The federal criminal law prohibiting computer fraud has been in desperate need for a rewrite. Title 18, Section 1030, was drafted at a time in the mid-1980s when computer access was in its infancy — now, computer access is the primary terrain for serious criminal fraud, hacking and other transnational or organized crime. Given the current state of dysfunction in Washington, D.C., it is unlikely that Congress on its own initiative will revise and update the law.
In a recent decision, Van Buren v. United States, the Supreme Court narrowed the application of Section 1030. In a 6-3 decision, the Supreme Court ruled that a Georgia police officer did not violate Section 1030 by gaining unauthorized access to government records when the officer exceeded his authorized access to government records. The officer, Nathan Van Buren, was convicted of a felony for accepting a $6000 payment from a friend to check the police database to determine if a police officer was an undercover officer.
The Supreme Court reversed Van Buren’s conviction under Section 1030 and rejected the Justcie Department’s argument that Section 1030 authorizes the government to pursue criminal charges when an employee breaches a company policy by engaging in “unauthorize” use of a computer. Such a broad standard, the Court reasoned, could lead to “criminal penalties to a breathtaking amount of commonplace computer activity,” Justice Amy Coney Barrett wrote for the majority of the Court. As explained by the majority,”[i]f the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals,” Justice Barrett added.
Justices Stephen Breyer, Sonia Sotomayor, Elena Kagan, Neil Gorsuch and Brett Kavanaugh joined Justice Barrett in the majority decision. Justice Clarence Thomas filed a dissent, joined by Justice Samuel Alito and Chief Justice John Roberts Jr.
Justice Thomas who wrote the dissenting opinion, stated that Section 1030’s “unauthorized access” language was based on established principles of property law, and a long history that has “long punished those who exceed the scope of consent when using property that belongs to others.”.
The Court’s majority ruled that Section 1030 is so broadly written that it has been used well beyond its main purpose – to prohibit and punish illegal hacking of computer networks. The Van Buren case, however, focused on the broad reach of the statute to prohibit conduct by individuals who “access a computer with authorization and use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The focus of the decision turned on the meaning of “so,” as used in Section 1030. Section 1030 defines the phrase “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The key word, the majority explained, is “so.” That word, the majority reasoned, is “a term of reference,” and thus the phrase “so to obtain” means to obtain in “the same manner as has been stated.” That manner is “via a computer one is otherwise authorized to access,” and therefore the phrase “is not entitled so to obtain” must be read as “not allowed to obtain by using a computer that he is authorized to access.”
This portion of Section 1030 has been used to prosecute individuals who gain illegal access to a computer through unauthorized usernames and passwords, as well as misuse of company computer systems to steal information and trade secrets. The majority was ultimately persuaded that the reach of the statute was so broad that it could plausibly be used to punish ordinary users of computer networks for a variety of uses, many of which would fall beyond the scope of the law’s intent. For example, if a user was authorized to access a database for a specific purpose but did so for an unauthorized purpose, such conduct could fall under the ambit of the criminal statute.
Once again, the ball is now in Congress’ court – whether the Supreme Court’s decision in Van Buren will spur Congress to revise and update Section 1030, it is not real clear. Privacy advocates and law enforcement should work together to draft a common purpose revised version of the statute, but I would not hold your breath.