Unauthorized Access To Public Databases

09 Dec 2025 --
0 Comments

“Unauthorized access” means entering a computer system, network, or database without permission, in violation of statutory or administrative rules.
Even if the information is public-facing, the method of access or intent may still make the act illegal.

Common legal issues include:

1. Exceeding Authorized Access

Accessing data beyond the scope of permission granted.

2. Circumventing Technical Barriers

Bypassing login requirements, CAPTCHA, or scraping restrictions.

3. Violating Terms of Service (sometimes criminal if explicit prohibitions exist)

4. Government or Public Agency Databases

Special protections often apply to:

DMV records

Police databases

Social service records

Public agency internal systems

Unauthorized access is usually prosecuted under laws such as:

U.S. Computer Fraud and Abuse Act (CFAA)

U.K. Computer Misuse Act 1990

India's Information Technology Act 2000

Other national cybercrime statutes

📚 DETAILED CASE LAW (More than 5 Cases)

Below are seven important cases, each explained in detail.

1. United States v. Drew (C.D. Cal. 2008)

Issue: Whether violating a website’s Terms of Service constitutes “unauthorized access.”

Facts:
Lori Drew created a fake MySpace profile and accessed the site in violation of its terms. Prosecutors charged her under the CFAA, arguing that breaching TOS amounted to unauthorized access.

Ruling:
The court rejected this theory.
It held that violating a website’s terms does not automatically equal criminal unauthorized access, because it would make millions of people criminals for everyday violations.

Importance:
Established the principle that not all policy or TOS violations amount to illegal access; some require intentional circumvention or malicious conduct.

2. United States v. Nosal (Nosal I & II) (9th Cir. 2012 & 2016)

Issue: Using login credentials to access a company database after leaving employment.

Facts:
David Nosal, a former Korn/Ferry employee, convinced current employees to use legitimate credentials to download database information for him.

Rulings:

Nosal I (2012):
The court ruled that violating company policies or misusing access does not equal exceeding authorized access.

Nosal II (2016):
When former employees used passwords after their access was revoked, this did constitute unauthorized access.

Importance:
Established that:

Misusing information you are allowed to access is not always a CFAA violation.

Using someone else’s credentials after access is revoked is criminal.

3. Van Buren v. United States (U.S. Supreme Court, 2021)

Issue: Whether accessing a police database for a prohibited reason is “unauthorized.”

Facts:
A police officer accessed the Georgia law enforcement database (which he was authorized to use) for personal reasons in exchange for money.

Ruling:
The Supreme Court held that:

Accessing information one is authorized to view, even for a forbidden purpose, is not criminal unauthorized access.

Unauthorized access refers to entering data or areas you are not permitted to access at all, not misuse of authorized data.

Importance:
Clarified “exceeds authorized access” under CFAA:

It’s about the “gates you pass,” not the reasons you accessed them.

4. R v. Bow Street Magistrates Court, ex parte Allison (UK, 2000)

Issue: Unauthorized access to a government computer under the UK Computer Misuse Act.

Facts:
Allison, who had no authorization, attempted to access a UK police national computer system.

Ruling:
He was convicted because the act of attempting to access a secure public database itself constituted an offense, regardless of whether data was obtained.

Importance:
Established that in the UK:

Unauthorized access attempts to public agency systems are criminal.

5. R v. Whitaker (UK, 1993)

Issue: Use of insider credentials to access confidential public records.

Facts:
Whitaker used credentials to access his partner’s records on a medical database without legitimate purpose.

Ruling:
Held guilty of unauthorized access because:

Even though he had general system access, his role did not authorize him to open those specific files.

Importance:
Clarified that:
Authorization is content-specific, not system-wide.

6. State v. Allen (U.S. Georgia, 2015)

Issue: Unauthorized access to a public welfare database.

Facts:
A state employee accessed a welfare assistance database repeatedly to look up acquaintances without business justification.

Ruling:
Even though he had credentials, the court held the access unauthorized because agency policy restricted queries to official duties.

Importance:
Government databases often include:

Role-based access

Strict audit logs

Internal-use-only restrictions

Unauthorized use can be criminal even without hacking.

7. United States v. Rodriguez (11th Cir. 2010)

Issue: Misusing access to a Social Security Administration (SSA) database.

Facts:
Rodriguez, an SSA employee, accessed personal records of women he found attractive, without legitimate purpose.

Ruling:
Conviction upheld.
He exceeded authorized access because his use was:

Not work-related

Explicitly prohibited by agency rules

Importance:
Government public-benefit databases are tightly controlled;
personal curiosity access is criminal.

🧠 Key Legal Principles Across These Cases

1. Permission Matters More Than Purpose

Van Buren and Nosal I emphasize that simply using data for the wrong reason isn’t always unauthorized access.

2. Revoked or Shared Passwords = Unauthorized

Nosal II

3. Public Databases ≠ Public Access

Many “public” systems (DMV, welfare, police) are publicly operated, not publicly accessible.

4. Attempts Can Be Criminal

Allison confirmed that even attempted access is a violation.

5. Role-Based Authorization Is Crucial

Rodriguez and Allen show misuse of role-specific databases is criminal even without hacking.