Supreme Court Agrees to Decide, What is Hacking?

A cert grant in Van Buren.

|The Volokh Conspiracy |

I blogged last week about the Supreme Court's pending cert petition in Van Buren v. United States, on the meaning of unauthorized access to a computer, and why I expected the Supreme Court to take the case.  I'm pleased to that that the Supreme Court has agreed to hear the case.

The fundamental question in the case is what Congress did when it criminalized unauthorized access to a computer.  In particular, what makes an access to a computer unauthorized?   Do the terms of service control?   Does there need to be some sort of technical restriction on access that is breached?

To put the question in colloquial terms, the question is, what is the crime of hacking?**

Given the Supreme Court's recent trend toward favoring the narrow interpretation of vague criminal statutes, I would guess that the Court likely will rule in the defendant's favor.  But every case is different, so we'll have to wait and see.  As always, stay tuned.

_____________

** I realize that there are many in the technical community who insist that the correct word for unlawful unauthorized access to a computer is "cracking," not "hacking," and that most people use the term "hacking" incorrectly.  But most people follow colloquial usage, pretty much by definition, so I think it's fair to put the question that way.

Advertisement

NEXT: Despite COVID-19 Lockdowns, Licensed Marijuana Sales Continue in the Vast Majority of States With Legal Pot

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. That’s a fair description of hacking vs cracking. I have been a hacker of sorts for a long long time, and resent the common usage of it nowadays, but that is how languages evolve.

    1. Crack — as in to break, Hack — as in to cobble together or patch.

      One may hack together a program designed to crack passwords.
      At least that is how I understand it.

  2. I’m curious as to whether the Court is going to focus more on the idea that Congress never meant the statute to sweep this broadly (which might involve legislative history) or whether it will be more focused on the possibility that any broad construction leads to constitutional problems. The Yates approach vs. the Bond approach, if you will.

    1. Hmmmmm — I’d argue *both*…..

      THIS is what Congress sought to outlaw:
      https://www.youtube.com/watch?v=zb1r_uKOew4

    2. Could you elaborate on the potential constitutional problems you see?

      1. If “exceeds authorized access” permits prosecution for using a system with an improper purpose, then the statute might be unconstitutionally vague. The improper purpose approach doesn’t really give notice to anyone that their conduct is criminal, and perhaps more importantly, does not guide government enforcement. This was the conclusion that the district court reached in the Lori Drew case that Orin has mentioned, the government, probably wisely, did not appeal that decision to a circuit court.

        So I think they;re going to go with Congress’s original purpose + lenity + constitutional avoidance = holding that an improper purpose or violation of a TOS is not enough to exceed authorized access.

        1. The government didn’t appeal because they were likely to lose and not be able to threaten to charge people under their over broad interpretation.

          1. Exactly.

        2. The government’s argument isn’t that the statute criminalizes accessing a computer for an “improper purpose”: it’s that it forbids someone who has been given permission to access a computer, but with limitations, from exceeding those limitations. And I don’t think the government is disputing that they have to prove that the defendant knew that their access exceeded those limitations. So I don’t think I see lack of notice as being an issue for constitutional purposes.

          I certainly think that Georgia could (and, if it hasn’t already should) directly criminalize the use of this database for improper purposes. Do you think there would be constitutional issues with that law?

          1. For the second question, I think limiting criminal liability to a specifically identified database would avoid vagueness concerns because 1) it is more likely to put someone on notice as to what conduct is prohibited compared to the simply prohibiting exceeds authorized access on every computer or information system on the planet. And 2) it would certainly cabin government discretion in enforcement. They could only prosecute for exceeding authorized access to the specific database.

            As to your second question: the broad interpretation of “exceeds authorized access” is essentially an improper purpose test. The improper purpose doesn’t necessarily mean its something otherwise illegal or morally questionable. It means a purpose different than the one that was authorized. Authorization can be the terms of service or even an oral agreement potentially.

            The petitioner framed the question this way in their cert petition:

            “Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.”

            And I don’t think the knowledge element really limits the government. Knowledge will always be provable if you clicked “yes” on the terms of service. I think the petition’s hypothetical is a good example. Is every law student who used their WestLaw account to look up landlord-tenant law because they had an issue with their landlord a federal criminal because that exceeds the scope of the TOS limiting it to educational purposes? Or what about every March Madness tournament, where people use their work computers to check scores, print brackets, and watch games, even if the TOS says work use only?

            1. The broad reading of the statute is that if the owner of a computer puts conditions on your access to it, you would be violating the law by violating those conditions. Maybe that’s overly restrictive, and maybe the penalties for such minor infractions are overly draconian, maybe so much so that it’s an argument against that reading. But it seems perfectly clear to me what you would and would not be prohibited from doing.

              1. Even if that is correct, is there a way to guide government discretion when almost anyone can potentially be violating the terms of service of any one of the many systems that exist out there?

                1. “almost anyone can potentially be violating the terms of service of any one of the many systems that exist out there?”

                  Almost anyone can potentially be violating ANY contract which may be binding on them, and that doesn’t stop courts from working out who actually is breaching a contract, and who isn’t.

                  1. How often are they trying to figure out if a breach of contract is also a federal felony?

                    1. Dunno. Who cares? The question is whether they can tell if the thing happened or not accurately. If you can do that, it doesn’t matter if you’re resolving a civil breach-of-contract suit or a criminal felony charge.

              2. The fundamental problem is that, collectively, appellate judges don’t understand IT security. Which doesn’t stop them from ruling on matters of IT secuity.

              3. “The broad reading of the statute is that if the owner of a computer puts conditions on your access to it, you would be violating the law by violating those conditions.”

                This is also true of plain old real property. So if the landlord says “no alcohol in the pool area”, you and your short-case can be evicted for tresspass if you’re down in the pool together.

            2. I think the larger issue is the information, not how it was gained.
              It was some teen singer who was murdered because some psycho-stalker got her home address from her driver’s license, and Congress sought to prevent that.

              OK, is the harm any less if the dispatcher accesses the computer for the cop?

              1. “It was some teen singer who was murdered because some psycho-stalker got her home address from her driver’s license, and Congress sought to prevent that.”

                Actress, not singer. Rebecca Schaefer was in the show “My Sister Sam” with Pam Dawber. Murdered by deranged fan.

            3. In a properly-defined information security system, there is a procedure by which access to information is requested, and then approved by someone with the authority to control access, much the way physical resources are handled. So, for example, in a previous job I had all-hours access to the building which was controlled by an access-control database, and I had access to the server closet in the same building by way of being issued a key to the server-room door. Both of these had to be specifically authorized by the owner of the business. Of course, having a key to the building didn’t imply that I could proceed to show up on a weekend, and take all the stuff in the building home with me. I don’t think a court would have trouble determining that if I was accused of burglarizing the business that my possession of key defeated an element of the commercial burglary criminal statute. Similarly, corporate officers can be found to be operating ultra vires even if they’re authorized to write checks on company accounts when they’re writing checks to themselves. So in the CFAA context, I don’t know why some courts choose to interpret “authorized for some purposes” as “authorized for all purposes.”

            4. “Is every law student who used their WestLaw account to look up landlord-tenant law because they had an issue with their landlord a federal criminal because that exceeds the scope of the TOS limiting it to educational purposes?”

              No, because they ARE using it for educational purpose. Now, when a law student takes on a research job with a practicing lawyer and use their academic Westlaw account to do their work research, that’s a nice, clear violation.

        3. “If “exceeds authorized access’ permits prosecution for using a system wi’h an improper purpose, then the statute might be unconstitutionally vague.”

          Meh. Use of a system either IS authorized or it is not. It’s typically a termination offense to access things you aren’t authorized to access. So if I install cryptocurrency-mining software on computers at work, Same thing if you install SETI@work or protein-folding simulators. I had authority to install software in my previous job, but not whatever software I chose. Another common violation is installing consumer-grade wireless routers on the office network. That’s not authorized, no matter what you think you’re accomplishing.

  3. Given the Supreme Court’s recent trend toward favoring the narrow interpretation of vague criminal statutes, I would guess that the Court likely will rule in the defendant’s favor.

    If I had to make a prediction, I would agree with this. And I think I’m persuaded by Prof. Kerr’s arguments that this would be the correct result. On the other hand, this fact pattern strikes me as one of the best illustrations of why the broader reading is appropriate, and in light of both the deep circuit split and the unusual importance of uniformity for a statute like this, the cert grant is even less of an indicator of the justice’s views on the merits than usual. So, I guess we will see what happens!

    1. Give the facts of this case I wonder why he wasn’t charged with more serious crimes, like taking a bribe. But then as police officer he gets a pass most of the time.

      1. He was charged with (and convicted of) taking a bribe. The 11th Circuit reversed that conviction due to a flaw in the jury instructions.

    2. I’d argue that there is a need for a specific statute along the lines of the National Security Act — that you have to sign something to have access to specific governmental data (i.e. DMV data) and that the criminal penalty will be for being a person who (a) signed for access and then (b) violated the restrictions he/she/it agreed to.

      As this is interstate data — all the DMVs have been linked for decades now — I’d argue that a Federal statute would pass muster.

      1. Dr. Ed, I agree. I’ve been saying this for years: Courts should construe the CFAA narrowly and that Congress should then enact a new law specifically prohibiting government employee access to sensitive govt databases for prohibited reasons. The government does have a legitimate interest in prosecuting those wrongs; the problem is that the CFAA is the wrong statute in which to do it.

        1. AND it really doesn’t matter if the employee database personally or obtained the info second/thirdhand from someone else who had legitimately accessed the database. Yet CFAA wouldn’t apply there.

      2. “As this is interstate data — all the DMVs have been linked for decades now — I’d argue that a Federal statute would pass muster.”

        Unless you wanted the statute to apply to data and systems that are in private hands. As the CFAA does.

  4. I still say that an interlocutory grant of cert to a case where the actus reus of CFAA precisely overlays that of Honest Services is the worst conceivable way of fixing this problem in the law.

    That said, have fun storming the castle.

    Mr. D.

    1. Glad the Court didn’t agree with you on this, TD. 🙂

      1. Well, four of them, at least. Cheers. 🙂

        Mr. D.

  5. ** I realize that there are many in the technical community who insist that the correct word for unlawful unauthorized access to a computer is “cracking,” not “hacking,” and that most people use the term “hacking” incorrectly. But most people follow colloquial usage, pretty much by definition, so I think it’s fair to put the question that way.

    If that is so why isn’t the word “hacking” actually mentioned in the text of a law?

    As someone who has been in information security for twenty years – neither is used commonly within the community. When we speaking of someone attempting to break into something – we use phrases like “attack”, “breach”, “bad actor”, etc. Unfortunately journalists who like to get headlines continue the practice of misusing the words.

    1. It’s a pop-culture thing. They never get the details right, because they don’t know any better. All you have to do is watch an episode of CSI:Cyber (not actually recommended) to see how stupidly wrong Hollywood understands actual IT security subjects. Examples: In one episode, the “hacker” is terrorizing people by reprogramming electronic devices in their home remotely. One of the devices shown to be compromized is a digital clock. Not as bad as the NCIS episode where the bad guy is actively penetrating the good guys’ computer system, so the good guys try to stop them by having two agents both typing on the same keyboard.
      In either case, the shows skewed to an older audience, so the show’s producers assumed they could get away with claiming ridiculous capabilities of the bad guys. Old people scare easily..

  6. “The people” need to be corrected. It’s “cracking.” Furthermore “data are” and “media are.” It appears that the CCP virus will leave us all with “data is.” Not acceptable.

    1. “Furthermore ‘data are’ and ‘media are.’”Depends on whether you consider “data” and “media” to be Latin words, or English. If they’re Latin, then they “are” (plural), but in English they be well be “is” (singular). Just because we adopt a foreign-language word doesn’t mean we have to take it “as-is”. For example, consider the word”igloo”. Does that give you an image of a dome of ice blocks with an arched entryway? That’s what it means in English. But to the Inuit people who invented the word, “igloo” means “house”.

    2. What about stamina?

      1. What is the plural of “stamina”.

  7. I don’t know if the statute can be saved by a court. It’s very possible that Congress intended to criminalize TOS violations. Accessing a computer in violation of the owners’ instructions was a very different thing in 1986 than in 2020.

    Maybe Congress needs to fix it.

    1. Also accessing versus using.

      Those are very different verbs….

    2. “Maybe Congress needs to fix it.”

      Congress can’t fix their shoelaces without help from staffers.

      1. “Congress can’t fix their shoelaces without help from staffers.”

        That’s unfair. Heck, there are some congresspeople who even brush their staffers’ hair.

  8. “The First, Fifth and Seventh circuits joined the Eleventh Circuit in applying the anti-hack law to people with authorized access to computers. The Second, Fourth and Ninth circuits have adopted a narrower approach of applying the law only to people who hack into a system, or use it without permission.”

    I hope the actual question is well defined because the two scenarios listed are completely different.

    So what will the Supreme Court actually be deciding?

  9. “I realize that there are many in the technical community who insist that the correct word for unlawful unauthorized access to a computer is “cracking,” not “hacking,” and that most people use the term “hacking” incorrectly. But most people follow colloquial usage, pretty much by definition, so I think it’s fair to put the question that way.”

    Do you react similarly when people who aren’t lawyers use legal terms of art incorrectly, and then excuse it by explaining that their usage is common and therefore perfectly acceptable?

Please to post comments

Comments are closed.