The Supreme Court will finally rule on controversial US hacking law

Justices Sonia Sotomayor and Neil Gorsuch, back, and Stephen Breyer, right, seemed skeptical of the government's broad reading of the CFAA. Justice Thomas, center, seemed more sympathetic to the government's view. Chief Justice Roberts, left, kept his cards close to his chest.

The Supreme Court on Monday considered how broadly to interpret the Computer Fraud and Abuse Act, America’s main anti-hacking statute.

Here’s how I described the case back in September:

The case arose after a Georgia police officer named Nathan Van Buren was caught taking a bribe to look up confidential information in a police database. The man paying the bribe had met a woman at a strip club and wanted to confirm that she was not an undercover cop before pursuing a sexual—and presumably commercial—relationship with her.

Unfortunately for Van Buren, the other man was working with the FBI, which arrested Van Buren and charged him with a violation of the CFAA. The CFAA prohibits gaining unauthorized access to a computer system—in other words, hacking—but also prohibits “exceeding authorized access” to obtain data. Prosecutors argued that Van Buren “exceeded authorized access” when he looked up information about the woman from the strip club.

But lawyers for Van Buren disputed that. They argued that his police login credentials authorized him to access any data in the database. Offering confidential information in exchange for a bribe may have been contrary to department policy and state law, they argued, but it didn’t “exceed authorized access” as far as the CFAA goes.

Obviously, no one is going to defend a cop allegedly accepting bribes to reveal confidential government information. But the case matters because the CFAA has been invoked in prosecutions of more sympathetic defendants. For example, prosecutors used the CFAA to prosecute Aaron Swartz for scraping academic papers from the JSTOR database. They also prosecuted a small company that used automated scraping software to purchase and resell blocks of tickets from the TicketMaster website.

The CFAA allows for civil as well as criminal penalties. For example, LinkedIn sued a small data-analytics company for scraping data from its website. Last year, the 9th Circuit Appeals Court rejected the lawsuit, holding that the CFAA was intended to address computer hacking, not conduct that merely violated a site’s terms of service.

In short, the core issue in the case was when—if ever—violating the terms of use of a website or other computer system can lead to legal trouble. While the CFAA has been on the books since the 1980s, the nation’s highest court has never addressed the question.

On Monday, the court’s nine justices seemed to have a range of views on the question. Some seemed ready to accept the government’s broad reading of the statute, while others worried that doing so could criminalize a lot of innocuous online activity.

“Parade of horribles”

The core of Van Buren’s argument is that, if he is convicted, it could open the door to criminal prosecution of others engaged in more innocuous conduct.

“This construction would brand most Americans criminals on a daily basis,” Jeff Fisher, the defendant’s lawyer, said during Monday’s oral arguments, conducted over Zoom. “Imagine a secretary whose employee handbook says that her email or Zoom account may be used only for business purposes. Or consider a person using a dating website, where users may not include false information in their profile to obtain information about potential mates. Or think of a law student who is issued login credentials for Westlaw or Lexis for educational uses only.

“If the government is right, then a computer user who disregards any of these stated use restrictions commits a federal crime,” Fisher continued. “For example, any employee who used a Zoom account over Thanksgiving to connect with distant relatives would be subject to the grace of federal prosecutors.”

These kinds of hypotheticals—dubbed a “parade of horribles”—came up over and over again in Monday’s argument. Much of it focused on whether the government’s position would open the floodgates to federal prosecutions in these kinds of cases.

The government took a surprising position

Eric Feigin, the attorney representing the Department of Justice, rejected Fisher’s parade of horribles, arguing that none of Fisher’s scenarios would actually lead to federal prosecution. He argued that when the law talks about “authorized access,” it doesn’t mean to cover public websites—even websites that require a username and password.

“What Congress was aiming at here were people who were specifically trusted—people akin to employees, the kind of person who has actually been specifically considered and individually authorized,” Feigin said on Monday. Under his theory, someone who broke the rules of a dating website or a social media platform wouldn’t be covered by the CFAA no matter what they did.

But Justice Stephen Breyer seemed surprised by Feigin’s argument.

“There are dozens and dozens and dozens of sites where they say you may enter this site and use the information here if you agree to the terms of access. And then you have a big list in small print that goes on for quite a long ways. I take it what would be covered in the terms of access would be what’s permitted and what isn’t. Authorized and not. Correct?”

Feigin disagreed, arguing that the CFAA’s “authorization” was required only when someone had been granted “specific, individualized permission.”

This seems hard to square with past CFAA cases. TicketMaster’s website, for example, is available to the general public. People who purchase tickets there aren’t “akin to employees.” Yet people got prosecuted for scraping it. Similarly, JSTOR doesn’t hand-pick who is allowed to access academic articles—yet Swartz was prosecuted for downloading them without authorization.

And there have been several CFAA lawsuits based on information from public websites. In a 2008 lawsuit, for example, Facebook sued a startup called Power Ventures for using the credentials of its users—with their permission—to send messages through Facebook’s messaging platform. Power Ventures ultimately lost that case, but it seems like under Feigin’s logic the CFAA shouldn’t have applied at all, since Facebook offers accounts to anyone who wants one (aside from young children).

In another case, Craigslist successfully sued a competitor called 3taps under the CFAA for scraping classified ads and offering them in an alternative format. In this case, the content at issue was freely available to the public without even a username and password. Yet a judge held that 3taps had “exceeded authorized access” under the CFAA when it ignored cease-and-desist letters from Craigslist.

When Justice Samuel Alito asked Feigin about the TicketMaster case, Feigin dismissed it because the defendants had “hired Bulgarian hackers to circumvent some technological limitations”—an apparent reference to the defendants’ efforts to circumvent TicketMaster’s CAPTCHAs and other efforts to prevent scraping. But it seems like, under the government’s current theory, the CFAA shouldn’t have applied at all.

“I’ve never heard DOJ’s proposals before”

The government’s position left some legal scholars scratching their heads.

“Until this case, everyone up to now, including [the Department of Justice], has agreed that the statute is incredibly broad other than the matter of authorization,” wrote Orin Kerr, a legal scholar who supports a narrow reading of the law. “In this case, though, DOJ rejects DOJ’s past views on this. Not just rejects, but mocks as utterly ridiculous, pure fantasy.”

“Beyond being inconsistent with DOJ’s past positions, DOJ’s new views don’t seem to have a textual basis in the statute,” Kerr added. “I’ve never heard DOJ’s proposals before I read their brief, and I’ve been living this stuff, including while at DOJ, for over 20 years.”

In a sense, this leaves the Supreme Court with two different ways to limit the scope of the CFAA. One way—the way favored by the defendant—would be to hold that violating a site’s terms of use doesn’t violate the law, even in egregious cases. The other option—the one now favored by the government—is to hold that violating a site’s terms of use is only a federal crime if it’s a site that provides sensitive private information and tightly limits who can access it.

If the Supreme Court chooses this latter option, the change to the way the CFAA is interpreted could actually wind up being larger. It would expose defendants to criminal penalties if they made inappropriate use of certain types of online databases. But it could largely neuter the CFAA when it comes to information on public websites. Companies like Facebook, Craigslist, and LinkedIn could wind up with less, not more, power over how people use their sites.

Monday’s oral arguments didn’t give much indication of how the court would rule. A few justices—Sotomayor, Gorsuch, and possibly Breyer—seemed ready to side with defendants. A couple of others—Thomas and Barrett—seemed sympathetic to the government’s position. But the others held their views close to their vests—and justices’ questions don’t necessarily predict how they will ultimately rule. Sometimes justices ask tougher questions of the side they favor to make sure they aren’t missing any important counterarguments.

https://arstechnica.com/?p=1726430