The U.S. Department of Justice has used the Computer Fraud and Abuse Act to prosecute whistleblowers for supposedly “exceed[ing] authorized access” on a computer system by arguing that downloading material contrary to the rules of use of the system is an example of “exceed[ing] authorized access.” But the Supreme Court has ruled that a person with valid credentials to access material is not in violation of the CFAA, even if they end up leaking or selling material that they were able to access without hacking. This requires an actual hack or violation of technical security protocols to be charged under this section of the CFAA.
The case was brought by a police officer who accepted payments from individuals in exchange for looking up information about license plate numbers in a law enforcement database. While this behavior clearly violated department protocols and may, indeed, be illegal, the question is whether he had violated the law against a person who “intentionally accesses a computer without authorization or exceeds authorized access.”
The Supreme Court ruling explains what this law will be taken to mean: “An individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer — such as files, folder, or databases — that are off limits to him.” The police officer did have authorization to the law enforcement database, and therefore did not break the CFAA.
Violation of the CFAA was among Chelsea Manning’s convictions. But her defense team had pointed out that she “was authorized to access each and every piece of information [she] accessed.” The government never claimed that Manning was not permitted to view the cables she leaked.
The political prosecution of Thomas Drake ended in his pleading guilty to “exceeding authorized access” of a government computer. But Drake had the proper security clearance to access each piece of information that he leaked to a Baltimore Sun reporter.
How does this apply to Assange? He is charged with actually breaking into computer systems, which is indeed against the CFAA. But that is a conspiracy charge, and Manning never required Assange’s assistance in accessing the databases from which she downloaded materials to leak.
This ruling is important because companies have attempted to use the fact that employees have violated the rules of use of their systems to attempt to have them charged criminally with violating the CFAA. But violating the rules of computer use, without hacking or breaking into forbidden files, is not against the CFAA, the Supreme Court has ruled. The ruling explains: “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer use policy, then millions of otherwise law-abiding citizens are criminals.” Under the legal theory advanced by the government, “An employee who sends a personal email or reads the news using her work computer” could be guilty of violating the CFAA.
Whether this ruling will reduce the prosecution of whistleblowers — or simply require prosecutors to develop new tactics — remains to be seen.
