What the Supreme Court’s decision on federal computer crime law means to you

Elevate your enterprise data technology and strategy at Transform 2021.


For the technology enthusiasts among us, last week’s Supreme Court decision in Van Buren v. United States is one we shouldn’t soon forget. In a 6-3 opinion written by Justice Barrett, the Supreme Court reversed the decision of the United States Court of Appeals for the Eleventh Circuit, remanding the case for further proceedings.

Nathan van Buren was a former Georgia police officer who was convicted under the Computer Fraud and Abuse Act (CFAA). He was accused of taking money in exchange for looking up a license plate in a law enforcement database and was convicted by the district court for violating the CFAA because he allegedly used that database for an improper purpose, even though it was a database that he was allowed to access for work purposes.

The CFAA, 18 U.S. Code §1030, makes it a federal crime to access a computer without authorization or to exceed authorized access, and get any information in this way. Exceeding authorized access is defined in §1030(e)(6) as using authorized access to a computer to obtain or even alter information that the person with authorization is not entitled to.

Yet the CFAA has plenty of critics, including the Center for Democracy and Technology, New America’s Open Technology Institute, and the Electronic Frontier Foundation, all of whom filed amicus briefs in this case. Each of these advocacy organizations believes that the CFAA itself is vague and the decision of the district court and the Eleventh Circuit is a very dangerous and far too broad interpretation of the law. Pragmatists on both sides of the argument agree that the goal of Congress in enacting the CFAA was to make it illegal to destroy or even temporarily disrupt the functionality of a computer (which today would include the many forms of computers we use). Where the sides diverge is whether Congress also intended to extend this illegality to include things that a service provider didn’t want us to do, which is at least in the proximity of multiple slippery slopes.

In writing the majority opinion, Justice Barrett argued that under the CFAA, exceeding authorized access does not include “violations of circumstance-based access restrictions on employers’ computers.” So “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer — such as files, folders, or databases — that are off limits to him.”

The Court firmly disagreed with the government’s argument that terms of service violations on the sites we visit are a CFAA violation. Instead, Barrett suggests that the correct approach is “gates-up-or-down” — either we are entitled to access the information or we are not.

So what does this mean for you and me?

First, it means that we need to continue to be smart about what we do with computers and what we choose to do online. Josh Geist, a partner at the Pittsburgh law firm Goodrich & Geist, cautions us that as individual users of the Internet, we should always be vigilant when it comes to terms of service:

“Terms of service are a contract between you and the sites, software, and programs you use. While not many people read the terms of service, everyone needs to understand that not reading them isn’t a valid legal defense.”

As of today, the most comprehensive and accurate interpretation of where we all stand legally, is that the CFAA has no business criminally enforcing the terms of service limitations set by private parties (such as Google, your employer, your college) as to what purposes you can access information for or even how you can use this information.

Had the Court upheld the Eleventh Circuit, it could mean that we would be committing a federal crime each time we violate a website’s terms of service, which could honestly mean that we would be committing federal crimes daily. The danger is that a broad legal interpretation of the CFAA becomes a true Pandora’s Box, with private companies getting to decide which of our daily user behaviors (such as “embellishing an online dating profile,” as quoted from Barrett’s opinion) they would seek to prosecute and when.

For those who are thinking of Aaron Swartz, you’re sadly in the right ballpark. A decade ago, Swartz was arrested by MIT police on Massachusetts breaking-and-entering charges, after he connected a computer to the MIT network and set it to download academic journal articles systematically from JSTOR using a guest user account issued to him by MIT.

So that parallel is clear: Both van Buren and Swartz had at least limited legal access of use and in both cases the CFAA was applied (or misapplied, depending upon your orientation here) to charge them. Finally, in both cases, critics felt that the charges were overzealous (“Nixonian,” in Swartz’s case) and overreaching, yet led to van Buren’s conviction and Swartz’s suicide before his trial.

But nothing is yet written in stone by Van Buren. At least not yet. In his dissenting opinion, Justice Thomas, joined in his dissent by Justices Alito and Chief Justice Roberts, throws a softball for the Court to use in any future similarly-situated case:

“The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have ‘exceed[ed] authorized access’ to the database when he used it under circumstances that were expressly forbidden? In my view, the answer is yes. The necessary precondition that permitted him to obtain that data was absent.”

What is becoming clear is that this incarnation of the Supreme Court is proving themselves to be unpredictable, occasionally surprising, and always entertaining for those who like to watch Supreme Courts do their thing. The 6-3 majority opinion here is a serious hodgepodge of political leanings, from Barrett, Gorsuch, and Kavanaugh on the right to Breyer, Sotomayor, and Kagan on the left. The ideological differences between the two extremes in this group (arguably Barrett on the right and pretty clearly Sotomayor on the left) are fairly massive.

Especially in dealing with an unpredictable Court, no one should believe that this issue is settled. Don’t be surprised if a similar issue plays chutes and ladders in the courts and ends up back in front of the Supreme Court as early as their 2021-2022 term, set to begin this October. As content as advocates of our digital rights feel this week, they could feel equally aggrieved a year from now if not before.

Aron Solomon is the Head of Strategy for Esquire Digital and an adjunct professor of business management at the Desautels Faculty of Management at McGill University. Since earning his law degree, Solomon has spent the last two decades advising law firms and attorneys. He founded LegalX, the world’s first legal technology accelerator and was elected to Fastcase 50, recognizing the world’s leading legal innovators.

VentureBeat

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member

Source

Leave a Comment