Do You Use Your Company’s Computers to Access Restricted Files?
In a newly decided case, Van Buren v. United States, the United States Supreme Court limited an anti-hacker law. In 1984, Congress enacted the first federal computer-crime statute as part of the Comprehensive Crime Control Act and in 1986, Congress passed the Computer Fraud and Abuse Act (CFAA), which included the provisions that are at issue in this case.
In this case, a former police officer named Nathan Van Buren used his patrol-car computer to run a license-plate search in a law enforcement computer database in exchange for money. The Federal Government then charged Van Buren with a felony violation of the CFAA on the ground that running the license plate violated the “exceeds authorized access” clause.
The Supreme Court held that Van Buren did not violate the CFAA. The Court reasoned that this provision covers those who obtain information from particular areas in the computer (files, folders, or databases) to which their computer access does not extend and does not cover those who (like Van Buren), do not have proper motives for obtaining information that is otherwise available to them.
The Government tried to introduce their interpretation of the statute, but the Court shot it down stating that, “The Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity. If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.” So, you may be wondering what constitutes exceeding authorized access. Well, according to the Supreme Court in this ruling, “An individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer— such as files, folders, or databases—that are off-limits to him.” In other words, if you are roaming a computer at work that you are authorized to use, and you access files that are not off-limits to you, then you are not in violation of this Act. On the other hand, if you have the authorization to use a computer at work but are restricted from accessing certain files, then accessing such files may mean that you are violating the Act. Concludingly, employees need to be aware of what they may or may not access while using their employer’s devices.
