By: Dr Tristan Jenkinson
The case of Van Buren v. United States is currently being heard in the US Supreme Court. I have written about the case before commenting that the case could have an effect on how employees who steal or sell data that was collected through their work can be held to account.
A recent article by Lam Thuy Vo in the MIT Technology Review provides an additional viewpoint. This relates to the use of web scraping (copying publically available information) as a tool to collect data to identify or prove corporate misdeeds – A common approach in OSINT (Open Source Intelligence) investigations.
The Van Buren case centres around former police officer Nathan Van Buren, who was (as part of an FBI sting operation) asked by a wealthy individual to look up a license plate on police systems – which he did and was subsequently sentenced to 18 months in jail.
The reason that this matter has gone to the Supreme Court is because of issues surrounding the wording of the Computer Fraud and Abuse Act (“CFAA”). Of particular focus is assessing when access to a computer or data “exceeds authorised access” – wording used in the CFAA. Van Buren claims that his actions were not in breach of the CFAA because he was (as a police officer) authorised to use the police systems, therefore was not exceeding his authorised access.
The MIT Technology Review article suggests that the vague wording of the CFAA means that it could be interpreted such that accessing publically available information using online and programmatic tools may fall foul of the law.
Whatever the Supreme Court decide, additional guidance on how the CFAA should be interpreted will hopefully make the position clearer for the future, but could also throw open some further issues.