Computer Fraud and Abuse Act: Van Buren v. US

by Dennis Crouch

A lot has changed since President Reagan signed the Computer Fraud and Abuse Act of 1984 (CFAA) and amended it in 1986. Still, the CFAA remains federal law’s primary anti-hacking statute and provides for both civil and criminal penalties. The most often used provision reads as follows:

(a) Whoever … (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … (C) information from any protected computer … shall be punished.

18 U.S.C. 1030(a). The broad and potentially uncertain scope of “exceeds authorization” is the focus of the Supreme Court’s November 30, 2020 oral arguments in Van Buren v. United States.

As a police officer, Mr. Van Buren was authorized to search the Georgia Crime Information Center database, but only for police business. As part of a broader FBI sting, Van Buren agreed to search, and actually did search, the database at the request of a private citizen (Albo). In particular, Albo paid Van Buren $6,000 to search the license-plate records of a prostitute that Albo was considering hiring.

A jury convicted Van Buren of both wire fraud and computer fraud. On appeal, the 11th Circuit overturned the wire-fraud verdict because of faulty jury instructions (ordering a new trial) but affirmed the computer-fraud conviction despite the “vague language of the CFAA.” U.S. v. Van Buren, 940 F.3d 1192 (11th Cir. 2019), cert. granted, 140 S. Ct. 2667 (2020). The Supreme Court granted certiorari on the following question:

Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.

[Petition].  The statute does provide a definition:

(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;

18 U.S.C.A. § 1030(e)(6). Martin’s simple statutory argument: As a police officer, he was authorized to access and obtain the license-plate information, even if he did so here for an inappropriate reason.  The 11th Circuit disagreed and followed its prior precedent in U.S. v. Rodriguez (11th Cir. 2010). Rodriguez is a closely parallel case of an SSA employee who conducted personal searches on the SSA databases. In that case, the 11th Circuit affirmed the CFAA conviction.

One underlying issue here is that the 11th Circuit’s approach seemingly makes it a federal crime for an individual to obtain information after violation of a terms-of-use.  The government argues that prosecutorial discretion is sufficient to avoid these concerns and that the statute should be “specifically and  authorized” individuals, not the general public.

So.  The government argues that its statutory interpretation turns on the word “so” as used in the statute.  I’m still struggling with how that argument works.

= = = =

Read the Transcript and Listen to the Audio.  The outcome here is a bit unclear to me, but I expect the Supreme Court to at least offer a set of limiting principles for the statute — if not going as far as suggested by Van Buren.  That said, I would not be surprised with a 7-2 Sotomayor decision favoring Van Buren. That outcome would then serve as notice to Congress to update the 35-year-old law.

The government repeatedly worked to draw an analogy between the information at issue here and property rights.  The case may turn on the extent that the Supreme Court finds that analogy appropriate.  In particular, the government will likely win if we think of exceeding access as a form of “stealing information” as parallel to that of a brick-and-mortar store employee taking money from the till.  The employee has access to the money, but exceeds access by taking it out.

17 thoughts on “Computer Fraud and Abuse Act: Van Buren v. US”

    1. 3.1

      That is so true (and also very appetizing!). But to some extent I do sympathize with Justice Alito’s lament about the case’s difficulty because Van Buren’s counsel wasn’t really giving much of an affirmative hook to run with either. As I said below, I do think that was deliberate and unavoidable because the technical issues would be lost on the Justices (except maybe Kavanaugh). It almost feels like a claim construction point where the court ultimately has to reject both parties’ constructions and come up with its own instead.

  1. 2

    This is an everyday, real world issue in systems design.

    I think the issue should turn on the phrase “exceeds authorized access”.

    I think in the vernacular, and looking at the legislative history, and looking for those elements that normally define criminal conduct, that the phrase “exceeds authorized access” for a CFAA violation would require an offender to take some affirmative act to defeat or evade established technical access controls.

    The act of consuming content not intended for a user, but provided to that user technically, should be an organizational or civil offense (or a criminal offense for some later use of such content) but not treated as a hacking event violating what was intended to be an anti-hacking statute.

    It’s common sense that the drafters of the CFAA did not expect the Act to be used as a template for organizational information access discipline.

    So IMOP, privilege escalation via technical means is what the CFAA aims to criminalize.

    1. 2.1

      I completely agree with all this, as has been suggested elsewhere by Prof. Kerr, as well as others I’m sure.

      For those of us who are technically inclined, it just seems so incredibly obvious. As you note, the “exceeds authorized access” scenario would involve a multiuser system, where someone has a legitimate account (user A) and thus can “access [the] computer with authorization” via that account. But ordinarily user A can only access that person’s files and not the files of anyone else, e.g., user B. The illegal conduct would happen when user A “use[s] such access”–i.e., takes advantage of the existing authorized access to the system–to employ some technical measure that gives user A the ability to view and modify user B’s files. User A “is not entitled so to obtain or alter” user B’s files because–regardless of whether the same files and/or underlying content might be available to user A through some other means–user A isn’t entitled to those files on the system in question.

      Of course, the Justices are utterly computer illiterate, so in that sense I don’t blame the attorneys for skipping the technical weeds and focusing mostly on policy arguments. But it does make the back-and-forth of the argument much less satisfying. That said, I do think Justice Kavanaugh got about as close as one could hope to grasping the technical issue on pages 56-57 of the transcript. And the response from the gov’t was really inadequate. Maybe Justice Kavanaugh will have the majority opinion.

      Going the other way, Justice Barrett just did not seem to comprehend it at all. She was quite fixated on the concept of exceeding the “scope” of authority. I could see her writing a dissent for sure.

      1. 2.1.1

        However, ‘scope of authority’ is dispositive, and thus earns the attention.

        “so” as a focal point is simply inadequate, as the “so” is merely a linking word, and one needs to be concerned with the items being linked.

        Bottom line is that even if one is authorized for access for a purpose, access is NOT there for ANY purpose.

        Quite the opposite of the purported position here, it very much is an “organizational information access discipline” – both extra and intra organization access. It merely stands to reason that ‘authorization’ has a spectrum of meaning, with those outside the organization clearly having a place far different on that spectrum, but even those within the organization still having a span of permissibility on the spectrum.

        1. 2.1.1.1

          Well, sure, I will grant you that the “scope” idea _could_ be dispositive, but not inevitably. As I see it, there are a couple problems with that argument.

          One is that, as was noted, the statute doesn’t speak in terms of scope or purpose. So that’s a problem at the outset.

          Conversely, there is language in the statute that supports the idea of authorization being an “on/off” proposition—i.e., one lacks any authorization whatsoever (“off”) or one is authorized without inquiring as to the purpose for which access will be used (“on”). For example, subsection (a)(6) forbids “traffic[king] in any password or similar information through which a computer may be accessed without authorization”. So this provision contemplates an “on/off” scenario. If one accesses a computer through a password etc. that was received legitimately (e.g. from an admin), there’s no problem and the access was authorized—regardless of the purpose for access. But if the password was obtained via trafficking, the access is per se unauthorized. It would be quite sensible—and extremely straightforward—for “exceeds unauthorized access” to mirror this “on/off” structure that doesn’t include a purpose inquiry.

          Likewise, as Martin Snyder pointed out, in the technical vernacular, “access” refers to a binary setting. I wouldn’t say I lack access to a particular file when I do have access to it as a technical matter—i.e., based on system access policies—even if on some occasions that access might be forbidden (but not actually denied physically) as an organizational policy matter.

          To put it another way, Van Buren’s counsel referred at one point to preventing “insider hacking”. Later, the gov’t’s counsel, Mr. Feigin, discussed this concept repeatedly. But Mr. Feigin kept suggesting that someone who simply misuses otherwise accessible data for an organizationally forbidden purpose is an insider hacker. That’s not correct. Nobody who’s technically well-apprised would say that. If someone violated a corporate policy, then certainly that person is a misbehaving employee and may well deserve to be sacked. But that’s not the same as insider hacking. Those who are technically knowledgeable recognize that insider hacking requires actually circumventing a system-based access control—e.g., the user A/user B scenario discussed previously. Of course, doing so would most likely also violate corporate policy, but a mere violation standing alone isn’t enough to transform one into an insider hacker.

          It just seemed like Justice Barrett in particular had real trouble coming to grips with the idea of three different categories of files/data on a system: (1) files that are technically accessible, where accessing them for purpose X doesn’t violate an organizational policy, (2) the same files as (1), but where accessing them for different purpose Y violates a policy, and (3) files that are not technically accessible, short of improperly obtaining another user’s credentials or circumventing a system-based control. Justice Barrett only seems to recognize (1) and (2), not (3). But at least as I see it, only (3) is the one that “exceeds authorized access” is actually designed to address. (1) and (2) are just two different species of authorized access. However, because Justice Barrett doesn’t recognize (3), she would say—wrongly, I think—that (1) is ok, but (2) is a violation. Mr. Feigin seemed happy to go along with her too, but the hypotheticals and examples he gave along those lines didn’t come off as particularly convincing. And as I noted previously, Justice Kavanaugh, in contrast, does seem to be aware of (3).

          Last, as a practical matter, I didn’t get the sense that anyone else was on board with Justice Barrett on that point. She was the only one harping on scope of authorization for the most part. Maybe she could get Justice Alito to come along too—he seemed genuinely on the fence, albeit for different reasons—but otherwise I doubt she can muster even a bare majority.

          1. 2.1.1.1.1

            hardreaders,

            Your post deserves some thought and not just a quick reply (of which, would be to point out that we have a Supreme Court unfettered with any sense of being bound by anything and only too willing to reach their Desired Ends regardless of Means).

            I will attempt to circle back to this over the weekend.

            1. 2.1.1.1.1.1

              anon,

              Thanks for that, I would certainly welcome an extended discussion as your schedule permits, recognizing that each individual comment section necessarily has a limited shelf-life. As you can see, although some might consider it an “undercard” of sorts to the more “glamorous” constitutional cases, this one is a bit of a mini-obsession for me.

              Until such time, have a good rest of the week.

              Best.

              1. 2.1.1.1.1.1.1

                So far, the transcript is not impressive.

                I am seeing naked conclusory assertions that simply do not fit the words of the statute.

              2. 2.1.1.1.1.1.2

                hardreaders,

                I wanted to let you know that outside of the facts of THIS case, I do see a number of cases that DO reflect some of the “parade of horribles” that DID serve as the (attempted) hook that Fisher was aiming for.

                But I think that you even noticed that Fisher’s aim was NOT complete, and that he simply did NOT draw the hypotheticals (of woe) BACK TO the facts of his client’s issues.

                I would HOPE that the Justices themselves act in a restrained manner, avoid the urge to rewrite law with a penchant for a “Bigger Picture” and rule on the case immediately before them.

                Of note, in the actual parade of horribles (outside of the facts of this case), the link here:

                link to readingroom.law.gsu.edu

                does provide the ‘bite’ that OTHER courts – and other cases – MAY provide grist for some of the advised caution that runs rampant in the Amicus Briefs. I am NOT ‘blind’ to these concerns, but merely would point out that such cannot overpower the ACTUAL case before the Court. Those other cases simply are not before the Court.

                As you may surmise, my overall view of the power of the Supreme Court runs MORE to the concerns as expressed in the Federalist Papers.

                1. anon,

                  Thanks for linking this article! I was aware of a few of these cases, and some very similar ones, but a lot of these are new to me.

                  And I agree that (1) these qualify as horribles and (2) Fisher didn’t really tie that in at all. Maybe that’s because, as only involving civil penalties, they aren’t so compelling, and likewise aren’t so comparable to VB’s case.

                  To me, a far more compelling and comparable one would be Aaron Swartz, but I didn’t see that in the transcript anywhere. I haven’t looked closely at the amicus briefs except Prof. Kerr’s, but surely it came up in another brief somewhere.

                  I totally share your sentiment that the Court shouldn’t dwell on horribles–imagined or real-world–and just follow the actual facts at issue.

                  Cheers.

          2. 2.1.1.1.2

            hardreaders,

            I have reviewed in more detail this case, starting with the oral transcript (informed LESS by any particular amicus brief, and more by my developed sense of what each Justice views their role – and how they go about their role – on the bench).

            Since this delves into areas of law outside of my forte, I did provide some leniency for the expressed views, although that provision did NOT stop my mind from raising flags when I see an OVER-reach argument, such as a parade of horribles.

            As you also mentioned Kerr, I read his amicus brief, and while not agreeing – or disagreeing – completely one way or another, I did provide a modicum of weight to his concerns.

            Importantly though, I did two more things.

            I read the statute itself, and I read the case below.

            First and foremost, THIS CASE does not reach the parade of horribles that have been presented.

            Secondly – and in direct response to your statement – there is NO such ‘binary’ state of authorized or not authorized – and certainly not as being dispositive to THIS case, on the facts of THIS case.

            There is a clear and unmistakable element that one may have some authority, and yet — by statute — exceed that authority.

            Further, there is NO basis that any such exceeding authority MUST BE by some ‘physical’ or ‘technical means’-defeating action. You put too much weight on ‘hacking.’ I suggest that you read the actual text of the statute, rather than relying on any sense of ‘technical detail.’ To this point, I think that you overly subscribe to the Kerr view. The statute simply is NOT written in the strict ‘code-view’ that would be required to apply that view.

            There MAY be issues because of this lack — but do not be confused with thinking that the statute is something that it is not JUST to prevent any type of such issues from arising. Do NOT be so falsely lulled into Legislating from the Bench.

            What Officer Van Buren did here was clearly a violation of the law.

            I “get” the arguments being raised in an attempt to change the meaning of the law, as I “get” the parade of horribles, but the law itself – when any such ‘facts’ of the parade of horribles may be presented – removes the ‘sting’ of that parade.

            Note that this is NOT to say that the Supreme Court will not in fact change the existing law. If you have been involved in any way in the patent world, you would realize that the Score board is Broken (in that sense).

            I think that the attempts to reframe this to remove level of authorization are beyond cramped. Your attempt to support “access” simply — and grossly — misses the factual point that the law is NOT limited to merely accessing with NO authorization, but fully includes access WITH ‘some’ authorization, but still detailing impropriety with that ‘some’ access.

            I also suggest that you take another (and clean) read of the transcript.

            Knowing that certain Justices have certain ideologies, one can then more objectively view the interchanges.

            In those interchanges, Feigin was far better than Fisher.

            It is not even close.

            I struggle to see how you think the ‘brick and mortar’ response to Kavanaugh does not clearly portray the difference between a binary view of access making the action in the case ‘ok,’ and that action falling within the statute’s present demarcation that NOT all access is thus a green light for any subsequent, or tied-to event. IF (and that’s a mighty big IF), you believe ONLY in the binary setting, you are NOT looking at the actual text of the statute.

            I refer you to Feigin’s emasculating of Sotomayor’s rather obvious ploy on pages 50-52.

            1. 2.1.1.1.2.1

              Oof, this is a lot to consider, so forgive me for only addressing what I perceive as the key points. Also, I’m really depleted tonight, so if anything seems incoherent, I’ll blame that—conveniently, of course—on fatigue.

              “First and foremost, THIS CASE does not reach the parade of horribles that have been presented.”

              I sort of agree with you, I think, assuming you meant Van Buren’s parade—the gov’t also invoked its own set of horribles after all. What I mean is, I didn’t find VB’s parade especially convincing. (In general I don’t find such arguments to be persuasive either.) As a consequence I’m not relying on it. But as I’ve said, I still don’t think his or similar cases fall under the statute. FWIW, the gov’t’s horribles were lame as well. (Although ironically, just about everyone seemed to agree that data privacy is a big concern these days. Gee, I wonder if Congress will ever get around to legislating that.)

              “Secondly – and in direct response to your statement – there is NO such ‘binary’ state of authorized or not authorized – and certainly not as being dispositive to THIS case, on the facts of THIS case.

              There is a clear and unmistakable element that one may have some authority, and yet — by statute — exceed that authority.”

              Again, I agree to some extent, in the sense that “authority” is not itself defined in the statute and as a general matter can have a variety of meanings in different contexts. You are right that in some of those contexts, authority is treated as a continuum and the concept of “partial” or “full” authority is recognized. For example, agency law, which is where, as I’ve noted, Justice Barrett seemed to be fixated. It’s understandable too, because that’s a familiar area for most judges.

              But the CFAA also obviously addresses a quite different topic from agency law and other areas implicating “scope” of authority. It’s centered around computers. We know that just from the very first word of the Act’s title. And in that context, I would argue that authority—or rather, “authorized access”, because that’s really the relevant term—is well understood as having a binary nature. (Maybe it’s more accurate to say it consists of discrete tiers, where “binary” refers to the simplest 2-tier instance.)

              I do want to harp on the importance of it being “authorized access” and not just “authority”. Were it the latter, it would make sense to speak of “some” authority and “scope” of authority, and I think VB would be likely to lose. But when you consider the full term “authorized access”—where access is the focus, and “authorized” is just a modifier—then it’s different. It is binary then. This is reflected in the language of the statute, which uses “authorized” and “unauthorized”. You have it—meaning authorized *access*—or you don’t. It would be nonsensical to speak of “some authorized access” or the “scope of authorized access.” Another example, which I gave previously, is the text of the statute about password trafficking. This is binary too. If you have a password, you can engage in authorized access. And if you don’t, you can’t. There are no gradations of authority or access involved.

              But what, you say, about the critical language—for purposes of this case—“exceeds authorized access”? You don’t exceed just “authority”, what you exceed is a kind of access, one that is authorized. And that makes a lot of sense in the relevant context of computers. You can have some data that’s accessible to a particular user, and some that isn’t. If a user can access certain data, then by definition, the user is authorized to access that data. And the converse holds for data a user can’t access. So it very much is an “either/or” situation. In that context, exceeding authorized access refers to using some improper means to go beyond the data a user is authorized to access to obtain or alter *other* data for which the user lacks authorization.

              “Further, there is NO basis that any such exceeding authority MUST BE by some ‘physical’ or ‘technical means’-defeating action. You put too much weight on ‘hacking.’ I suggest that you read the actual text of the statute, rather than relying on any sense of ‘technical detail.’ To this point, I think that you overly subscribe to the Kerr view. The statute simply is NOT written in the strict ‘code-view’ that would be required to apply that view.”

              You got me there somewhat. I think earlier I did make too big a deal of code-based or technical mechanisms. What I should have focused on, as I did above, is just that conduct addressed by the statute involves using some improper means to get at some other data for which a user lacks authorization. I’m totally agnostic as to what the improper means would be. That said, in context as a practical matter, it’s typically going to be either a code-based method or social engineering.

              “There MAY be issues because of this lack — but do not be confused with thinking that the statute is something that it is not JUST to prevent any type of such issues from arising. Do NOT be so falsely lulled into Legislating from the Bench.
              What Officer Van Buren did here was clearly a violation of the law.”

              Believe me, the last thing I want is judicial legislation here. Unlike some others, I don’t actually think the statute is excessively broad or badly drafted, at least when it’s properly understood. It’s clear to me that Congress wanted to capture every species of hacking possible—both external and internal. But they obviously couldn’t predict what forms it would take down the road, so they tried to be as expansive as possible. I support that approach and I think in that sense, the broad language is effective to that end.

              As I’ve described above and earlier, this approach does capture *actual* insider hacking. If a user escalates access so as to view unauthorized data—it could be via technical means, but again, I’m indifferent—that’s unquestionably a violation of the statute. So we should all rest easy because the statute is comprehensive on that score.

              But we should also be clear that what VB did was *not* insider hacking. While he was certainly an insider as far as it goes, he never employed code-based or any other means to access data that he originally wasn’t authorized for. Had he done so, then yeah, he should have been locked up as a CFAA-violator.

              “I think that the attempts to reframe this to remove level of authorization are beyond cramped. Your attempt to support “access” simply — and grossly — misses the factual point that the law is NOT limited to merely accessing with NO authorization, but fully includes access WITH ‘some’ authorization, but still detailing impropriety with that ‘some’ access.”

              I’ll mostly refer to what’s been said above, except to reiterate that never does the statutory language speak of “some” authorization or the “scope” of authorization or any other increments of authorization. We’re binary folks living in a binary world (apologies to Madonna).

              “I struggle to see how you think the ‘brick and mortar’ response to Kavanaugh does not clearly portray the difference between a binary view of access making the action in the case ‘ok,’ and that action falling within the statute’s present demarcation that NOT all access is thus a green light for any subsequent, or tied-to event. IF (and that’s a mighty big IF), you believe ONLY in the binary setting, you are NOT looking at the actual text of the statute.”

              Assuming you mean the response on page 57, it’s a bad analogy. If you change it to fit my approach though, it works. The difference would be that instead of simply being *told* not to open the petty cash box in the back office, the box is actually a digital safe protected by a key code. And only a subset of employees are senior enough to know the key code. Those employees have authorized access to the petty cash box; the rest don’t (although just by virtue of being employees they are authorized to access the back office itself). In that case, it would make ample sense to say a junior employee who, once inside the back office, managed to crack the safe—such as by technically disarming it or social engineering the key code—exceeded authorized access.

              If you think about it more, the brick and mortar hypo doesn’t even make sense on its own terms. The petty cash in that example is clearly not “information” as contemplated by the statute. Likewise it would be absurd to speak of “alter[ing]” paper money (unless I suppose one is committing a different crime of defacing currency).

              Relatedly, I think my approach actually makes it easier to identify and convict perpetrators. That’s because it avoids the messy problems of proof that arise under the “scope” or “purpose”-type interpretation. For example, in VB’s own case, they went to great lengths to set up an elaborate sting so they would have evidence of what his “purpose” was in querying the database. Otherwise, the theory goes, they couldn’t have distinguished between him making an authorized or unauthorized access.

              Similarly, the gov’t’s interpretation causes timing issues. You can see that by modifying VB’s case so that, instead of having to make a brand new query for the info requested as part of the sting, he happened to know the info offhand because he had made the query previously while doing legitimate work. At the time then, his access was authorized. But suddenly when he divulges the info to his criminal buddy (secretly in cahoots with the feds), his prior access becomes unauthorized in retrospect. I submit that would be quite bizarre.

              But under my approach, you don’t need any of that fancy stuff, or encounter any of those awkward problems. The violation is consummated *the very instant the improper means (code-based, social engineered password, whatever) are used* to exceed authorized access. And invariably it leaves behind an evidentiary trail. (Of course, you need technical expertise to follow it, but that’s a separate issue.) The best part is, you don’t have to concern yourself with what was on the hacker’s mind either at the time or at any later point. What the hacker did at a single point in time is all that matters. To put it concisely, hacking is something that’s done, not a mindset.

              “I refer you to Feigin’s emasculating of Sotomayor’s rather obvious ploy on pages 50-52.”

              You do know that Justice Sotomayor is female, right? Perhaps you meant to say “eviscerating” or “disemboweling”?

              In all seriousness though, I was unimpressed. Focusing just on the first part of the exchange—i.e., skipping the latter part about fraudulent purpose—to me, it reflects a misunderstanding of the statute. Of course, I doubt Mr. Feigin really doesn’t understand it, but he’s just not letting on here.

              He says if Congress only cared about unauthorized information access, it could have enacted a simple 1-prong statute. That’s true, as far as it goes. He then says that because we actually have a 2-prong statute, the first prong addresses “hackers” while the second captures “insiders” like VB. This is where he starts to go astray because his categories are wrong. It’s not “hackers” on the one hand and “insiders” on the other; they’re both subsets of hacking—one by outsiders and one by insiders.

              The proof of this is in the statutory text itself. Prong #1 talks about unauthorized access to a *”computer”*. It’s like a criminal trespass by a complete stranger who picks a lock to the front gate (code-based) or gets a copy of the key through fraud (social engineering). The violation occurs as soon as the system is compromised—such as via a code-based technique or an illicitly obtained password. It doesn’t actually matter what information is obtained and/or altered subsequently. So in a way, Mr. Feigin was right. Congress didn’t just worry about people getting their hands on information they aren’t entitled to see, it also protected the sanctity of a computer’s very perimeter in prong #1. Admittedly, this is the species of hacking that makes headlines whenever some very sensitive or high-profile system is breached. So it’s understandable that laypeople think hacking consists solely of that. But Mr. Feigin obviously knows better. And so did Congress.

              That’s where prong #2 comes in. Instead of being about a computer in its entirety, it’s about particular *”information”* on a computer. That’s a huge distinction I think. An insider hacker already has authorized access to a system and some of the data on it, but then uses improper technical means etc. to gain access to other data on that system. Granted, this kind of insider hacking isn’t as headline-grabbing as the outsider kind, and isn’t all that common, at least nowadays. But nonetheless, it does happen on occasion, and that’s what Congress was targeting with prong #2. It’s also clearly distinct from the conduct implicated by prong #1, so it makes sense to have separate prongs. (Major kudos to anyone who can think of a common-law crime analogy for this one.)

              In the final analysis, it helps to step back a bit and consider things holistically. Because it’s 2020 and the age of Google and Facebook, and Snowden and Wikileaks, everyone’s got data privacy and leakers/whistleblowers on their minds. I totally understand that, and it sure would be nice if Congress actually did something tangible about it, like in the EU (lucky they are), instead of just holding pointless hearings. But that’s got nothing to do with the CFAA. Data privacy issues weren’t on Congress’s mind at the time, because it wasn’t even a thing back then. Hacking sure was though, and that’s what Congress sought to combat—successfully too. So just like you say, we shouldn’t cave in to the temptation to alter the statute by judicial interpretation. But if anyone’s trying to do that here, it’s the gov’t. Data privacy etc. is a serious issue for sure, but it should be addressed deliberately and head-on with new legislation, instead of by trying to repurpose a statute from a different era meant for a very different problem. To put it more succinctly, Congress in 1986 did not mean to—and in fact did not—brand Reality Winner and her ilk as “insider hackers” in 2017.

              On that same note, sorry that I’ve now gotten pretty far afield from the patent (and sometimes trademark) purposes of this blog. Thanks to anyone who bothered to read any or all of this, and thanks to anon for inspiring some fascinating discussion.

              1. 2.1.1.1.2.1.1

                Excellent exchange – and worth some time for me to formulate a detailed reply.

                In the short term though, even as you seem willing to draw back from having a physical (technical) limitation, the notion of scope of authority — in and of itself — does not impel such an item in the actual statute.

                Lacking that aspect — AND having the affirmative notion of range of authority — even as that affects “access” truly does change the ‘access’ notion to a non-binary state.

                The notion of “but that creates a problem of timing” is not a problem per se (but I can see the Kerr view on wanting it to be a problem).

              2. 2.1.1.1.2.1.2

                Hardreaders,

                If you are still with this thread, then I give you credit, as your last reply took some time to go through.

                Unfortunately, that time felt like multiple passes around the same four sided block, as you continued to repeat a fallacy of yours (even as you have attempted to step back away from that fallacy).

                For normal banter, a quick blurb often suffices here. For more nuanced, detailed, or in certain instances (like when a ‘count filter’ limit is being approached), I will instead write my words down separately, and then paste them to the board.

                Here, my notes may make better (and shorter and certainly with less repetition) if I gather YOUR repeated views into distinct sections, rather than address them as they unfold over your 22 paragraphs and 2,102 words all of your own – interspersed with your quotes of my paragraphs (and not counted in that 22 and 2,102). By the way, the use of “<” as an opening tag, followed by an appropriate tag – for example “I” for italic and “b” for bold, followed by a closing tag of BOTH “/” and a “<” does make following along a bit easier.

                On the other hand, since I will be using tagging, and to give your own repetition its own ‘effect,’ I will add my comments interspersed to snippets of your own reply, without summarizing and condensing your reply.

                Buckle up – this might even take more than one post.

                You state as to parade of horribles “I sort of agree with you,” but then go on about some same device of the government “not being effective.” One big problem – Feigin did NOT use that device. Note that his defusing of questions that sound in that device is NOT the same as his advancing arguments to that effect. What “horribles” of the government are you thinking of?

                You then say “Again, I agree to some extent” to my EXCEED authority statement. But then you confuse yourself by saying that ‘authority ‘ is not defined in the statute (as if that were THE problem). You say I am right “in some of those contexts” as if you can ELIMINATE those contexts with presence of other contexts. That is not how one reads the law. MY ‘right’ in the contexts provided PROVE my point and throw your view out. You need to read the law to handle ALL of those (legitimate) contexts.

                It is NOT a matter that agency law may address scope of authority for different aspects. And being ‘centered around computers’ simply does NOT eliminate scope of authority. Here, you have a serious problem getting out of your own way, and this is the first (OF MANY) times that you cycle back (without necessarily being explicit about it) to ‘MUST HAVE‘ physical or technical’ aspect coupled with a binary access.

                You seem genuinely confused on this point. Like pregnancy, you cannot “agree to some extent.” THIS is a binary situation on the LACK of binary FOR the range of authorization point (I hope that you appreciate the ‘turn of phrase’ there). Bottom line is that ‘access’ is not – and cannot be – the binary point that you so ardently want it to be. This is NOT something ‘limited to some contexts.’ Again, I attribute this to your underlying (even though you seem to want to distance yourself from a strict view of that underlying) viewpoint of yours related to some type of physical or technical “flip the switch.”

                The notion of “also address” does not save you. No one is saying that THAT ‘also addresses’ is NOT there, but YOU cannot read the statute in such a pigeonholing manner. What you are doing is ignoring the portion of the statute (that IS there) that does not fit your desired end take-away.

                Further, whether or not “centered around computers” ALSO does not save you. As I have stressed, merely being “centered around computers” simply does not invoke the HARD ‘must be physical or technical restriction’ element. This IS expressly because authorization – all on its own – carries ‘scope,’ AND the statute itself reflects that scope is involved.

                There is NO ‘binary’ at the heart of your position that requires ‘binary.’

                You continue to strive for something that is just not there.

                And no, I think that your attempted reasoning vis a vis “authorized access” in comparison to singular terms of “authorized” (and “access”) does NOT support your assertion. In fact, they directly refute your assertion. Again, you have become locked into a “must be binary” view, and the law – as written – simply does not accord with that view. ONLY “access” itself – WITH NO modification – may get you to your point. But that is just not how the law was written.

                As to my comments on Kerr and your over-reliance on h1 jacking, you state “You got me there somewhat”

                Not just somewhat. I ‘got you’ in a critical point.

                Again, the words and setting of the actual statute simply are not as pigeonholed as EITHER you or Kerr would prefer. I actually went back on this point today and looked at the evolution of this as being part of an omnibus effort as well as being modified – by Congress – repeatedly and each time continuing to clarify a more expansive view. I do “get” Kerr’s viewpoint, and I am not entirely dismissive of it. At the same time, it just does not have the weight that you think that it does.

                To your snippet of “just that conduct addressed by the statute involves using some improper means to get at some other data for which a user lacks authorization. I’m totally agnostic as to what the improper means would be”…

                This is a hard “NO.” That is simply not (at all) what the words of the statute dictate. That is NOT what ‘exceed authorization’ means. At all. This attempt is NOT an ‘exceeds’ attempt. This attempt is a pure binary DO YOU HAVE (binary) authorization. ALL that you are doing is retreading the same position that you want to put some distance away from. You are most definitely NOT being ‘totally agnostic.’ As this line of thinking requires vitiation against a sum total of ALL authorization. The words of Congress simply are not those words. You wanted to insert a ‘lack of defining,’ and yet you yourself engage in a manner of RE-defining a word to wipe out not only the meaning of the word, but also wipe out the words of Congress. IF there were ONLY a ‘binary’ meaning, then only WITHOUT AUTHORIZATION would suffice in the words of Congress, and there would be NO ‘beyond the LEVEL of authorization’ having even a need to be present.

                And yet, present it is.

                You again MISS with “Unlike some others, I don’t actually think the statute is excessively broad or badly drafted, at least when it’s properly understood. It’s clear to me that Congress wanted to capture every species of hacking possible—both external and internal. But they obviously couldn’t predict what forms it would take down the road, so they tried to be expansive as possible. I support that approach and I think in that sense, the broad language is effective to that end.”

                Here, HOW you miss (and what you do NOT miss) are key: yet again, you have fallen back into the trap that I have identified with YOUR emphasis on ‘hacking’ and this being attached to a physical or technical barrier AND ‘binary’ authorization. The breadth that HERE you recognize simply means more than you are willing to accept. This is a YOU problem.

                You ‘go round the block’ several times in quick succession on this avenue of your thinking.

                If a user escalates access so as to view unauthorized data—it could be via technical means, but again, I’m indifferent

                No, you are NOT indifferent, because you are still insisting on SOME physical or technical AND binary view. Note here how you have parsed the words, moving ‘authorized’ to modify data and treat ‘access’ as if that were a mere UNMODIFIED word. This is legal error on your part on how you are reading the legal text.

                You state “But we should also be clear that what VB did was *not* insider hacking.”…and fall back into the trap warned against. The ‘insider’ angle is NOT so limited to the type of ‘hacking’ that you read into the words of Congress. That is just not what Congress wrote. That is just NOT what the (properly understood) NON-binary – and NOT parsed apart – “level of authorized access” means.

                In fact, you go so far (and in clear error) to state: “except to reiterate that never does the statutory language speak of “some” authorization or the “scope” of authorization or any other increments of authorization. We’re binary folks living in a binary world (apologies to Madonna).”

                Apologies would not likely be accepted – as your own words LATER provide a clear contradiction to this assertion. Sorry, but you are clearly wrong on this point, and only you can come to realize how your own writings show the contradiction.

                As to Feigin deconstructing Kavanaugh with the analogy, you state that it is a ‘bad analogy.’

                I cannot disagree more. You seem to want to make it into a bad analogy BECAUSE it makes the point that you do not want to accept. That is NOT what it means to be a bad analogy. “If you change it to fit my approach…” – Not needed – it is YOUR approach that is in error, and you are trying to force fit a round analogy into the square hole of your approach.

                “the box is actually a digital safe… [different levels of employees],” Here – yet again – you fall back into your ‘physical or technical’ MUST trap.

                NO NO NO – your square hole is rewritten to be exceeded technical access. View it this way: change your hypo from ‘junior employee’ to one of the senior employees, who happen to know and have ‘technical access,’ but may lack a scope of authorized access. Your square hole attempt does not ‘make the analogy work,’ but instead ignores the analogy altogether.

                If you think about it more, the brick and mortar hypo doesn’t even make sense on its own terms.

                I posit that the lack of understanding of the analogy does exist between you and I, but it is not I that lacks the understanding. Your desired end state is blocking you from understanding.

                Relatedly, I think my approach actually makes it easier to identify and convict perpetrators.

                This (unfortunately) is PART of the trap that you fall into. You set another context, and that other context provides SOME solid reasoning for the end result that you want to reach. But the fallacy is in the statement of the ‘other context’ AS IF that other context controls. It simply does not.

                Perhaps in a certain way – but only in a way that does not correctly read the statute itself. Again, this is a type of Kerr-view that you have ascribed to, and merely follows that IF you view the statute as you want it to be, A purpose that you want the statute to serve IS served. The (admittedly smarmy) ‘legal response’ to this type of logical fallacy is: “yeah, so?”

                Just because you (and Kerr) MAY want to avoid ‘messy’ does NOT mean that you can read out of the statute the actual (and clear) use of ‘authorized’ (with its necessary range of scope) AS modifying ‘access’ and thus destroying your required position of ‘binary.’

                But under my approach, you don’t need any of that fancy stuff, or encounter any of those awkward problems

                “yeah, so?” 😉

                To put it concisely, hacking is something that’s done, not a mindset.

                Your comment betrays the very thing that you attempted to distance yourself from: a physical or technical ‘trap’ as it were. That is just not actually required. To put it concisely – you ERR with emphasizing ‘hacking’ and NO ONE said anything about “mindset instead of something done.” Your comment betrays the very thing that you attempted to distance yourself from: a physical or technical ‘trap’ as it were. That is just not actually required for the words of Congress in the UN-parsed “level of authorized access” to have the meaning that I have presented.

                You do know that Justice Sotomayor is female, right? Perhaps you meant to say “eviscerating” or “disemboweling”?

                I do chuckle, but no, I would posit that even though Sotomayor is female, HER ploy may take on a masculine form of the word (sorry, but I do NOT ascribe to the neo-liberal identity politics of requiring words to be EITHER ‘neutral’ or necessarily reflecting the gender of the user). A ship is a ‘she,’ no matter whether the owner of the ship is a male or female.

                Focusing just on the first part of the exchange—i.e., skipping the latter part about fraudulent purpose—to me, it reflects a misunderstanding of the statute

                I am not only not impressed with you not being impressed, I also posit that it is you that is misunderstanding the statute in your attempt here to only focus on a part of the exchange. It is as if you do NOT want to credit Feigin for his end result which DOES emasculate Sotomayor’s attempt.

                By the way – and reflected in other decisions in the sphere of patent law for which I am an expert – Sotomayor is perhaps one of the very worst Supreme Court Justices that we have ever had, as she pretends NOT to be an “Ends justifies the Means” person, but comes to every decision with her own preconceived notions and literally legislates from the Bench in every case.

                This is one reason why Feigin’s actual point NEEDS to be noticed. That actual point illustrates only too well that Sotomayor was asking a loaded question – to which Feigin not only UNloaded, but Feigin turned the tables on Sotomayor (if you DO grasp the legal points at hand). This is a very nuanced legal understanding of how a person of power (Sotomayor) was respectfully fully OWNED in an exchange.

                He then says that because we actually have a 2-prong statute, the first prong addresses “hackers” while the second captures “insiders” like VB. This is where he starts to go astray because his categories are wrong.

                He does not go astray

                His categories are not wrong

                He is not parsing as you attempt to so portray, but he IS pointing out something that you have not (truly) accepted: the statute DOES have outsider AND insider concerns and thus “hacking” ALONE simply is not the key point to be understood. It is NOT “insider hacking is synonymous with lacking ALL authority.”

                The proof of this is in the statutory text itself.

                Absolutely – just not how you want the statute to be – and directly to the points as I have presented them.

                This is MY summation point – not yours.

                “such as via a code-based technique or an illicitly obtained password” – AND INTO your ‘trap’ yet again.

                Certainly PART of the statute – and CRITICALLY – certainly NOT ALL OF the statute. Here again, you attempt a reading of the statute tied to ‘physical or technical AND binary access’ that simply is not in accord with ALL of the words of the statute – AS written by Congress.

                So in a way, Mr. Feigin was right

                And there is the ‘little bit pregnant’…

                “it also protected the sanctity of a computer’s very perimeter” – AND INTO your ‘trap’ yet again.

                An insider hacker already has authorized access to a system and some of the data on it, but then uses improper technical means etc. to gain access to other data on that system

                Here is where you contradict your earlier assertion – AND still not get the statutory words quite right. You fall into your trap of SOME IMPROPER TECHNICAL MEANS… access to other…. Your admission here of two prongs is the contradiction to your earlier assertion against what I proposed. But on top of that, you employ your fallacy. To exceed one’s authority does NOT need improper technical means. Access to the other data is all that occurs – with the technical means themselves being purely proper. I have addressed this in my initial comments.

                In the final analysis, it helps to step back a bit and consider things holistically

                Again absolutely – but this is my point, not yours.

                I totally understand that, and it sure would be nice if Congress actually did something tangible about it

                They did. It’s just that – like Kerr – you do not want to see this in the words of a statute already written. Alas, those words are already there.

                but it should be addressed deliberately and head-on with new legislation

                That’s a ‘nice to have’ that calls forth the same (albeit smarmy) legal response of “Yeah, so what?”

                and thanks to anon for inspiring some fascinating discussion.

                And thank you for actually devoting so much time and energy. While at bottom I disagree with you, I DO appreciate the fact that you have come to the table of discussion in earnestness and attempted at all times to be intellectually honest and above board. I think that you have errors of logic and approach that limit your legal take-aways, but those are honest errors. It is NOT that you are trying to play legal (or rhetorical) tricks in wanting a legal position that you KNOW to be an incorrect one (which IS something that happens OFTEN on this blog).

  2. 1

    That outcome would then serve as notice to Congress to update the 35-year-old law.

    Did you type that with a straight face?
