers and as a way for companies to sue certain employees for damages and other penalties.  

Dempsey echoed Liebermann’s sentiment, telling ZDNet that employers needed to place more stringent limits on employee access now that the Supreme Court has ruled that even if unlawful access may violate company policy, it would not violate the CFAA.  

“If a company has a policy that someone will get fired if they misuse information, this decision wouldn’t change that at all. It would only change the access to this particular statute of the CFAA criminally or civilly,” Dempsey said. 

Alan Brill, senior managing director in the Cyber Risk practice of law firm Kroll, said that the ruling “isn’t giving people a free pass to steal or misuse data because there are other laws to use in certain cases.”

Companies will need to look at how their systems are built and whether they are giving too many employees access to too much information, he said.  

“I would probably call together the general counsel, the HR manager, the IT manager and the compliance officer and I would look at what our organization’s rules are for use and misuse of data. I would want to make sure that they were very clearly spelled out and I would want to make sure that they were spelled out appropriately in light of the other laws and labor laws,” Brill explained.  

Rules and penalties should be explained and sketched out in compliance with collective bargaining agreements, Brill added, noting that some companies should consider having employees sign updated non-disclosure agreements or computer use agreements. 

“This is a multi-dimensional problem that needs a well-thought-out, multi-dimensional answer,” Brill said. 

“But if we stick with the basics, giving people access to what they need and not giving them access to what they don’t need, we’re going a long way to immunizing ourselves from the effects of this decision.”
