My Amicus Brief in Van Buren

A submission for the Supreme Court's big CFAA case.

|The Volokh Conspiracy |

As regular readers know, I've been writing, blogging, and litigating about the scope of the Computer Fraud and Abuse Act (CFAA) for over twenty years.  The Supreme Court is hearing a big CFAA case this fall, Van Buren v. United States.  I figured this was an important case to chime in on, so today I submitted this amicus brief, on my own behalf, in the case.

Bonus: It discusses an old Volokh Conspiracy blog post and covers one of my favorite 1980s movies.

NEXT: ICE's Plan To Kick Out Foreign Students Is Chilling

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. I think this case and Oracle vs. Google really show the limits of textualism and Originalism … like there were briefs arguing, like an api is like a dictionary so google wins or an api is this so oracle wins, all trying to find the right analogy when none actually had any understanding of how computers actually worked.

    The CFAA was written by legislators in the 1970s with no understanding of how computers or computer culture actually work. Your brief points out the analogy between trespassing and unauthorized access … but it should be obvious those are completely different. Trespassing is clearly illegal. Hacking is done as a hobby.

    Prof. Kerr, wouldn’t it be more appropriate to abandon those approaches for these computer related cases and make a Breyer-esque value judgement?

    1. Alladin, I’m not sure I follow. It’s a statutory case, so it doesn’t involve originalism. And the text here doesn’t answer the question, it seems to me. So you’re left with what to do when the text doesn’t provide an answer. If your own answer is that you just make a policy judgment, that’s one view, although that doesn’t answer how you provide a policy judgment: Based on what, with what end, with what institutional assumption, etc.? So I don’t see this case as suggesting we should “abandon” textualism as much as saying it’s about what to do when the text doesn’t provide an answer.

      1. I was more citing originalism in Oracle to note the limits of that in application to a computer case.

        I think it would be appropriate to start with deference to criminal defendants and the on notice requirement. The statute is clearly overbroad, so it would bring up significant fair notice concerns. One can limit it that way. I don’t know if you mentioned that, didn’t read through all of it.

      2. But even in the first theory you mentioned, the CFAA may criminalize all actions of that sort but … there is a world of difference between buying a zero day and using it or … hey the guys password is “password”.

        In other words, yeah the statute criminalizes relatively benign things but even straightforward and limited understandings of the notion of unauthorized use also brings up a bunch of issues.

        And you could make a trespassing analogy with, there is a difference between blowing open the door and walking in if the door is wide open but I don’t know if these analogies are so clear cut.

      3. “So you’re left with what to do when the text doesn’t provide an answer. ”

        If the text of a criminal statute doesn’t provide a clear answer, the defendant should win.

  2. Admitting to a federal crime in an amicus brief is a bold strategy. Let’s see if it pays off.*

    *It should of course.

  3. I never realized until now that I violated the blog’s terms of use when I visited Alaska. Sealanders unite!

  4. I knew it was going to be “Wargames”!

  5. Whatever happened to “executive summaries” — or why don’t briefs have them?

    A concise paragraph — “this case is about X, I think the court should rule Y for reason Z.”

    1. I’m not sure what you mean? The brief (Prof. Kerr’s) does have a summary of argument on pp. 1-2, which is required (by Rule 37.5). It is a concise paragraph, I think, although perhaps not providing the contents you specified, but the rules don’t dictate the summary’s substance, only its existence. Moreover, the ToC, which is also required (by Rule 34.2), functions as a sort of supplemental summary. Finally, although not required, the start of the argument on pp. 2-3 has a further detailed summary, so you really get a 3-for-1 special here.

  6. You really should have concluded your brief with: “The only winning move is not to play.”

  7. From the brief:

    “Congress did define “exceeds authorized access” in 18 U.S.C. § 1030(e)(6), but that definition is notably unhelpful: the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter. This definition is largely circular.”

    So what if it’s circular?

    It’s still pretty clear.

    Also,

    “Express restrictions are treated only as an effort to impose a contractual obligation on the user. Violating those terms might be a breach of contract. But it is not an invasion of the computer owner’s property that is recognized as a trespass.”

    I disagree and give an example if I go into McD’s.

    I can go to the counter and dining area, but I obviously can’t go into the kitchen area and could be found to be criminally trespassing if I don’t leave.

    Also, your Sealand example is ridiculous.

    First, earlier in your brief you state the majority of people don’t read the ToS, yet you actually read Facebook’s ToS and then broke them.

    Second, this is actually a breach of contract/usage which is NOT covered by CFAA because you didn’t “exceed authorized access” (CFAA), you merely entered false info.

    It’s simply head-scratching why you’re on the wrong side of this case.

    1. He didn’t exceed authorized access under the code-limitation he is advocating for. He conceivably did if “authorized access” is defined by the TOS. Going outside of what is permitted by the TOS is exceeding authorized access.

  8. “I can go to the counter and dining area, but I obviously can’t go into the kitchen area and could be found to be criminally trespassing if I don’t leave.”

    McD’s is *required* to have secured barriers such as counters and locked doors to prevent you from accessing the kitchen, and will be shut down if they don’t.

    It’s THEIR problem if you wander in there by mistake.

    1. McD’s is *required* to have secured barriers such as counters and locked doors to prevent you from accessing the kitchen, and will be shut down if they don’t.

      Is that in Leviticus?

Please to post comments