The Supreme Court issued a ruling today that imposes a limit on what counts as a crime under the Computer Fraud and Abuse Act (CFAA).
The case involves a former Georgia police sergeant who “used his own, valid credentials” to get information about a license plate number from a law enforcement database, the court decision said. The sergeant ran the search in exchange for money and for non-law enforcement purposes, violating a department policy. He was charged with a felony under the CFAA, which says it’s a crime when someone “intentionally accesses a computer without authorization or exceeds authorized access.” He was convicted and sentenced to 18 months in prison in May 2018.
A federal appeals court upheld the conviction, but the Supreme Court reversed it today in a 6-3 decision that said Van Buren did not violate the CFAA. Justices found that the cybersecurity statute does not make it a crime to obtain information from a computer when the person has authorized access to that machine even if the person has “improper motives.”