Responding to a third party who offered to pay him to search the database — a person who turned out to be an FBI informant — Van Buren agreed, leading to what the US government alleged was a violation of the Computer Fraud and Abuse Act.
Barrett wrote that Van Buren’s conduct “plainly flouted” his department’s policy, which authorized him to obtain database information only for law enforcement purposes.
But, she said, the court had been asked whether he violated the CFAA, which “he did not,” she wrote. Barrett said the provision of the law at issue does not cover those “who have improper motives for obtaining information that is otherwise available to them.”
“To top it all off,” she wrote, the government’s expansive interpretation of the law “would attach criminal penalties to a breathtaking amount of commonplace computer activity.”
Simply checking personal email or reading the news on a work computer would be considered a crime, Barrett added.
The court’s ruling adds definition to a long-running public debate over the breadth of the CFAA, and whether it applies to misconduct that stops short of breaking into a computer. In the past, the law has been invoked in cases involving website defacement and violations of terms of service, prompting digital rights groups to argue that it has been interpreted far too broadly.
Thursday’s ruling establishes a precedent that makes it harder to apply the CFAA in cases where an individual is authorized to access information on a computer but does so for “improper” reasons.
“Today’s decision is going to make it incumbent upon businesses and governments to be far more specific in their policies governing access to databases — not just about who is allowed to access particular databases, but about the specific purposes for which those individuals are and are not allowed to access that database,” said Steve Vladeck, CNN Supreme Court analyst and professor at the University of Texas School of Law.
“In the process, the court has made it a lot harder to punish those who misuse databases to which they generally have lawful access — and a lot more important for database owners to expressly prohibit uses of the data that aren’t specifically permitted,” he added.
Barrett’s majority opinion was joined by Justices Stephen Breyer, Sonia Sotomayor, Elena Kagan, Neil Gorsuch and Brett Kavanaugh. Justice Clarence Thomas dissented, joined by Justice Samuel Alito and Chief Justice John Roberts.
In his dissent, Thomas compared Van Buren’s actions to a valet charged with parking a car, writing that the law should have covered the police officers’ actions.
The valet, Thomas wrote, may “take possession of a person’s car to park it, but he cannot take it for a joyride,” Thomas wrote. He noted that Van Buren had permission to retrieve license plate information, but only for “law enforcement purposes.”
When the police officer accessed the database in exchange for a bribe from an acquaintance, Thomas stressed, he “exceeded authorized access” under the law. “Without valid law enforcement purposes, he was forbidden to use the computer to obtain that information,” Thomas wrote.
In another example, Thomas said that an employee may be entitled to pull the alarm in the event of a fire, “but he is not entitled to pull it for some other purpose, such as to delay a meeting for which he is unprepared.”
“Van Buren’s conduct was legal only if he was entitled to obtain that specific license plate information by using his admittedly authorized access to the data base,” he wrote in his dissent.
Conservatives at odds over textualism
The case produced odd bedfellows, splitting the conservatives and continuing a debate they have engaged in over the last two terms concerning a judicial philosophy called “textualism” that was championed by the late Justice Antonin Scalia. Scalia insisted that judges put a sharp focus on what Congress actually said when it passed a law, and not on what it might have intended.
For some, like the majority opinion Thursday, Barrett, Kavanaugh and Gorsuch turned to the literal meaning of the words on the page, which, they noted, subjects an individual to criminal liability if he “exceeds authorized access” to the database. The majority ruled in favor of Van Buren because he did have access to the database even if he used it improperly.
But Thomas’ dissent said that the court should have deferred to the “ordinary” interpretation of the law.
“Would an ordinary reader of the English language understand Van Buren to have “exceeded authorized access” to the database? Thomas asked.
“In my view the answer is yes,” he wrote. That’s because even though Van Buren had authorized access to the database, he did not have the authority to search it improperly for his personal gain.
“The text makes one thing clear: Using a police database to obtain information in circumstances where that use is expressly forbidden is a crime,” Thomas wrote.
This story has been updated with additional information from the opinion.