Journalists may face less risk for commonplace investigative computer reporting techniques thanks to a ruling today from the U.S. Supreme Court.
In its June 3 decision, the Court, in Van Buren v. United States, narrowly interpreted the criminal provisions of the Computer Fraud and Abuse Act (CFAA), which punishes certain types of access to websites and computer systems. The Court, in a 6-3 decision, held that the statute’s reach to anyone who “exceeds authorized access” does not apply to people who have permission to access the information, but then use it in an unauthorized fashion.
The case concerned former Georgia police sergeant Nathan Van Buren, who, in exchange for money, agreed to use his police car computer to provide motor vehicle records about an individual. That violated the department’s policy against obtaining database information for non-law-enforcement purposes. Prosecutors charged him with a felony violation of the CFAA, which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U.S.C. §1030(a)(2). A jury convicted Van Buren, and the 11th Circuit upheld the conviction, finding that he violated the CFAA by “accessing the law enforcement database for an ‘inappropriate reason’.”
The Supreme Court today reversed the conviction, holding that a person “exceeds authorized access” only when they “obtain information from particular areas in the computer – such as files, folders, or databases – to which their computer access does not extend.” The Court held the statute “does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.” The Court noted, that the government’s broad interpretation “would attach criminal penalties to a breathtaking amount of commonplace computer activity” by potentially criminalizing “every violation of a computer-use policy” including “an employee who sends a personal email or reads the news using her work computer.”
Importantly, the Court also gave a nod to friend-of-the-court briefs, including a brief from the Reporters Committee for Freedom of the Press, agreeing with the argument that, if read too broadly, the statutory language “exceeds authorized access” and could criminalize violations of web providers’ terms of service. In that event, the Court noted, “everything from embellishing an online dating profile to using a pseudonym on Facebook” could be deemed a criminal act.
The Court’s narrow interpretation of the statute’s reach may give journalists and their sources some comfort. Until now, newsroom practices such as data scraping from publicly available websites, or working with sources who may be violating their employer’s computer use policies, may have, to some prosecutors, appeared to be within the CFAA’s criminal prohibitions. The Court’s decision today makes the success of any prosecutions for these techniques seem less likely.
The opinion was written by Justice Amy Coney Barrett, and joined by Justices Stephen G. Breyer, Sonia Sotomayor, Elena Kagan, Neil M. Gorsuch and Brett M. Kavanaugh. Justice Clarence Thomas filed a dissent, in which Chief Justice John G. Roberts and Justice Samuel A. Alito joined.
Ballard Spahr’s Media and Entertainment Law attorneys represent clients across platforms and industries in navigating their most challenging issues—during newsgathering, the editing process, and in court.