A former Georgia police officer who was wrongly convicted under the notoriously vague Computer Fraud and Abuse Act ("CFAA") is asking the Supreme Court to reject a dangerously overbroad interpretation of the law. In Van Buren v. United States, Nathan Van Buren was accused of taking money in exchange for looking up a license plate in a law enforcement database. He was convicted of violating the CFAA because he allegedly used that database for an improper purpose, even though it was a database that he was allowed to access for work purposes. Under this expansive interpretation of the CFAA, it would be a federal crime any time a person violates a website's terms of service. If violating terms of service is a crime, private companies get to decide who goes to prison and for what, putting us all at risk for everyday online behavior.
Mr. Van Buren successfully petitioned the Supreme Court to review his case. EFF filed briefs both encouraging the Court to take the case and urging it to make clear that violating terms of service is not a crime under the CFAA. In an amicus brief filed on behalf of computer security researchers and organizations that employ and support them, we explained that the broad interpretation of the CFAA puts computer security researchers at legal risk for engaging in socially beneficial security testing through standard security research practices, such as accessing publicly available data in a manner beneficial to the public yet prohibited by the owner of the data.