The United States Supreme Court has said it will finally resolve a problem that has been causing legal problems for almost two decades: what exactly is “authorized use” of a computer?
If someone is authorized to use a computer – to access a database, for example – is this a general authorization and can he use it as long as he continues to use his existing connection? Or does it depend on the circumstances? Can a person's authorization depend on the conditions of use of the application?
The question may seem simple, but the biggest problem is how the law – in particular the US Computer Fraud and Abuse Act (CFAA) – sees her. Because even if an employee can be warned, even dismissed, of having abused his access to information, the CFAA would make it a criminal act. People could go to jail for not following the right conditions of service.
The particular case under consideration concerns former police sergeant Nathan Van Buren who was convicted in 2017 under the CFAA for having carried out a computer search for a license plate number. Van Buren had granted access to the police database, but in this case, he carried out a license check in exchange for money.
The details are not edifying: Van Buren needed the money and offered to do plate checks for a stripper named Albo. Albo went to the local sheriff's office, which contacted the FBI and they set up an injection operation giving Albo a false license which she gave to Van Buren. She said she wanted to know if she belonged to an undercover cop who was trying to arrest him for prostitution. She gave money to Van Buren and he led the plate.
Van Buren was arrested for violating the CFAA. But in court, Van Buren's lawyers argued that he was authorized to use the system as a police officer and that this access could not be prohibited, regardless of the reason why he had carried out the search himself. .
In other words, he could be reprimanded for taking money from a stripper to run a license plate – clearly unethical behavior – but he could not be convicted under the CFAA for that.
He was charged with two cases: having committed computer fraud for financial gain (in violation of CPAA) and honest service fraud and in violation of the CFAA. He was found guilty on both counts and sentenced to 18 months in prison with two years of supervised release. He appealed and the charge of “honest services” was quashed, but not the CFAA computer fraud charge. And that's why this can be the perfect test case.
Lawyers and jurists have disputed the question of authorized and unauthorized use under the CFAA since it was promulgated in 1986. The advent of the Internet, however, made the question 100 times more important and therefore 100 times greater.
Relax, breaking the fine print of a website does not make you a criminal hacker, according to a judge of the American cyberlegislation
The case has now been referred to the Supreme Court because other courts of appeal have had to decide similar cases in the meantime and have offered different interpretations. In 2011, the eleventh circuit decided that the violation of a written restriction made such access unauthorized in the case of Van Buren.
Van Buren is clean enough for the Supreme Court in the sense that legal issues are decided properly. He was charged with raping the CFAA, convicted – by a jury – and this conviction was later confirmed. But his entire sentence is now based on this interpretation of the CFAA.
And there are other courts of appeal that have made it clear that they disagree with the interpretation. In addition, of course, it is of great interest and importance to the public, as it has a daily impact on the behavior of almost all citizens.
Not solid arguments
The government is concerned about losing to the Supreme Court, as this would immediately result in appeals to all those who have been convicted under its current interpretation of the CFAA.
And, just to further open Pandora's box: a change in the way the CFAA works would impact one of the most controversial cases in which it has been used – to sue Aaron Swartz for downloading millions of research papers.
In 2013, the representative of the House of Commons, Zoe Lofgren (D-CA), drafted a bill that would have specifically excluded the conditions of service of the CFAA because of what happened in Swartz. The young co-founder of RSS was aggressively prosecuted under this aspect of the law and said he would face a million dollar fine and 35 years in prison for his actions. Unable to cope with the pressure, he committed suicide.
Lofgren's bill was pushed back – allegedly through Oracle lobbying – and she reintroduced in 2015, but he still went nowhere. At the time – five years ago now – Lofgren argued that the CFAA was “long overdue for reform.”
“Basically,” she explained, “the CFAA is anti-piracy law. Unfortunately, over time, we have seen prosecutors broaden the intent of the law, imposing overly harsh criminal penalties for less serious offenses. It is time that we reform this law to better focus on truly malicious hackers and bad actors, and away from everyday computer and Internet activities. “
Slightly unusual, a corrupt cop and a stripper can bring Swartz and possibly dozens of others to justice much later, who have been convicted under government interpretation of the CFAA. ®
Office 365 client-to-client migration tips