WASHINGTON—The Supreme Court Thursday narrowed the scope of a federal anti-hacking law, ruling that it doesn’t cover individuals who use their authorized access to obtain information for improper purposes.
The decision came in the case of a police officer who ran a woman’s license plate in exchange for cash from a man, something that “plainly flouted his department’s policy,” Justice Amy Coney Barrett wrote for a 6-3 court. But his action didn’t violate the Computer Fraud and Abuse Act of 1986, which authorizes up to 10 years imprisonment for anyone who “intentionally accesses a computer without authorization or exceeds authorized access” to obtain computer information.
In a 20-page opinion that, among other features, focused on the grammatical significance of the modifier “so,” Justice Barrett drew a sharp distinction: The law covers people who, although they are authorized to use a computer system, obtain files that are off-limits to them. But it doesn’t reach those who are entitled to access particular information—like Nathan Van Buren, a former Cumming, Ga., police sergeant who was authorized to use the motor-vehicle database—even if they misuse the data they pull.
To read the law more broadly “would attach criminal penalties to a breathtaking amount of commonplace computer activity,” Justice Barrett wrote. “Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA,” she wrote.
Likewise, many websites and online services impose fine-print terms and conditions that sweep broadly but rarely are read. The government’s theory would “criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook,” Justice Barrett wrote, citing an argument that University of California, Berkeley, law professor Orin Kerr raised in a friend-of-the-court brief.
The decision saw an unusual lineup. The majority included Justices Barrett,
as well as Justices Elena Kagan,
dissented, joined by Chief Justice
Mr. Van Buren obtained the information “for personal gain, not for a valid law enforcement purpose. And without a valid law enforcement purpose, he was forbidden to use the computer to obtain that information,” Justice Thomas wrote.
Justice Thomas doubted that the law would be used against individuals who disregard little-noticed terms and conditions for websites. But in any event, he said, “the majority’s reliance on modern-day uses of computers to determine what was plausible in the 1980s wrongly assumes that Congress in 1984 was aware of how computers would be used in 2021.”
The case began when Mr. Van Buren allegedly sought a loan from a widower he previously had arrested. The man secretly recorded the conversation and, calling it a shakedown, turned it over to authorities. The Federal Bureau of Investigation set up a sting operation in which the widower gave the officer thousands of dollars and asked that he use his access to a police database to look up a woman the widower supposedly met at a strip club.
After Mr. Van Buren did so, he was fired and charged with several federal offenses.
The case attracted interest from an array of technology and civil-liberties groups, as well as the news industry. Dow Jones & Co., publisher of The Wall Street Journal, joined dozens of media organizations in a brief arguing that the government’s view of the law would interfere with newsgathering by criminalizing whistleblowers who hold legitimate access to government and business materials.
Write to Jess Bravin at email@example.com
Corrections & Amplifications
The first name of University of California, Berkeley, law professor Orin Kerr was misspelled as Orrin in an earlier version of this article. (Corrected on June 3.)
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
Appeared in the June 4, 2021, print edition as ‘Justices Limit Anti-Hacking Law’s Reach.’