by Dennis Crouch
A lot has changed since President Reagan signed the Computer Fraud and Abuse Act of 1984 (CFAA) and amended it in 1986. Still, the CFAA remains Federal Law’s primary anti-hacking statute and provides for both civil and criminal penalties. The most-oft used provision reads as follows:
(a)Whoever … (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … (C) information from any protected computer … shall be punished.
18 U.S.C. 1030(a). The broad and potentially uncertain scope of “exceeds authorization” is the Focus of the Supreme Court’s November 30, 2020 oral arguments in Van Buren v. United States.
As a police officer, Mr. Van Buren was authorized to search the Georgia Crime Information Center database, but only for police business. As part of a broader FBI sting, Van Buren agreed to and did-actually search the database at the request of private citizen (Albo). In particular, Albo paid Van Buren $6,000 to search the license-plate records of a prostitute that Albo was considering hiring.
A jury convicted Van Buren for both wire-fraud and computer-fraud. On appeal, the 11th Circuit overturned the wire-fraud verdict on faulty jury instructions (ordering a new trial); but affirmed the computer fraud conviction despite the “vague language of the CFAA.” U.S. v. Van Buren, 940 F.3d 1192 (11th Cir. 2019), cert. granted, 140 S. Ct. 2667 (2020). The Supreme Court granted certiorari on the following question:
Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.
[Petition]. The statute does provide a definition:
(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
18 U.S.C.A. § 1030(e)(6). Martin’s simple statutory argument: As a police officer, he was authorized to access and obtain the license-plate information, even if he did so here for an inappropriate reason. The 11th Circuit disagreed and followed its prior precedent in U.S. v. Rodriguez (11th Cir. 2010). Rodriguez is a closely parallel case of an SSA employee who conducted personal searches on the SSA databases. In that case, the 11th Circuit affirmed the CFAA conviction.
One underlying issue here is that the 11th Circuit’s approach seemingly makes it a federal crime for an individual to obtain information after violation of a terms-of-use. The government argues that prosecutorial discretion is sufficient to avoid these concerns and that the statute should be “specifically and authorized” individuals, not the general public.
So. The government argues that its statutory interpretation turns on the word “so” as used in the statute. I’m still struggling with how that argument works.
= = = =
Read the Transcript and Listen to the Audio. The outcome here is a bit unclear to me, but I expect the Supreme Court to at least offer a set of limiting principles for the statute — if not going as far as suggested by Van Buren. That said, I would not be surprised with a 7-2 Sotomayor decision favoring Van Buren. That outcome would then serve as notice to Congress to update the 35-year-old law.
The government repeatedly worked to draw an analogy between the information at issue here and property rights. The case may turn on the extent that the Supreme Court finds that analogy appropriate. In particular, the government will likely win if we think of exceeding access as a form of “stealing information” as parallel to that of a brick-and-mortar store employee taking money from the till. The employee has access to the money, but exceeds access by taking it out.