"We must decide whether Van Buren also violated
the Computer Fraud and Abuse Act of 1986 (CFAA), which
makes it illegal “to access a computer with authorization
and to use such access to obtain or alter information in the
computer that the accesser is not entitled so to obtain or
alter.”
He did not. This provision covers those who obtain information from particular areas in the computer—such as
files, folders, or databases—to which their computer access
does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that
is otherwise available to them"
Thomas, Alito and Roberts dissented, and I hate to say it, but I agree with them.
"The question here is straightforward: Would an ordinary
reader of the English language understand Van Buren to
have “exceed[ed] authorized access” to the database when
he used it under circumstances that were expressly forbidden? In my view, the answer is yes. The necessary precondition that permitted him to obtain that data was absent."
I very much feel their ruling is correct. The CFAA is intended to target "hackers," not policy violations.
Here's a quote from the ruling making the point that applying the law to something like access policy is far too broad to be viable
> The Government’s interpretation of the “exceeds authorized access” clause would attach criminal penalties to a breathtaking amount of commonplace computer activity. For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA. The Government speculates that other provisions might limit its prosecutorial power, but its charging practice and policy indicate otherwise. The Government’s approach would also inject arbitrariness into the assessment of criminal liability, because whether conduct like Van Buren’s violated the CFAA would depend on how an employer phrased the policy violated
I agree that the ruling is correct. The officer was granted the accesses he had, and he was fully authorized to use them. He violated a department policy by using his access improperly. The government wants to turn policy violations into a felony, and even set up a sting operation in this case to get a felony conviction. The officer should be disciplined/fired/etc. for violating department policy, but the CFAA should not be used to turn him into a felon.
The problem is that the officer is corrupt, and he should be charged for taking a bribe. I don't think corruption is "just a policy violation", but I don't know enough about US law to know if taking bribes make you a felon or not (I would hope so, but I assume it depends on circumstances).
In any case, it shouldn't matter that he used a computer to commit a crime. If he had gotten the relevant information by reading them from a paper file or by asking a coworker the crime should be the same, in my opinion.
But then he should be charged under the set of laws pertaining to bribery or corruption. I don't think anyone here disagrees with that. The question is should this crime of corruption get a massive additional pentaly specifically because it was committed on a computer.
The supreme court says that this law has a purpose: to catch people who gain unauthorized access to computers. If laws are interpreted too broadly, they can be used to overcharge people. The example given by the supreme court is that if this law covers unauthorized use of a computer you are authorized to have access to, then sending a personal email on a work computer can be a felony.
One thing that's weird about the Justice system is that there are so many laws. I agree that what the police officer did should be a crime, but it seems like there are potentially many ways to slice it. Maybe it's bribery, stalking, sharing privileged information, prior to this ruling CFAA, maybe other crimes too.
If you add up all the crimes that may have been committed here it seems like the punishment gets pretty severe. Even 18 months in prison for this already seems severe to me. I would think justice is more like getting fired, fined, and community service rather than prison.
I think that what the officer did is likely illegal for other reasons. So this ruling doesn't mean the officer deserves no punishment, it just means they committed some other crime than unauthorized access to a computer system.
This line is the crux, and the problem is that "authorized" means subtle, yet critically important, different things to different people.
The officer was surely "authorized" in the sense that he had technical authorization to log into the system and accomplish the task.
But in the sense that "authorization" is defined by more than just technical controls, and also has to do with many dynamic situations that technical controls can't often restrict (or just aren't in place), it doesn't sound like was "authorized".
Think of walking into a restaurant and they have a sign that says "Employees Only Behind Counter". Even if there was no technical/physical control preventing you from going behind the counter (eg there was no locked door or anything like that), I think it would still be understood that you as a customer do not have "authorization" to go back there.
In my experience as a security consultant, my technically-minded clients typically think of "authorization" as the first way, defined by technical controls and thinking that lack of technical controls in a system means they have carte blanche to do whatever they want with that system. But my experience with anyone outside of tech is that they don't think of it that way at all, and that just because you have the physical/technical ability to do something does not make it okay to do that.
"Authorization" is an overloaded term and the CFAA suffer for it, but personally I do not think an average person would think the officer was "authorized" to do what he did, even if he did have the technical access to do it.
The points about "average employees technically violating the CFAA by doing stuff like reading the news on their work laptop" are valid concerns and I think they need to be resolved, but I think that is a completely different concern than someone like this officer abusing their access for legitimately bad acts.
I like your restaurant analogy but I draw the opposite conclusion. Imagine a restaurant which has a sign saying, "You must be dressed appropriately to enter - no shoes, no socks, no service." A family goes in to dine. About halfway through their meal, the cops come and arrest the father. Turns out, although nobody noticed at first, he wasn't wearing socks, and was therefore trespassing according to store policy. Is that fair though? It's one thing to ask the family to leave, but should the father be charged with an actual crime for unauthorized entry?
And at worse he's guilty of trespass, not breaking and entering.
If there were a filing cabinet that he had keys to, he wouldn't be charged with breaking into the cabinet if he grabbed the wrong files. What's the penalty for using the wrong physical file he has direct access to? That's what we should be talking about.
You're right about a lot of that, but there are huge problems with making mere policy violations into federal felonies. We want to stop people from hacking stuff, but at the same time, we can't do that by giving every random company the power to make things into federal felonies via their own complex and often-ignored rules.
I posted up thread too, but my own personal view is that unauthorized access should hinge on whether the person used deception to obtain access. That provides a clear separation between lawful and unlawful conduct without giving private parties the power to define new felonies.
With computers, I don't think that the proverbial "employees only" sign on a load of private data means anything and the incentive should be on the business to provide a proper access control there. Meanwhile, if they add a guard who asks "are you an employee?" and you lie to them to get access, I would say you're unauthorized.
That gives us some semblance of mens rea while not going to far in any direction, I believe.
>Think of walking into a restaurant and they have a sign that says "Employees Only Behind Counter". Even if there was no technical/physical control preventing you from going behind the counter (eg there was no locked door or anything like that), I think it would still be understood that you as a customer do not have "authorization" to go back there.
But if a customer was invited back there because they said they wanted to thank the chef? They're told not to touch anything, they touch something. Do we view that touching something as breaking the same rule as someone who just walks back there uninvited or is it another rule they are breaking?
I can definitely see arguments for both views. Especially compelling to me based on the analogy is once you've taken the first unauthorized by policy action no other actions other than leaving would be authorized though this interpretation would lead to its own absurdities.
I would hope that there are stronger protections against such abuses of authorization. What if a police officer (or system administrator, etc.) sold information about a potential victim to a criminal that resulted in physical or financial harm to said victim?
That is / should be illegal on its own, the fact that the information was obtained through a computer system instead of a paper file doesn't change anything in your example.
"The CFAA is intended to target "hackers," not policy violations."
However, they also explicitly write that they're not addressing that distinction (footnote 8 on page 13, to my best ability to parse it). There's some semantic gap between "policy violations" and "improper motives".
"For present purposes, we need not address whether this inquiry turns only on technological (or “code-based”) limitations on access, or instead also looks to limits contained in contracts or policies. Cf. Brief for Orin Kerr as Amicus Curiae 7 (urging adoption of code-based approach)."
I discovered this nuance from Orin Kerr's twitter (the same one cited in this footnote); he says he's not confident he understands this footnote.
I don't know if it can always be avoided, but I think it makes sense for a court to try to avoid the code-based approach.
It seems to be all downside (exploiting bugs will typically be OK because the code said this was OK, even if the people who wrote it never intended that) with no upside (the things rendered illegal already don't work, because code forbade them).
Courts ought to be familiar with the fact that they're present mostly to make decisions about fuzzy things like "Did the accused intend to cause harm to the victim?" and not simple mechanics like "Does being injected with cyanide kill people?".
I agree, I don't think it can always be code-only. If you socially engineer someone into giving you an account, I really think that should be fraud.
I've thought about this for some years now and looked at various different cases tried under the CFAA or otherwise claimed to be unauthorized access.
I personally believe it should turn on whether or not you used deception as the means to gain access. That is, but for your deception, would you have gained access?
This, in my mind, proves they were up to no good (mens rea) and acts to make it clearer whether or not you were authorized. It also connects to the idea that the law is mean to counteract a type of fraud in general. I mean, how can anyone say they had authorized access if they had to lie to gain access?
>I very much feel their ruling is correct. The CFAA is intended to target "hackers," not policy violations.
ok, but devil's advocate for a second - much hacking is actually just lying to people to get access to things you shouldn't have access to - so pretty much closer to policy violations than the stuff most people associate with 'hacking'
I believe this would still be covered by the first clause, the one not even being argued in this decision.
> Subsection (a)(2) specifies two distinct ways of obtaining information unlawfully—first, when an individual “accesses a computer without authorization,” §1030(a)(2), and second, when an individual “exceeds authorized access” by accessing a computer “with authorization” and then obtaining information he is “not entitled so to obtain,” §§1030(a)(2), (e)(6).
I fraudulently obtain and use credentials to a system which authorize another person to access it. I am still "accessing a computer without authorization", because those credentials never authorized me.
This starts to get really fuzzy if I fraudulently have credentials explicitly granted to me...
But let’s say you called someone on the phone and lied to them to gain access to a computer system, you committed wire fraud doing so. It’s just a different crime because the thing you did wrong involves lying on the phone.
I think the other judges have the better reading of the specific language of the text. Thomas, Alito, and Roberts don't even take their dissent on the interpretation offered by the Government, but have to craft their own—extremely broad—interpretation of "entitled".
Since I think the opinion (at least, the little bit of it that I've skimmed) makes a fairly compelling case around the majority's interpretation of the words "so" and "entitled" I won't rehash that here. But, if we back up to the purpose and intent of the legislation, I think this outcome also better aligns with that.
The CFAA was designed to curtain the unauthorized use of computers. To make it illegal for people to deliberately circumventing the security measures built into computers to obtain information or cause other harm. If I hand you a computer, tell you the password, and ask you to login to my computer and respond to an email for me, but then ask you not to look in the `Taxes` folder on the desktop should it be a felony for you to open the `Taxes` folder? That conceptually feels wrong to me. I have violated your trust, sure, but I haven't committed fraud, and I haven't abused any access control mechanisms on the computer.
Or another scenario: your work gives you a work computer, and has a paragraph in the employee handbook that says you are never allowed to visit news.ycombinator.com on the work computer. At some point while working at the company, you visit news.ycombinator.com on the work computer. Have you just committed a felony? You've "exceeded the authorized access", if you interpret "entitled" and "authorized" as broadly as Thomas, Alito, and Roberts seem to. Should that really be a felony?
That interpretation leads to such a massive broadening of felony criminal liability. It doesn't gut-check for me. That, combined with what I perceive as the better textual reading of the phrases "so" and "entitled", I have to disagree with you. I think the other 6 justices had the better argument at multiple levels.
That interpretation leads to such a massive broadening of felony criminal liability. It doesn't gut-check for me
I agree with you, it totally fails the gut check, but it is because the law is poorly written. The Supreme Court bailed out the lawmakers by winging it here. The minority opinion is the worse, but more accurate plain reading of the law.
The alternative would be declaring the act void for vagueness. A statute that "forbids or requires something in terms so vague that men of common intelligence must necessarily guess at its meaning and differ as to its application" violates the constitutional provision of due process. So the SCOTUS ruling makes sense in terms of choosing the least disruptive option wrt. general expectations.
Not really. I would just read the word "fraud" in the very title of the act and decide that means that whether or not the access was unauthorized depends on whether you lied to gain access.
I won't claim that test is perfect, but it's a lot clearer than the current standards and when I go through past cases, I don't see it coming to any indefensible conclusions.
Yes, that would agree with the majority holding in this case. It's important to note that even if they didn't violate the CFAA, they likely broke plenty of other laws and can be punished for that.
So this conduct absolutely deserves to be punished, just not under the CFAA.
Well, that ignores the part where I agree with the textual reading and interpretation of the majority.
I think the majority opinion is also the more accurate plain reading of the law. So, from my perspective, no bailing out is necessary. The gut check and the plain reading both seem to align.
intentionally accesses a computer without authorization or exceeds authorized access
Did he exceed authorized access? He did, and therefore he broke the plain reading of the law. The law should be better, and separate violating access controls from violation of access policy, but it doesn't.
He did not. He was given a level of authorization that he did not exceed.
The problem, again, is in the ambiguity of the word “authorized” that allows multiple plain readings.
To me, it’s absolutely plain that “authorized access” refers to system authorization (that is, what the computer tells the user their permissions are), and “exceeds authorized access” refers to bypassing the system authorization limits. That’s absolutely the plain reading to me.
To you, you read “authorization” as “policy authorization” (that is, where another human tells you what your permission levels are).
The fact is, there are multiple kinds of “authorization” involved in this case, which means different people can have different plain readings of the statute. While your reading seems obvious to you, it seems strained to me. My reading might be strained to you, but it’s obvious to me.
*To you* the plain reading is what you say. To *other* people the plain reading is different.
I, for example, don’t think the plain reading of something typically involves taking the union of definitions for each word in the sentence. To me, most plain readings involve selecting the single most appropriate definition for a word based on the surrounding context.
My point is that there isn’t an objectively correct “plain reading”. You are not the arbiter of what a plain reading is, nor am I.
Would you agree that different people can read the same sentence and in good faith have a different understanding of what “the plain reading” is?
For the requisite car analogy: one is like a mechanic taking your car for a joyride after you give them the key, the other is a stranger taking it for a joyride after breaking in and stealing it out of your driveway.
One of them is misusing a car that you gave them access to, the other one is stealing it.
That's because you're assuming the stranger doesn't return the car. If your mechanic takes your car for a joyride after you give them the key for purposes of repairing your car, and a stranger steals my car when I'm not using it and brings it back before I notice it's missing, I don't understand why one is any different or worse than the other.
> but then ask you not to look in the `Taxes` folder on the desktop should it be a felony for you to open the `Taxes` folder? That conceptually feels wrong to me. I have violated your trust, sure, but I haven't committed fraud
You accessed privileged information that you were explicitly not allowed. To me, asking you not to look at certain information is effectively the same as putting a password on it, then having you break it. In both cases, the intent of the owner is clear: do not access these files. And in both cases, the actions of the perpetrator very clearly disregard the owners intent.
Your example about accessing a website is not the same. It's pretty clear that the person going to new.ycombinator.com is not stealing or accessing privileged information. There have been separate rulings dealing with whether or not employees can use corporate equipment for personal reasons.
A more analogous example to the case at hand would be an employee at Google/Humana/Tinder selling your private details to a third party. This ruling means that such activity is perfectly legal, even if the terms of their employment state the opposite.
Unless, of course, the only reason the court ruled in favor of this person was that they are a police officer. But I guess we have to wait until the FBI attempts to press charges against someone at Google selling personal details to third parties to find out.
> A more analogous example to the case at hand would be an employee at Google/Humana/Tinder selling your private details to a third party. This ruling means that such activity is perfectly legal, even if the terms of their employment state the opposite.
No, this isn't what this means at all. This ruling just means you haven't committed a crime under the Computer Fraud and Abuse Act by accessing that data if you didn't "hack" to get access to it. Depending on the information you sold, you could've violated other laws and you definitely violated the Non-Disclosure agreement you signed with those companies.
For reference, the cop in this case had other convictions under wire fraud laws that weren't changed by this.
> To me, asking you not to look at certain information is effectively the same as putting a password on it, then having you break it.
To me, they are not effectively the same at all. I see there being two different types of "authorization" at play. One is a mechanical authorization built into the computer systems (a password, for example). The other is a policy authorization, built into how I convey to you what is "allowed" on the system. They seem fundamentally different to me.
To 6 justices on the Supreme Court, they are not effectively the same thing either. To 3 justices, they are. The ambiguity of English is definitely annoying when we get into the nitty-gritty of laws!
> A more analogous example to the case at hand would be an employee at Google/Humana/Tinder selling your private details to a third party. This ruling means that such activity is perfectly legal, even if the terms of their employment state the opposite.
That's simply not what this ruling holds. That would be an accurate summary of this ruling if and only if the CFAA were the only law that exists in the United States Code!
"Legal" is also an ambiguous word in this context. Such an activity may break other laws, or it may not. I'm not familiar with what other criminal liability may attach to such behavior. But that activity almost certainly would be a civil violation. I would potentially be able to sue Google/Humana/Tinder (though there's a chance their privacy policy already gives them the option to sell my information). And Google/Humana/Tinder could certainly sue the rogue employee for damages caused by such a sale.
If Google/Humana/Tinder wanted to go further to protect themselves from bad-acting employees, they could use actual access controls (instead of mere policy) to restrict the ability for employees to access such data and only give access to employees who need such access. While it's certainly not the thing a Supreme Court ruling should hinge on, it's a nice added bonus that this gives a further incentive for companies to implement actual least access control rather than just making it a policy.
> If Google/Humana/Tinder wanted to go further to protect themselves from bad-acting employees, they could use actual access controls (instead of mere policy) to restrict the ability for employees to access such data and only give access to employees who need such access.
I'm pretty sure the exact fact that Amazon did not appropriate restrict access in this way is one of the points being considered in the antitrust case. Specifically, that people who shouldn't have been able to, and who shouldn't have by policy, still could access seller data.
>There have been separate rulings dealing with whether or not employees can use corporate equipment for personal reasons.
Such rulings are about different laws. The government's interpretation would criminalize violating a protected computer's terms-of-service regardless of whether it is part of a corporate intranet or an ordinary website on the Internet. And yes, the government has pursued criminals charges for violating a website's ToS; see United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009).
>A more analogous example to the case at hand would be an employee at Google/Humana/Tinder selling your private details to a third party. This ruling means that such activity is perfectly legal, even if the terms of their employment state the opposite.
As to Humana, it would likely be a criminal HIPAA violation.
Judges interpret ambiguous laws narrowly to avoid criminal liability, as you say.[1] Three justices dissented though, I take it, because in their view the words weren't ambiguous, even if leniency would have been the better public policy.
> "This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them"
I think this would have acquitted Aaron Swartz (though he likely would have been acquitted anyway since they didn't even allege improper motive iirc).
In his case he accessed journals that were available to him via MIT's open network. There is the second issue of his trespassing in a closet to leave a laptop on the network, but that would have been minor when compared to the string of felonies they charged him with which was tied to the CFAA.
This seems like a good restriction to me at first glance.
Do you think people will be able to acknowledge that predisposition to suicide is what killed him and not the gravity of the DA obsession to convict him? The US doesn't have the most people in prison because long sentences caused everyone to kill themselves first, its because people do the time.
I just see so much focus on needing to identify a catalyst (which doesn't affect most people) instead of the pre-existing mental health issue of the person. I think this hampers the necessary conversations to be had on suicide.
> "Do you think people will be able to acknowledge that predisposition to suicide is what killed him and not the gravity of the DA obsession to convict him?"
This is itself presumptive and I think largely wrong. Like most things it's a combination of factors. No doubt Aaron was struggling with depression, but facing federal prison with a trial defense costing $1.5M (even if acquitted in the end) is enough pressure to break even an otherwise healthy person.
I don't understand the need for people to frame this as you are.
I suspect Aaron would be alive today if the prosecution had shown some discretion. In this specific case, it would also have been the right/just thing as well as the legally correct thing.
Look up the eggshell doctrine. From wikipedia: The rule states that, in a tort case, the unexpected frailty of the injured person is not a valid defense to the seriousness of any injury caused to them.
I don't see the need to assign a single cause to a given event, to the exclusion of all others. Most events that occur have multiple causes, with varying degrees of importance.
(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
The language here is relatively narrow. Nathan did "access a computer with authorization", and he didn't obtain information that he was "not entitled so to obtain or alter".
He may have obtained it for a purpose that was expressly forbidden by the department policy, but he was permitted to obtain the information in and of itself. To qualify as being "under circumstances that were expressly forbidden", I think it would have to be a situation wherein he wasn't allowed to obtain the information in general, e.g. if he were only allowed to access it within certain hours or with a superior present.
It's like the difference between giving someone your phone (which, for the sake of argument, qualifies as a "protected computer" in this scenario) and telling them that they can go through your photos so long as they don't take out their own phone and photograph any of them, and telling them that they can only open your photos while you're watching.
It would be extremely rude in either case to secretly take your phone and exfiltrate your photos — and may even still be a crime in and of itself (and/or lead to follow-on crimes) — but I wouldn't consider the former to violate this particular law.
> For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA.
Accessing data for a forbidden reason should be a fireable offense, but not criminal. So if Thomas is right, it's a very bad law.
I'm not sure I agree with him though. I think if you asked an average person, they might say something like "yes I am authorized to access that database, because I have credentials, but I'm not supposed to without a good reason". I don't think there is a single plain English reading of this phrase that any large group of people would agree on.
The heart of this is the difference between legal authorization vs technical authorization. Legally, it is (or rather, used to be) OK to say "you have have access to data X for purpose Y." While the technical controls could not enforce restrictions on the purpose, it was understood that purpose limitation was valid. There was an understanding that technical controls are only an approximation of policy, and it's the policy that has legal weight when determining what access is authorized.
Hopefully this particular case also runs afoul of other laws. Like something about granting access to unauthorized individuals, which is what the defendant was doing (selling government data). That can, and perhaps should be, separately illegal from accessing data for improper purposes.
This is a very good point and what people often confuse.
There is a crime of breaking and entering - and thats well defined.
Then there are permissions of: "you can be in my house as long as you dont use the bathrolm and only wear pink socks" - if a person were to wear green socks, you can icik them out, but it does not suddenly become a home invasion
Exceeded authorized access commonly refers to privilege escalation, which means access to a resource beyond his/her level of granted permission, whether by modification of technical controls, social engineering, or physical access. That is not what happened here. The access to the resource occurred exactly in accordance with the access controls and authority granted, but the motivation and intention were in clear ethical violation.
Civil and criminal law are distinct for a reason. In criminal law the consequences for your wrongs are much more dire-- you face the power of the state against you and you can be denied your freedom.
Triggering the CFAA on policy violations creates a general tool to convert civil matters into not just a crime, but a relatively serious one! It essentially lets system operators write private law with criminal enforcement without the oversight of the public.
To give a silly example: Your landlord prohibits you from painting your walls. Their payments website has some terms of US that makes it a CFAA violation to use their site with painted walls. Suddenly what otherwise might be a lawsuit over the $500 cost to repaint is a state funded attack where you face ten years in prison.
It's clearly wrong to use the CFAA that way in the silly example, but it's no less wrong in less silly cases. Saying the CFAA can't be used to create private criminal law doesn't mean that policy violations can't be prosecuted-- but it means they should be prosecuted under other laws (with intentionally matched terms and penalties) or as civil matters.
Actual hacking into a network with intent should be on the order of breaking-and-entering, not robbing a bank, murder, or committing acts of terrorism. Hacking to rob a bank should be the same as robbing a bank. Hacking to intentionally poison a water supply is something like terrorism.
Cracking, gnireenigne copy-protection, copying a publicly-/privately-available archive of information, etc. should be "speeding tickets" not 50 years in pound-me-in-the-ass federal pen.
Hacking should be seen as an amoral means to commit another act, not a specific criminal, malicious activity in-and-of-itself.
This is the outcome of a legislative branch which can no longer legislate effectively. The courts have to "interpret" the laws into a sensible form of common law which minimizes the difference between the legislation, and practical governance concerns.
Interpreting the law in such a way as to make private policy makers the arbiters of felony charges is not compatible with our society. This would be the equivalent of a restaurant letting you in, asking you to take a seat, and then charging you with a felony for choosing the wrong seat as listed on a tiny sign in the back of the restaurant.
A policy change by your employer shouldn't lead to the possibility of a criminal prosecution for "hacking" and that's the net result of what you're suggesting and what that interpretation would mean.
It sounds similar to the problem of someone with access to a file cabinet, where they aren't allowed to use some of the files in the cabinet, but are allowed to access other files in the same cabinet.
Based on your quote, with no other context, using your authentication to access information you aren’t supposed to access is verbatim the scenario the law speaks to.
"We must decide whether Van Buren also violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them"
Thomas, Alito and Roberts dissented, and I hate to say it, but I agree with them.
"The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have “exceed[ed] authorized access” to the database when he used it under circumstances that were expressly forbidden? In my view, the answer is yes. The necessary precondition that permitted him to obtain that data was absent."
That's Thomas dissenting.