Supreme Court Rules Officer’s Improper Access to License Plate Record Does Not Violate Computer Crimes Law
June 3, 2021
In today’s decision in Van Buren v. United States, the Supreme Court determined that a police officer who improperly accessed a license plate record could not be held liable under a federal computer crimes law, the Computer Fraud and Abuse Act. EPIC highlighted the serious privacy concerns with government employees’ improper access to sensitive personal information in government databases in the amicus brief we filed in this case, and several justices echoes these concerns during oral argument. The outcome of this case highlights the urgent need for comprehensive privacy legislation. We need enforceable rules to prevent improper access to and misuse of personal information contained in both government and private databases.
The Court also did not resolve what it means for someone to have “authorization” to access a computer or to be “entitled” to access information in the computer. The Court endorsed a general “gates-up-or-down approach”—meaning an individual either has authorization to access the computer or specific information within the computer or it does not—but explicitly left open the question whether the prohibitions on access must be technical or whether they can be contract-based. The range of criminalized activities may, in some respects, still be much broader than even the Government was advocating. Certain website terms of service that prohibit specific individuals or groups from accessing the website may still be enforceable even if the individuals have no knowledge of the restrictions and the website owners do nothing else to limit access. An 18 year-old who accesses a website restricted to those over the age of 21 may violate the CFAA, but a police officer who knowingly accesses personal information to stalk and harass the individual does not.
The Court also did not clearly answer more complicated access questions about web scraping, and the Court should grant the pending petition in LinkedIn v. hiQ Labs to resolve these questions. Web scraping involves accessing a computer using a technical method that is often prohibited by a website's terms of service and also blocked using technical barriers. EPIC filed an amicus brief in support of the petition.