Supreme Court Weighs Breadth of Computer Hacking Law
The Computer Fraud and Abuse Act (CFAA) needs updating, and the case currently considered by the U.S. Supreme Court may be the spur to getting this very important law up to 2021 standards.
We certainly hope so. In 2016 Francesco Portelos, a computer teacher in New York City, used his knowledge about computers to hack into one of my blogs, NYC Rubber Room Reporter. He deleted the column of articles that were placed by me in a column to the right of the blog's home page under "3020-a Arbitration Newswire". He copied one article with a video that he wanted for his website and placed it on his website saying he had found the video but not from whom or where. He followed up with a campaign of harassment and defamation that still goes on today. I sued him in Federal Court under the CFAA, but the Judge dismissed the case saying I didn't give proof that I had spent more than $5000 to remedy the situation even though in my pleading I wrote that I had, indeed, surpassed this amount.
We believe that the law must be updated, and will be the most important law of 2021, and beyond.
Editor, ADVOCATZ blog
Editor, New York Court Corruption
Editor, NYC Rubber Room Reporter
Editor, NYC Public Voice
Editor, National Public Voice
Editor, Inside 3020-a Teacher Trials
Supreme Court Weighs Breadth of Computer Hacking Law
Officer allegedly used a law-enforcement database for personal purposes in a case that has drawn widespread attention
By Brent Kendall, Wall Street Journal, November 30, 2020
WASHINGTON—When a Georgia police officer ran a license plate check-in 2015 for an acquaintance who paid him for the favor, he received a felony conviction—and set the stage for a hotly debated Supreme Court case about the sweep of federal law on computer hacking.
The case has attracted wide interest, pitting consumer groups, civil libertarians, and media organizations against privacy advocates and hedge funds worried about data theft.
Stanford University law professor Jeffrey Fisher, representing the since-fired officer, Nathan Van Buren, argued that federal prosecutors have embraced a sweeping view of the law that defines unauthorized computer use so broadly as to transform everyday activities into federal crimes. “It is no overstatement to say that this construction would brand most Americans criminals on a daily basis,” he told the justices.
Under the government’s legal theory, accessing Instagram on a work computer or using an employer’s Zoom account to connect with relatives over Thanksgiving would potentially violate the law, Mr. Fisher said, as would lying about your weight on a dating website, because such sites prohibit the use of falsehoods to obtain information about potential mates.
Arguing for the Justice Department, Eric Feigin dismissed such claims as “an imaginary avalanche of hypothetical prosecutions” that the government could never bring based on seemingly innocent conduct. The officer’s case, the lawyer said, was far different because a law-enforcement official abused his credentials to access a database in exchange for a bribe.
“Such serious breaches of trust by insiders are precisely what the statutory language is designed to cover,” Mr. Feigin said.
The case drew mixed reactions from the court. Some justices said they were concerned about employee abuses of sensitive data they access at work.
“There are many government employees who are given access to all sorts of highly personal information for use in performing their jobs,” Justice Samuel Alito said. “But if they use that for personal purposes to make money, protect or carry out criminal activity, to harass people they don’t like, they can do enormous damage.”
The same was true, he said, for private-sector employees. But Justice Alito later said the case was a difficult one because it wasn’t clear how to read the law to allow the prosecution of clear abuses but not innocuous conduct.
Picking up on that point, Justice Sonia Sotomayor called the law “dangerously vague,” while Justice Neil Gorsuch suggested the case was the latest in a string of prosecutions over a decade or more that sought to expand federal criminal jurisdiction too far.
“I’m just kind of curious why we’re back here again on a rather small state crime that is prosecutable under state law, and perhaps under other federal laws,” Justice Gorsuch noted, saying the Justice Department was taking a position “perhaps making a federal criminal of us all.”
The case began when Mr. Van Buren, then a sergeant in Cumming, Ga., allegedly sought a loan from a widower he had previously arrested. The matter drew the attention of the FBI, which set up a sting operation in which the widower gave the officer thousands of dollars and asked that he use his access to a police database to look up a woman the widower supposedly met at a strip club.
After Mr. Van Buren ran a license plate search on the woman, he was arrested, charged with federal computer fraud, and later convicted.
Dow Jones & Co., publisher of The Wall Street Journal, was one of many media organizations that signed an amicus brief arguing against the government’s interpretation. The press advocates said that such a broad construction of the law could harm news gathering because sources could face legal vulnerability any time they accessed their work computers for information they gave to reporters.
The American Civil Liberties Union argued that the government’s view could inhibit research and investigations into online discrimination in lending and employment, while consumer groups said a broad view of the law would make it easier for dominant tech platforms to prohibit the use of their data by potential competitors.
Consumer privacy advocates and the Managed Funds Association, a trade group representing hedge funds that expressed concerns about financial-firm employees stealing client data or intellectual property, supported the government.
A decision is expected by the end of June.
Write to Brent Kendall at email@example.com
Computer Fraud and Abuse Act: Van Buren v. US
November 30, 2020
by Dennis Crouch
A lot has changed since President Reagan signed the Computer Fraud and Abuse Act of 1984 (CFAA) and amended it in 1986. Still, the CFAA remains Federal Law’s primary anti-hacking statute and provides for both civil and criminal penalties. The most-oft used provision reads as follows:
(a)Whoever … (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … (C) information from any protected computer … shall be punished.
18 U.S.C. 1030(a). The broad and potentially uncertain scope of “exceeds authorization” is the Focus of the Supreme Court’s November 30, 2020 oral arguments in Van Buren v. United States.
As a police officer, Mr. Van Buren was authorized to search the Georgia Crime Information Center database, but only for police business. As part of a broader FBI sting, Van Buren agreed to and did-actually search the database at the request of a private citizen (Albo). In particular, Albo paid Van Buren $6,000 to search the license-plate records of a prostitute that Albo was considering hiring.
A jury convicted Van Buren for both wire-fraud and computer-fraud. On appeal, the 11th Circuit overturned the wire-fraud verdict on faulty jury instructions (ordering a new trial); but affirmed the computer fraud conviction despite the “vague language of the CFAA.” U.S. v. Van Buren, 940 F.3d 1192 (11th Cir. 2019), cert. granted, 140 S. Ct. 2667 (2020). The Supreme Court granted certiorari on the following question:
Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.
[Petition]. The statute does provide a definition:
(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter;
18 U.S.C.A. § 1030(e)(6). Martin’s simple statutory argument: As a police officer, he was authorized to access and obtain the license-plate information, even if he did so here for an inappropriate reason. The 11th Circuit disagreed and followed its prior precedent in U.S. v. Rodriguez (11th Cir. 2010). Rodriguez is a closely parallel case of an SSA employee who conducted personal searches on the SSA databases. In that case, the 11th Circuit affirmed the CFAA conviction.
One underlying issue here is that the 11th Circuit’s approach seemingly makes it a federal crime for an individual to obtain information after a violation of a terms-of-use. The government argues that prosecutorial discretion is sufficient to avoid these concerns and that the statute should be “specifically and authorized” individuals, not the general public.
So. The government argues that its statutory interpretation turns on the word “so” as used in the statute. I’m still struggling with how that argument works.
Read the Transcript and Listen to the Audio. The outcome here is a bit unclear to me, but I expect the Supreme Court to at least offer a set of limiting principles for the statute — if not going as far as suggested by Van Buren. That said, I would not be surprised with a 7-2 Sotomayor decision favoring Van Buren. That outcome would then serve as notice to Congress to update the 35-year-old law.
The government repeatedly worked to draw an analogy between the information at issue here and property rights. The case may turn on the extent that the Supreme Court finds that analogy appropriate. In particular, the government will likely win if we think of exceeding access as a form of “stealing information” as parallel to that of a brick-and-mortar store employee taking money from the till. The employee has access to the money but exceeds access by taking it out.
About Dennis Crouch
Law Professor at the University of Missouri School of Law.