
Supreme Court Places Limits on What Actions Violate Federal Hacking Law

Prosecutors like to use the law against people who clearly weren't engaged in hacking. The Court is trying to rein them in.


The Supreme Court ruled today that a federal law that criminalizes computer hacking doesn't cover cases where a person misuses data that he has authorized access to. The decision may sound small and technical, but it could have important implications in restraining federal prosecutions.

The Computer Fraud and Abuse Act (CFAA) of 1986 makes it a felony when someone "intentionally accesses a computer without authorized access or exceeds authorized access." While lawmakers' obvious intent was to punish cybercriminals breaking into computer systems or online platforms, it's not clear what "authorized access" fundamentally means. The statute was written before the wide adoption of the internet. What we do online and with computers is fundamentally different from what the world looked like in 1986.

The penalties for violating the CFAA can be extremely harsh, with a sentence of up to 10 years for each violation. Prosecutors use this combination of vague language and severe penalties to get defendants to submit to plea deals. Open-access activist Aaron Swartz was threatened with a lengthy prison sentence if he didn't accept a plea deal for downloading millions of academic papers from an MIT computer with the intent of making them freely available. Instead he killed himself.

Is violating a website's terms of use a violation of the CFAA? In 2008, Lori Drew was convicted for cyberbullying a teen who later committed suicide. Prosecutors used the CFAA in that case because Drew violated MySpace's user terms to make a fake account. In 2009 a judge overruled the verdict, saying it "criminalizes what would be a breach of contract."

The case the Supreme Court decided today, Van Buren v. United States, revolves around another vague application of the CFAA. Georgia Police Sergeant Nathan Van Buren used his access to his police car database to look up a license plate number in exchange for money. This violated his department's policy, but he did have actual authorization to access the database for his work. So did it violate the CFAA to misuse this authorization?

In a 6–3 decision penned by the newest Justice, Amy Coney Barrett, the court ruled that it did not. The law, she writes, does not allow prosecution of those who "have improper motives for obtaining information that is otherwise available to them." Otherwise, Barrett notes, the consequences would be extraordinarily far-reaching:

If the "exceeds authorized access" clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government's reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.

She adds that the government's preferred reading of CFAA could go so far as to criminalize lying on a dating profile or using a fake name on Facebook.

Instead, she concludes, "exceeds authorized access" means a person has accessed data that has specifically been declared off-limits. Barrett is joined in the opinion by Justices Stephen Breyer, Sonia Sotomayor, Elena Kagan, Neil Gorsuch, and Brett Kavanaugh.

To be clear, this decision doesn't give police officers a green light to access database information for non-policing purposes. It just means that they shouldn't be charged under a federal law intended to catch criminal hackers.

Justice Clarence Thomas wrote the dissent, joined by Chief Justice John Roberts and Justice Samuel Alito. Thomas argues that it's common for the law to punish those who exceed their authorization beyond the scope of consent. In response to Barrett's observation that a broad reading of the CFAA would criminalize a lot of common activity, Thomas notes that "much of the Federal Code criminalizes common activity." He then lists several unusual federal crimes, such as breaking a lamp in a government building or permitting a horse to eat grass on federal land. These odd laws have been highlighted by Mike Chase, mastermind of the Twitter account @CrimeADay and author of How to Become a Federal Criminal: An Illustrated Handbook for the Aspiring Offender. (Chase noticed the references.)

This shouldn't be taken to mean that Thomas, Roberts, and Alito agree with the CFAA or think it's well-written. They believe the Department of Justice is correct when it argues that misusing authorization in unapproved ways is a violation of the law. Congress can always change the law if members conclude it's being used too broadly.

The ruling is important in that it will (one hopes) force federal prosecutors to stop trying to throw more charges at defendants for cases that don't really involve hacking.

For more analysis of the ruling, check out the Twitter feed of Orin Kerr, a Berkeley law professor, Volokh Conspiracy contributor, and CFAA expert. He's so much of an expert that the decision cited him four times.



  1. Man, what’s the world come to, when a man can’t teach a hawk how to reach his full hunting potential.

    1. Chipper Morning Wood
      May.26.2021 at 6:29 pm
      Libertarians have more in common with Marxism than with modern conservatism.


  2. Stop teaching criminals to code.

    1. Smart criminals learn to code on their own, and sell their viruses, worms and crypto-lockers to the stupid criminals. Less chance of getting caught that way. It is the stupid ones that go to jail. And don’t forget the government built TOR, the network the dark web operates on. Makes you wonder?
      An old computer tech saying, “If man can code it, man can hack it”.

  3. I love how every depiction of a hacker has them wearing a hoodie.

    1. And a constant clickity click on the keyboard. Hacking is actually quite boring.

      1. There was an old internet ‘meme’ before ‘meme’ was a word that mocked how Hollywood portrayed computers and their use.

        The one I remember was:

        “Furious typing on the keyboard is required to keep an animated image moving”

      2. Hacking step 1: install wireshark
        Hacking step 2: watch traffic on Wireshark for 3 weeks

      3. Gives you a lot of time to drink.

        Just kidding. You’ve never hacked anything.

        1. He was going to, but the javascript on the page told him he had to disable his ad blocker and he couldn’t figure out. Lmfao.

      4. Lol. Hey master hacker, remember the last time you were playing this LARP and even in your fantasy you admitted to lifting all your code from Stack Exchange? And then when you lied and said you were leaving for Glibertarians.com and never coming back and the first thing you did when you arrived there was ask how to use basic HTML commands to underline, bold, and italicize text because you were using tags that were deprecated with HTML 4.0? Lmfao. Even the street shitting pajeet webdevs know basic HTML.

  4. related: The White House apparently warned business leaders last that “no business is safe from ransomware attacks”.

    I don’t know why all of their helpful warnings always sound like threats, but they do.

    1. *last year

    2. “Nice IT infrastructure you have there. It would be a shame…”

  5. Yeah like with sleepy Joe Biden’s claim that our worst problem is white supremacist gangs (fact check: FALSE), the worst hackers are not from here. But we don’t actually do anything about our worst problems, just made up shit that doesn’t help with rainbow colored bandaids.

  6. Hello Dr. Falken. Would you like to play a game?

    1. Pre-Breakfast Club Ally Sheedy was hot.

      1. indeed. I didn’t care for her in the parka but after Molly dolled her up they’d have made for a more fun detention than Judd bothered to set up.

  7. “To be clear, this decision doesn’t give police officers a green light to access database information for non-policing purposes.”

    Why? If not the CFAA then is there a different law somewhere?

    1. “If not the CFAA then is there a different law somewhere?”

      Rest assured that States have plenty of laws.

      1. Yes. If a state police officer accesses a state license plate database when he shouldn’t, it should be the state that punishes him.

        … of course, the fact that the federal government felt the need to prosecute the case makes me conclude (without actually checking) that the state showed zero interest in doing a thing to him.

  8. I think this article did a terrible job at characterizing the dissent. Thomas did a great job of pointing out how lots of things are very reasonably illegal when the person doing them knows that they are not allowed to be doing what they are doing. Some great examples from the dissent include: The fact that you can still be convicted of trespass even if you have permission to be on a property for a specific reason, but instead do something else. You are still authorized to be there, but you are violating the reason for that access. Similarly (another example from the dissent), you authorize a valet to temporarily take custody of your car and drive it, but that doesn’t mean they can take it on a joy ride. The courts could have drawn a line at knowingly and willfully violating the operating policy. It is not in dispute that Van Buren both knew the department policy and willfully violated it. A mens rea requirement could have very easily been articulated without making the CFAA a weapon that could be used against everyone.

    1. Hacking is gaining entry to a system you’re not authorized to use. Could mean a brute force attack by running a program that tries millions of passwords, spear phishing to gain a specific person’s username and password or trying ports that may not be secure. But they’re all equivalent to breaking and entering.

      That’s totally different than misusing something you are authorized to use.

      I agree with the decision.

      1. Since you were on Wikipedia already searching for the term “hacker”, you could have looked up “white hat”. But then again, you’re the programming and opsec hotshot who can’t figure out how to underline text in HTML Lmfao

  9. “She adds that the government’s preferred reading of CFAA could go so far as to criminalize lying on a dating profile or using a fake name on Facebook.”

    In my wildest dreams!
    Imagine a Facebook where everyone had to provide verifiable ID and use their full real live actual name. Oh, wait. That would never work.


  11. Thomas and Alito are correct.

    The law needs to be scrapped and rewritten by someone who knows what the fuck they’re talking about.

    They should probably go through the effort of defining terms like “authorized access” if they’re going to bother making the pointless laws in the first place.
