Computer Fraud and Abuse Act (CFAA)
The US Supreme Court has agreed to hear Van Buren v. United States. At issue in the case is whether the Computer Fraud and Abuse Act makes it is a federal crime for someone with permission to access a website for certain purposes to access that information for an improper purpose.
The Computer Fraud and Abuse Act (CFAA) makes it a federal crime to “access a computer without authorization or exceed authorized access, and thereby obtain information from any protected computer.” 18 U.S.C.§ 1030(a)(2)(C). Under the Act, to “exceed authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
In the case, petitioner, a police officer, was convicted under the CFAA after he accessed a police computer database in order to look up a license plate record for personal purposes, in violation of database rules that permitted him to access only for "law enforcement purposes."
Petitioner argues that because he had permission to access the website, he cannot be convicted under the CFAA. He argues that if the lower court is correct, any “trivial breach” of the conditions imposed by, for example, employers or the terms of service for a website – “from checking sports scores at work to inflating one’s height on a dating website” – would be a federal crime.
There is a division in the opinions of the appellate courts on this question.