Supreme Court Weighs Proper Access Under Anti-hacking Law
In 2015, a police sergeant from Cumming, GA, accepted money from a widower he’d previously arrested and who was apparently known for frequenting prostitutes. The money was a loan, given on condition that Sergeant Nathan Van Buren use the license plate database to find out if a girl the widower had met in a strip club was actually an undercover policewoman. Van Buren looked up the information — and was busted. The widower was part of a sting operation set up by the FBI.
Van Buren was convicted of both wire fraud and computer fraud, but on appeal, the 11th Circuit overturned the wire fraud verdict because of faulty jury instructions. That case was sent back for a new trial, but the 11th Circuit did affirm the computer fraud conviction. The court did so in spite of “the vague language of the CFAA.” Van Buren was sentenced to 18 months in prison on the computer fraud conviction. He appealed to the Supreme Court of the U.S.
The Computer Fraud and Abuse Act (CFAA) became law in 1986. It provides the current basis for protection against illegal hacking, but its provisions are quite broad. For the Van Buren case, the pertinent provision of the statute reads:
“(a) Whoever . . . (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . (C) information from any protected computer . . . shall be punished.” 18 U.S.C. 1030(a).
Van Buren argues that as a policeman he had authorized access and that accessing sensitive information with permission, even for an improper purpose, did not breach the statute or the authority given him by the police department.
The Supreme Court agreed to hear the case based upon this question:
“Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.”
On November 30, 2020, oral arguments were presented before the Supreme Court. Briefs provided to the Justices included amicus briefs from a wide variety of groups, including The Wall Street Journal, the American Civil Liberties Union, Flip Side (a consumer privacy group), The Managed Fund Association, and many others.
The defense lawyer is Jeffrey Fisher, a Stanford University Professor who works with the Stanford Law School Supreme Court Litigation Clinic. He argued that the 11th Circuit’s statutory interpretation could make a myriad of innocuous behaviors illegal. He specifically cited lying about one’s weight on a dating website, which would fall afoul of the website’s terms of service by getting interested messages from others based upon falsified information. He also cited the possibility that using work-related computers to create NCAA men’s basketball tournament brackets could be criminalized using the 11th Circuit’s “expansive interpretation of the CFAA.”
The government’s position, as delivered by Deputy Solicitor General Eric Feigin, is that “Such serious breaches of trust by insiders are precisely what the statutory language is designed to cover.” He also called Attorney Fisher’s hypotheticals a “wild caricature” of the law, saying that such things haven’t happened in the decades of the CFAA’s history. Fisher said, “The best thing the government can say is we haven’t brought a whole bunch of those prosecutions — yet.”
In response, Justice Samuel Alito, Jr. questioned Fisher about whether Congress was concerned at the time the law was enacted about the potential abuses contained in the variety of amicus briefs on the government side, with their worry over breaches of personal privacy and the potential for use of protected information to make money and cause other damage. Fisher’s response was no, and he noted that in 1986 Congress was more worried about the relatively new issue of computer hacking. Fisher contended that other laws could cover the kinds of abuses contained in those briefs and that if they wished, Congress could amend CFAA to cover them.
The government also provided hypotheticals in its brief, about which Fisher said, “. . .almost every one of them is already addressed by some other provision in the U.S code, let alone state law.”
The Justices spent a fair amount of time querying the definition or use of specific words during the arguments. Justice Alito asked, “What is this statute talking about when it speaks of information in the computer? All information that somebody obtains on the web is in the computer in a sense. I have a feeling that’s not what Congress was thinking about when it adopted this.”
Justices Neil Gorsuch and Sonia Sotomayor seemed to be resistant to the government’s attempt to allow a broad interpretation of the statute. Justice Gorsuch said, “This does appear to be the latest . . . in a rather long line of cases in recent years in which the government has consistently sought to expand federal criminal jurisdiction in pretty significantly contestable ways that this court has rejected. . .And I would have thought that the Solicitor General’s office isn’t just a rubber stamp for the U.S. Attorney’s offices, and that there would be some careful thought given as to whether this is really an appropriate reading of these statutes.” Justice Sotomayor used the term “dangerously vague” to describe the statute.
Justice Alito said, “I find this a very difficult case to decide based on the briefs that we’ve received.”
The judges have until they break for the summer to finalize their opinions; a decision in this case is expected by June. If the decision comes to a majority in favor of Van Buren, perhaps Congress will take it as a sign that the statute requires updating.
