Photo Courtesy: Cumming Police Dept.
Today, the Supreme Court took up a twisted case of a dirty cop who was bribed by a paranoid FBI informant to run license plate checks on a fictitious undercover stripper. Cop got busted and convicted under the federal anti-hacking law. The Supreme Court will now decide whether this should really be considered criminal hacking. Why should you care? Because the outcome of this mess will help determine whether even some of your online violations can constitute a federal hacking crime.
The problem with the current federal anti-hacking law is that it's so vague that nobody knows exactly when unauthorized access constitutes a crime. Basically, any unauthorized access to obtain data is technically a crime under the somewhat archaic Computer Fraud and Abuse Act of 1986 (CFAA). Perhaps you are not bribing cops to run unauthorized background checks on strippers any time soon. But aren’t you checking your social media profiles, stocks and/or sports scores on a work computer in violation of your employer’s policy? Harvesting information from others’ websites in violation of their terms of use? Ever lied about your age or weight on a dating website? All of those are examples of activities that the CFAA criminalizes, if we apply its broad definitions literally.
I will now explain:
1) how the CFAA came to be and why it is so overly broad;
2) how a small town dirty cop and paranoid FBI informant are helping narrow down the overly broad CFAA definitions, so that other people's simple terms of use violations do not make them criminals.
I. The CFAA, Old Criminal Hacking Law
The CFAA was enacted in 1984, when Congress became aware of “the activities of so-called ‘hackers’ who have been able to access (trespass into) both private and public computer systems.” To deter and punish this “new dimension of criminal activity,” Congress created a new federal crime, codified at 18 U.S.C. § 1030. Two years later, Congress amended the statute, and it became known as the CFAA, the Computer Fraud and Abuse Act of 1986.
Simple violations are punishable by a fine or imprisonment of one year, or both. That misdemeanor becomes a felony, punishable by imprisonment for up to five years, if “the offense was committed for purposes of commercial advantage or private financial gain.”
Obviously, the so-called hackers have not stood still since 1986. They now have so-called mobile phones, a so-called dark web with marketplaces full of stolen data and lots of other innovations.
The CFAA, unfortunately, did not keep pace with those new developments. This is where the dirty cop comes in.
II. The "Hacker" Cop & Fake Stripper Case
Police on the streets of Cumming, GA. Photo: Daily Herald.
For years, police sergeant Nathan Van Buren was patrolling the streets of Cumming, a small town in the northern part of Georgia. So, he knew lots of locals, including one Andrew Albo who “allegedly paid prostitutes to spend time with him” and then called the police to “accuse[] the women of stealing the money he gave them.” Claiming to fear retaliation from these women, he sometimes also asked officers to run searches of allegedly suspicious license plate tags.

Albo was instructed to ask the cop to run a computer search for the supposed license plate number of a dancer at a local strip club. The FBI directed Albo to say that he liked her and wanted “to know if she was an undercover officer before he would pursue her further.”
The cop completed that search and received $5,000. He offered to pay back the loan but Albo waved that off. Several days later, Albo followed up with the cop, bringing him an additional $1,000 and the “fake license plate number created by the FBI.” After that meeting, the cop accessed the Georgia Crime Information Center (GCIC) database, which contains license plate and vehicle registration information. As a law enforcement officer, the cop was authorized to access this database “for law-enforcement purposes.” He ran a search for the license plate number that Albo had given him. He then texted Albo that he had information to provide.
But instead of Albo, the FBI “arrived at [the cop’s] doorstep” the next day. He confessed all of the above right then and there. He was charged with two things:
1) felony computer fraud under the CFAA, because he accessed the license plate database; and
2) honest-services wire fraud, because of the bribe.
The second charge is a done deal. The Supreme Court will only have to decide on the first charge: whether the cop committed criminal hacking or not. He was allowed to access the database, but he did it for the wrong purpose, like millions of people do when their employer provides them a computer for work only but they end up using it for personal stuff, too. So, that’s why this twisted case is so important to almost everybody who uses a computer.