Here is a scenario that serves as a transitional lead-in to today’s blog post on a major federal computer crime law.
Meet Jim (or substitute name of your choice). Jim has lawful access at work to a number of computer programs that are restricted to most employees. It turns out that Jim has been engaging with one such program in a manner that has been expressly deemed off limits by company managers.
Here’s another scenario, this time featuring James (Jim’s alter ego). James is also using a computer program for a disallowed reason, but his interaction is barred in the first place. That is, he never received program access at all.
The bottom line: Both Jims used a computer for unauthorized reasons, with one having access to an employed program and the other lacking authorization, respectively.
Should their stories play out the same or differently concerning any penalty meted out in their unlawful use?
Spotlighting the 1986 Computer Fraud and Abuse Act
The above-cited federal computer law (the CFAA) has commanded center stage in online-based criminal prosecutions for decades. Its application in crime matters is manifestly robust, with the enactment often being lambasted by critics for alleged overreach and draconian results.
Here is how the two cases sketched above would traditionally play out under the CFAA: Both Jims – regardless of lawful access or not – would face criminal sanctions for unauthorized use. No exception. No mitigation. Any party accessing a computer and thereby garnering information he or she is not entitled to commits a punishable criminal act.
Major change: SCOTUS pares back the CFAA
That unquestionably sums up the sentiments of legions of CFAA critics in the wake of a recent 6-3 U.S. Supreme Court ruling addressing the seminal legislation’s criminal application. The comment was offered by a principal of one computer rights organization praising an announced pull back of major magnitude in the CFAA.
In a nutshell, the high court’s ruling now provides for this: no further prosecutorial grant enabling criminal charges under the CFAA in cases where an individual authorized to use a computer program/application accesses information for an improper purpose.
Put another way, as stressed by one national news report on the case holding: The CFAA will now cover “only those who look into areas of a computer system that they’re not authorized to access.”
It merits noting that the new curb doesn’t free lawful accessors who improperly collect or manipulate data from punishment. They can still be charged with other crimes linked to theft and other offenses.