
The Supreme Court issued a ruling Thursday that imposes a limit on what counts as a crime under the Computer Fraud and Abuse Act (CFAA).
The case involves a former Georgia police sergeant who “used his own, valid credentials” to get information about a license plate number from a law enforcement database, the court decision said. The sergeant ran the search in exchange for money and for non-law enforcement purposes, violating a department policy. He was charged with a felony under the CFAA, which says it’s a crime when someone “intentionally accesses a computer without authorization or exceeds authorized access.” He was convicted and sentenced to 18 months in prison in May 2018.
A federal appeals court upheld the conviction, but the Supreme Court reversed it today in a 6-3 decision that said the sergeant, Nathan Van Buren, did not violate the CFAA. Justices found that the cybersecurity statute does not make it a crime to obtain information from a computer when the person has authorized access to that machine, even if the person has “improper motives.”
The court wrote:
Nathan Van Buren, a former police sergeant, ran a license-plate search in a law enforcement computer database in exchange for money. Van Buren’s conduct plainly flouted his department’s policy, which authorized him to obtain database information only for law enforcement purposes. We must decide whether Van Buren also violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.
“The parties agree that Van Buren accessed the law enforcement database system with authorization,” the ruling said. “The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could. Van Buren accordingly did not ‘excee[d] authorized access’ to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose. We therefore reverse the contrary judgment of the Eleventh Circuit and remand the case for further proceedings consistent with this opinion.”
Van Buren caught in FBI sting
Van Buren’s disputed computer access occurred after he asked a man named Andrew Albo for a loan. Albo secretly recorded the conversation “and took it to the local sheriff’s office, where he complained that Van Buren had sought to ‘shake him down’ for cash,” the ruling said. The FBI got involved and devised an operation in which “Albo would ask Van Buren to search the state law enforcement computer database for a license plate purportedly belonging to a woman whom Albo had met at a local strip club. Albo, no stranger to legal troubles, would tell Van Buren that he wanted to ensure that the woman was not in fact an undercover officer. In return for the search, Albo would pay Van Buren around $5,000,” the ruling continued.
During oral arguments, Van Buren’s lawyer contended that the government’s interpretation of the law would make it a crime to violate a website’s terms of service or to use a business email or Zoom account for personal purposes if an employer had a policy against doing so. “This construction would brand most Americans criminals on a daily basis,” the lawyer, Jeff Fisher, told justices.
The US Department of Justice argued that the government’s interpretation would not extend the law to public websites, even if they require a username and password. Instead, the government argued that its interpretation of the law applies only to people who are “akin to employees” and have been granted “specific, individualized permission.”
But as we wrote in our story on the oral arguments, the government’s argument “seems hard to square with past CFAA cases. TicketMaster’s website, for example, is available to the general public. People who purchase tickets there aren’t ‘akin to employees.’ Yet people got prosecuted for scraping it. Similarly, JSTOR doesn’t hand-pick who is allowed to access academic articles—yet [Aaron] Swartz was prosecuted for downloading them without authorization.”
Swartz committed suicide in 2013 while he was being prosecuted under the CFAA for downloading over 4 million academic journal papers from JSTOR over MIT’s computer network.
Ruling “radically restrict[s]” scope of law
Harvard Law School Professor Lawrence Lessig applauded the ruling, writing that the court decision written by Justice Amy Coney Barrett “has radically restricted the scope of the Computer Fraud and Abuse Act—the statute that the United States said @aaronsw [Aaron Swartz] had violated. Applying Barrett’s reading, he plainly did not.”
Barrett’s majority opinion was joined by Justices Stephen Breyer, Sonia Sotomayor, Elena Kagan, Neil Gorsuch, and Brett Kavanaugh. Justice Clarence Thomas filed a dissenting opinion, joined by Chief Justice John Roberts and Justice Samuel Alito.
The ruling could have a major effect on government prosecutions. As justices wrote today, the CFAA originally “barred accessing only certain financial information” but “has since expanded to cover any information from any computer ‘used in or affecting interstate or foreign commerce or communication.’ As a result, the prohibition now applies—at a minimum—to all information from all computers that connect to the Internet.”
Violating the CFAA is punishable by fines and imprisonment of up to 10 years. The law also provides for civil liability, as people who suffer “damage” or “loss” from CFAA violations can sue for damages.
Berkeley Law professor Orin Kerr pointed out one caveat that might limit the effect of the Supreme Court ruling. “In a footnote, the Court seems to adopt the authentication test—‘whether a user’s credentials allow him to proceed past a computer’s access gate’—that I and others have proposed,” Kerr wrote. “But there’s a big caveat to that. In a different footnote, the Court says it is not reaching whether that ‘gate’ can be imposed only by technology, or by a contract or policy.”
Kerr added that it “might still mean a mostly technological test, but one that can be impacted by written restrictions.”
Case hinged on the word “so”
Van Buren appealed his conviction to the US Court of Appeals for the 11th Circuit, “arguing that the ‘exceeds authorized access’ clause [in the CFAA] applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have,” today’s ruling said. The appeals court ruled against him, but the Supreme Court said it took up the case to resolve a split between the 11th Circuit and “several” other circuit appeals courts that “see the clause Van Buren’s way.”
The case hinged on the word “so” as used in the CFAA’s prohibition on “obtain[ing] or alter[ing] information in the computer that the accesser is not entitled so to obtain or alter.”
“The parties agree that Van Buren ‘access[ed] a computer with authorization’ when he used his patrol-car computer and valid credentials to log into the law enforcement database. They also agree that Van Buren ‘obtain[ed]… information in the computer’ when he acquired the license-plate record for Albo. The dispute is whether Van Buren was ‘entitled so to obtain’ the record,” the court wrote.
“Van Buren contends that the word ‘so’ serves as a term of reference and that the disputed phrase thus asks whether one has the right, in ‘the same manner as has been stated,’ to obtain the relevant information,” the ruling also said. The US government “argues that ‘so’ sweeps more broadly, reading the phrase ‘is not entitled so to obtain’ to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it.”
The court’s majority said it disagreed with the government because of how the statute is structured and “because without ‘so,’ the statute could be read to incorporate all kinds of limitations on one’s entitlement to information.”
“Van Buren’s account of ‘so’—namely, that ‘so’ references the previously stated ‘manner or circumstance’ in the text of [the law] itself—is more plausible than the Government’s,” the court wrote. “‘So’ is not a free-floating term that provides a hook for any limitation stated anywhere.” Referencing the Oxford English Dictionary and Webster’s Dictionary, the court wrote that “so” refers “to a stated, identifiable proposition from the ‘preceding’ text; indeed, ‘so’ typically ‘[r]epresent[s]’ a ‘word or phrase already employed,’ thereby avoiding the need for repetition.”
US argument a “sleight of hand”
The majority additionally found that the government’s interpretation “has surface appeal but proves to be a sleight of hand”:
While highlighting that “so” refers to a “manner or circumstance,” the Government simultaneously ignores the definition’s further instruction that such manner or circumstance already will “ha[ve] been stated,” “asserted,” or “described.” Under the Government’s approach, the relevant circumstance—the one rendering a person’s conduct illegal—is not identified earlier in the statute. Instead, “so” captures any circumstance-based limit appearing anywhere—in the United States Code, a state statute, a private agreement, or anywhere else. And while the Government tries to cabin its interpretation by suggesting that any such limit must be “specifically and explicitly” stated, “express,” and “inherent in the authorization itself,” the Government does not identify any textual basis for these guardrails.
Meanwhile, the dissenting opinion written by Thomas would essentially remove the word “so” from the statute, the majority wrote:
The dissent accepts Van Buren’s definition of “so,” but would arrive at the Government’s result by way of the word “entitled.” According to the dissent, the term “entitled” demands a “circumstance dependent” analysis of whether access was proper. But the word “entitled” is modified by the phrase “so to obtain.” That phrase in turn directs the reader to consider a specific limitation on the accesser’s entitlement: his entitlement to obtain the information “in the manner previously stated.” And as already explained, the manner previously stated is using a computer one is authorized to access. To arrive at its interpretation, the dissent must write the word “so” out of the statute.
https://arstechnica.com/?p=1769621