The Supreme Court Reins in the CFAA in Van Buren

A very important ruling.

|

The Supreme Court handed down its first big decision construing the Computer Fraud and Abuse Act last week, Van Buren v. United States Van Buren is a major victory for those of us who favor a narrow reading of the CFAA.  It doesn't answer everything.  But it answers a lot.  And it frames the debate over how the CFAA applies going forward on what I think is ultimately the right question.

First, some context.  The CFAA criminalizes unauthorized access to a computer.  For years, the big question raised by the CFAA is what counts as an unauthorized access. The statute speaks of two ways of violating the statute—"access without authorization" and "exceed[ing] authorized access"—but the cases had not drawn sharp distinctions between them and the government's briefs often had just spoken of 'unauthorized access' as an undifferentiated whole.  And the basic concept of authorization was largely up for grabs.  What makes an access unauthorized?  Is that hacking in?  Is that violating terms of service? Or just visiting a computer in circumstances the computer owner wouldn't like?

Before Van Buren, we really didn't know.  The facts of Van Buren presented a perfect opportunity to shed light on that.  Nathan Van Buren used a government database for personal reasons after being told he could only use it for work reasons.  Was he engaging in authorized access (because he had access to the database), or was he engaging in unauthorized access (because he was violating the access policy)?

Van Buren goes a long way toward answering those questions.  In the Court's view, the CFAA is all about gates.  "Access without authorization" and "exceed[ing] authorized access" both call for the same basic test: A "gates-up-or-down inquiry."  To violate the CFAA, a person needs to bypass a gate that is down that the person isn't supposed to bypass. As the court puts it, a person needs to enter "particular areas of the computer— such as files, folders, or databases—that are off limits to him."

Under this view, the two ways of violating the statute work together. The prohibition on "access without authorization" bans entering a computer one is not authorized to access, "targeting so-called outside hackers—those who access a computer without any permission at all."  The prohibition on "exceed[ing] authorized access bans "entering a part of the system to which a computer user lacks access privileges." That language "target[s] so-called inside hackers—those who access a computer with permission, but then exceed the parameters of authorized access by entering an area of the computer to which that authorization does not extend."

As the Court puts it, "liability under both clauses stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system." Van Buren didn't violate the statute because he was provided access to the database; the workplace rule wasn't a closed gate. (Some of the quoted language above is from the Court's description of the petitioner Van Buren's interpretation of the CFAA, rather than the Court's explicit statement of its view, but the Court then says it is persuaded by Van Buren's interpretation and that it is the best reading of the statute. I think means we can treat the Court's description of Van Buren's interpretation as its own.)

The Court also suggests that the basic gates-up-or-down inquiry might rest on authentication, such as bypassing a password gate by giving the correct user credentials.  Here's the language, in Footnote 9, which it presents in the course of explaining why the Court is persuaded by Van Buren's gates-up-or-down interpretation:

Van Buren's gates-up-or-down reading also aligns with the CFAA's prohibition on password trafficking. See Tr. of Oral Arg. 33. Enacted alongside the "exceeds authorized access" definition in 1986, the password-trafficking provision bars the sale of "any password or similar information through which a computer may be accessed without authorization." §1030(a)(6). The provision thus contemplates a "specific type of authorization—that is, authentication," which turns on whether a user's credentials allow him to proceed past a computer's access gate, rather than on other, scope-based restrictions. Bellia, A Code-Based Approach to Unauthorized Access Under the Computer Fraud and Abuse Act, 84 Geo. Wash. L. Rev. 1442, 1470 (2016); cf. A Dictionary of Computing, at 30 (defining "authorization" as a "process by which users, having completed an . . . authentication stage, gain or are denied access to particular resources based on their entitlement").

Let's pause and step back. What does it mean?

First and foremost, this is a major victory for those of us who favor a narrow reading of the CFAA.  It settles that the CFAA is fundamentally a trespass statute.  The basic wrong is bypassing a closed gate, going where you're not supposed to go.  The CFAA does not make it a crime to break a promise online.  It does not make it a crime to violate terms of service.  The statute is all about gates: When a gate is closed to a user, the user can't wrongfully bypass the gate.

But wait, you're wondering: What counts as a "gate" that is "down"?  When I first read Van Buren, I was a bit bummed that it didn't answer that as clearly as I hoped.  On one hand, Footnote 9 seems to suggest that authentication might be key.  But on the other hand, Footnote 8 seemed to leave open what might count as a closed gate.  Here's Footnote 8:

For present purposes, we need not address whether this inquiry turns only on technological (or "code-based") limitations on access, or instead also looks to limits contained in contracts or policies. Cf. Brief for Orin Kerr as Amicus Curiae 7 (urging adoption of code-based approach).

My first reaction to this footnote was puzzlement. Isn't the basic issue in Van Buren whether a policy (here, not to use a work database for personal reasons) matters?  How can the Court reject the government's view that the policy controls and yet also leave open whether liability looks to policies? How do you reconcile Footnote 8 with the rest of the opinion, especially Footnote 9?

There are a few ways of reconciling Footnote 8 with the rest of the opinion.  My best sense at this point runs something like this: With Van Buren casting the CFAA a trespass statute that is all about gates, figuring out what counts as a closed gate on the Internet can be complicated. As I argued in my article Norms of Computer Trespass, once you see the CFAA as a trespass statute, "the challenge for courts is to distinguish provider-imposed restrictions and limits that are at most speed bumps (that cannot trigger trespass liability) from the real barriers to access (that can)."  As Norms explains, the line between real barrier and mere speed bump can be subtle. It can rest on "shared views about what invades another's private space and what doesn't."  It's not just about technology, but also on social understandings of technology.

One way to read Van Buren—not the only way, but the way that seems most plausible to me at this point—is that it does the major conceptual work of reining in the CFAA by casting it properly as a trespass statute.  It now leaves to lower courts the largely interstitial work of figuring out the hard line-drawing of what exactly counts as enough of a closed gate to trigger liability.  The authentication test suggested in Footnote 9 is one way to do it.  And I personally tend to think it's the right way; for what it's worth, it's the test I argued for in Norms of Computer Trespass. But whatever the specific right answer is, the Court has now directed lower courts to the right question.

In the end, Van Buren doesn't answer everything.  But it answers a lot.  And I think it  focuses the lower courts on the right set of questions going forward.

(Cross-posted at Lawfare)

NEXT: A Case with "All the Trappings of a Bingeworthy (or Cringeworthy) Primetime Soap Opera"

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. This is as good a place as any to mention one of my pet peeves. The CFAA is a criminal statute. It also has a civil remedy provision for victims of that crime (with a certain damages threshold). I once had to litigate that in a civil case. The violation was in the grey area, and we lost because the judge did not want to broadly consture a criminal statute.

    IMO, it is a mistake to make civil liability dependent on a criminal statute. (Apart from the CFAA, you also have this for RICO and DTSA, among others). Civil statutes have a different purpose, and it defeats their purpose to limit them with the baggage of criminal law.

    A better model is the Trademark Act. It has special civil remedies for counterfeiting. A separate criminal statute, 18 USC 2320. While the two are obviously related, courts are not constrained in applying the Trademark Act by the criminal provision.

    1. I don’t think you will ever totally free yourself from this. Under negligence per se doctrine, criminal statutes are one of the major mechanisms to supply tort duties. And legislatures know this.

    2. I get the concern (yours and the judge’s), but if the same conduct that might violate a criminal statute also causes damages to a victim, why shouldn’t the victim be able to seek recovery in a civil action upon a showing that the statute’s elements were met?

      There are obviously different burdens of proof anyway and meeting the preponderance standard doesn’t at all imply that a jury’s also going to find beyond a reasonable doubt if a criminal prosecution were brought. A victim may not be inclined to press criminal charges either.

      It’s not quite the same of course, but as is well known, plenty of torts are both civil and criminal. Assault and conversion/larceny. People sometimes sue for assault damages, but aren’t interested in having the perpetrator prosecuted. In this context, I don’t see how the CFAA is much of an outlier.

      Anyway, I think given the narrowing done in this SCOTUS decision, the opportunities for bringing civil cases are going diminish considerably. So it may end up being sort of moot in the end.

  2. interstitial???
    Based on my biology-related use of this term; can you explain its meaning in the legal context. Looking up definitions online was no help (even though I can make an educated guess based on the context).

    1. As I understand (just now) the biology use, the legal use is quite similar. It’s also gap-filling. Here, SCOTUS clarified that only bypassing a “down” gate counts as a violation for the CFAA. But it didn’t give any explicit guidance on how to determine whether a gate is “down” in the first place. (I think it at least made some hints though.) So that is the gap left open (the puns just write themselves) by the SCOTUS opinion. It then falls to the lower courts to fill that gap by devising a test for identifying “down” gates.

    2. “I recognize without hesitation that judges do and must legislate, but they can do so only interstitially; they
      are confined from molar to molecular motions.” — Justice Holmes, dissenting in Southern Pacific v. Jensen.

  3. If a cop has been told that he can only access a database for professionally authorized reasons, and he uses it to get the address and phone number of a woman he met on the job, it seems to me that he went through a gate. He’s been told not to do it, and he did it. Legitimate access was defined, and he violated a restriction. If I understand this decision – and the aim of this author – his behavior, although against department regulations, would not be against this law. Don’t like it.

    1. No, being told not to do something is not a gate. Think of a physical gate, not a checklist. If my front yard is fenced and there’s a locked gate, it’s pretty clear that the yard is off limits to casual visitors. If there’s just a sign saying “please keep off the grass” but not “no trespassing”, it’s less clear: I probably can’t picnic, but can I retrieve my frisbee?

      Since the law has criminal penalties, it should be clearly established what the rules are, and they should be legally defined. “Whatever the owner says” isn’t a reasonable basis to sentence someone to jail. Otherwise I could put up a sign saying “all visitors must dance on the way to the door”, and some zealous prosecutor could charge anyone who didn’t.

      In your example, anyone who violates the rules of their employer (or a website!) can still be punished by whoever made the rule – fired or lose access. But creating a private rule shouldn’t create a criminal offense.

    2. Too much gray area there, suppose he’s on patrol and he encounters her, thinks she is attractive and asks her name.

      Then he inquires online to “check for warrants” and get her address and phone number. His pretextual inquiry on warrants is likely sufficient to protect him from unauthorized access, but is there a crime in converting the knowledge obtained to contact her personally?

      And then I’ll also point out maybe he should just be fired for breaking work rules, not everything needs to be a federal case.

      1. Yes, the problem with the CFAA (up until now) is that breaking work rules IS a federal case.

      2. You don’t even need a pretext. What if he legitimately pulls someone over for speeding who, after rolling down her window, turns out to be a stunningly beautiful, single woman. As part of the standard process, he will certainly retrieve all her info using his patrol car’s data terminal. Then let’s say he just sends her off with a warning. At that point he still has done absolutely nothing wrong and hasn’t relied on any pretext either. But maybe the woman made such an impression on him that her name, address, and perhaps even phone number, stuck in his memory. Then a week goes by and he’s still thinking about her. So he works up the nerve to call her or pay her an in-person visit. And of course at that point his actions would violate clear departmental policy. But the suggestion that they also bear even the slightest resemblance to “exceeding authorized access” is just beyond absurd.

    3. There’s a lot of leeway there for professionally authorized reasons. Perhaps he just has a hunch. Or a weak suspicion. Or a curiosity. He heard the name somewhere. And then he obtains the data.

    4. In light of this decision, what he did wouldn’t violate this particular federal law, yes. But did he bypass a gate as described in the decision? No. He literally had access to the info in the database in the sense that nothing—physical or otherwise—was preventing him from viewing/obtaining it. Think about it this way. Let’s say you work at a company that has a customer database for use during normal business hours. In one scenario, the database continues to be available on the weekends, but the company simply tells employees to refrain from using it during that time. In another scenario, the company configures the database to be offline during the weekend. Hopefully we’d all agree that in the latter scenario, the database could be described as “inaccessible” on weekends, or that the company has “disabled access” to it. But would anyone say the same about the former scenario? I really don’t think so. Employees can absolutely still access the database on weekends if it stays available. In doing so they have certainly violated a separate promise made to their employer about *when* they would—or wouldn’t—access the database, but they haven’t gotten any extra or improper access that wasn’t already available to them.

      But I’m not saying his behavior wasn’t repulsive. It was. And he did commit a crime. It just wasn’t a CFAA violation. Rather, it was a garden variety instance of soliciting or taking a bribe. (Albo offered and Van Buren accepted something of value—money—for Van Buren to perform an official act—running a license plate. That seems like a classic bribery situation to me.) Why he wasn’t pursued for run of the mill bribery is beyond me. Anyone unhappy about him getting off on the CFAA violation should be directing their complaints to the GA authorities and the FBI for being cute and trying to make a federal case out of it.

      1. They did charge him with honest-services wire fraud (the statute used for federal bribery) and he was convicted on that. But the Eleventh Circuit vacated and remanded because the jury instructions had not properly alleged an “official act” (i.e., “cause,” “suit,” “proceeding,” or “controversy”, or a “formal exercise of governmental power”) per the Supreme Court’s McDonnell opinion.

        The issue on the bribery was a jury instruction so maybe it’s curable on remand, though the way the Eleventh Circuit opinion reads suggests that will be an uphill battle. So the Supreme Court has really limited what can constitute an “official act” for federal bribery and said that because the officer had access to the law enforcement database (because of his official capacity) he did not violate CFAA. That’d mean the officer could not be convicted of any crime federally even though the underlying conduct seems very clearly to be bribery, i.e. taking $5,000 to do something that you have special access to as a law enforcement officer.

        I guess the retort could be for Congress to make CFAA more clear, provide a more comprehensive definition of “official acts,” charge these cases under state law, etc. But taking a step back and looking at the result (no federal criminal liability), I wonder if perhaps the Supreme Court is getting a little too cute in interpreting some of these federal criminal statutes.

        1. Those are good points. I think I’m in the minority for VC, but I don’t agree with McDonnell, and similarly, Kelly. So I would agree SCOTUS got too cute there. But those involved bribery statutes, and the CFAA isn’t one, so to me, the correct solution is not to repurpose the CFAA to cover something it shouldn’t, but to take the bribery statutes you already have and just make sure they function effectively. And/or use whatever state laws are out there, but it seems like everyone always defaults to federal for some reason.

        2. I guess the retort could be for Congress to make CFAA more clear, provide a more comprehensive definition of “official acts,” charge these cases under state law, etc. But taking a step back and looking at the result (no federal criminal liability), I wonder if perhaps the Supreme Court is getting a little too cute in interpreting some of these federal criminal statutes.

          Why is that cute? Why should there be federal criminal liability here? The state assuredly has an anti-bribery statute. Why on earth do the feds need to prosecute this at all?

  4. On the Internet, the standards (RFCs) published by the Internet Engineering Task Force should help inform when something is actually a gate (security control) versus a speed bump. They often discuss security concerns for the protocols they are documenting. If the RFC says a specific field shouldn’t be used as a password or for security purposes, that’s most likely a speed bump, not a gate.

    1. It always warms my heart to see the RFCs mentioned, although I’m not sure why they’d be particularly useful here. But then I don’t go in for the speed bump/gate paradigm anyway.

      1. RFCs aren’t really relevant to this particular case, just figuring out how determine if access is authorized or not in general.

        Generally I agree with Prof Kerr that software based controls are the way to go, but the corner cases get tricky. Vulnerabilities exist where security controls are missing or defective. Is a directory traversal attack against a website simply an unorthodox request, but legitimate request or exceeding authorized access? What about SQL injection? Does it matter if you’re injecting SQL commands to simply view the data or destroy it? What if the website includes SQL commands in the URI and you change them? What about if there is a security control in place that attempts to strip out special characters to prevent such an attack, but you mange to bypass it?

        That’s where I think the idea of looking at norms from physical trespass law can be helpful. If someone exposes something to public view, even accidentally, it’s not a trespass to inspect it or use the information you’ve gained as use see fit. The desires of the owner or even how you use that information is to the disadvantage of the owner don’t matter. The same should be true for the anti-hacking laws. But, on the public Internet, Courts should look to RFCs to determine norms, not just how well the general public knows specific commands that are documented in the standards.

        1. Fair point. I generally agree with most of that. For sure in some cases it’s going to be complicated to figure out what access was or wasn’t authorized, and stuff like RFCs and other standards can be helpful, but you’re still operating in the technical, not contract/policy, realm no matter what, so I think that is in keeping with Prof. Kerr’s approach.

          That said, I don’t find your corner cases that difficult really. I query (no pun!) whether they’re even corner cases. You cite examples of well known attacks that involve malformed and/or unexpected inputs to a system. I don’t see how it would require an excessive amount of effort to show that the inputs are intended to get the system to do something it’s not designed to do. Certainly that means getting into the technical weeds to some extent, but it’s not a Herculean task either. For example, if I exploit some kind of bug on a shopping website to allow me to pull up all customers’ credit card info, that’s sort of res ipsa or hacking per se. You don’t need to be Alan Turing to figure that one out.

          One area where I part ways a little is your trespass analogy. Your example is more like the shopping website either deliberately (unlikely, I know) or inadvertently had its site configured to display all the credit card info each time someone visited a particular page as part of the legitimate shopping process. Certainly in that case, I agree that anyone who opportunistically—and *passively*—seizes on that info to purchase a bunch of stuff without having to pay for it personally didn’t “trespass” or “hack” the website. But your corner cases are quite different because there a particular individual has to take some *special affirmative* action to *cause* the otherwise unavailable info to be disclosed. It’s the difference between being unscrupulous enough to snatch a bag of cash lying on the ground that someone mistakenly failed to store in a vault, and getting at bags inside the locked vault by using some sort of technical means to trick the lock mechanism into opening.

    2. See Norms of Computer Trespass at 1162-63 (describing the role of RFC1945 and RFC2616 in the proper interpretation of the CFAA).

      1. Thanks, I’ve read some of your other work, but not that specific article. Auernheimer was the first case that came to mind where consulting the RFCs would show that the activity in question was authorized, so it was good to see you mention it. But I don’t recall RFCs being brought up there. It’s been a few years, so maybe I’ve forgotten. Are you aware of any CFAA cases where the court has looked at RFCs to determine if access was authorized?

        Sierra Corporate Design, Inc. v. Ritz, where the defendant was found guilty of unauthorized access under a state CFAA analog is another case where I think looking at the RFCs would have shown the access was authorized. Ritz preformed a zone transfer from the DNS server of a company he was investigating as a spammer. The court found that a zone transer was an obscure command and referenced some security guidance from Microsoft that says denying off network zone transfers is a best practice. But just because someone might not have intended to expose certain information or it would have been better practice to block access, doesn’t mean a gate has been put up preventing access.

  5. A helpful distinction to understand this ruling is to understand the difference between authentication and authorization.

    Authentication is establishing “you are who you say you are”. When I log in to Reason, I present my credentials to establish that I am “ah_clem” and Reason’s website accepts them and lets me in.

    Authorization is “now that we know who you are, what can you do”. In this case, I can post comments as “ah_clem”, but I am not authorized to make front page posts, delete comments, edit the stylesheets, or any of a number of things that more privileged users may.

    If I were able to obtain, say, Josh Blackman’s login credentials and post something to the front page by spoofing “authentication* it’s probably a crime. If I were able to log in as “ah_clem” and somehow delete articles or edit the stylesheet, by escalating *authorization* that would also be a crime.

    But if I just ignore EV’s admonition to be civil in the comments, that’s not a crime. Or if I download and cache every comment posted in the comments, and repost some of the jucier ones on Twitter, it’s not a crime under CFAA since I haven’t spoofed the *authentication* piece, nor have I hacked the *authorization* piece.

    Assuming I read the ruling right.

    1. All this is helpful background for the most part, although the aspects discussing authentication aren’t really that relevant to the decision. The case didn’t involve any questions about authentication. But on the escalating authorization part, yes that’s the essence of it. Likewise the list of examples in the last big paragraph.

      It’s also not really correct to say that misappropriating Blackman’s credentials and posting as him (most farfetched hypo of all time? who on earth would ever be masochistic enough to do that?) is spoofing. Actually, spoofing is kind of the opposite. That would involve making a post show up on VC that appeared to be from Blackman *without* using his credentials to do it.

  6. Prof. Kerr, congrats on the multiple citations and the substantial vindication from the outcome.

    I was puzzled by FN8 as well. The way I reconcile it is just that the majority wanted to endorse the code-based approach, but for whatever reason (maybe to secure enough votes) couldn’t come out and say so. It’s clearly implied to the greatest extent possible. That would also nicely address the potential “awkward results” posited by the dissent on p. 8. I’ll skip the first one—about client credit card purchasing histories—because it’s underspecified. The second example involves an employee who tries to delete computer files either right before or after announcing a resignation. Under the code-based approach, liability isn’t subject to the vagaries of timing, because the employee still can technically access the files either way, so isn’t committing a violation by deleting them. Of course, if the company got wise to the employee’s plans in advance and disabled access to the files or password-protected them, or did so after the resignation was announced, then it would indeed be a violation to circumvent those measures somehow. Likewise for the final example about Windows solitaire. Even if an employer completely prohibits playing it under all circumstances, as long as it’s still sitting there physically accessible from the Games folder, then it’s no violation to fire it up despite running afoul of the company’s honor system. Again, if the company did in fact install software that prevents running apps in the Games folder, and then a particularly desperate employee figured out how to bypass the software lock, I suppose that could be a violation.

    Speaking of puzzlement, I’m a little surprised that your takeaway is the CFAA being a “trespass” statute. As I read the opinions, the trespass concept was rejected by the majority and instead used to support the dissent’s position. It seems like you might be using it as a shorthand way of referring to the majority’s “gates up or down” approach. But if so, isn’t that sort of inviting confusion? Please set me straight in case I missed something.

  7. One last thing that might help put the case in context.

    I think some folks may have a misconception about the relative frequency of “outsider” and “insider” hacking. The former happens pretty much all the time on a regular basis. It also tends to make the headlines when it concerns a significant target. Case in point being the recent pipeline ransomware attack.

    Given the prevalence and high profile of outsider hacking, I suspect people may assume that insider hacking is just as common. But it really isn’t these days. It was more of a thing in the 80s when the CFAA was enacted. At the time, a lot of institutions like gov’t agencies and big companies relied on multiuser systems (e.g., Unix), which afforded plenty of opportunity and/or temptation to escalate access and probe other users’ files and data. Nowadays it’s not so relevant since everyone has their own Mac or Windows machine. Of course there are still shared systems like file servers and databases, but usually all users have equal access to those anyway.

    Actually, it’s sort of challenging to think of genuine instances of insider hacking that have occurred lately. They only can really happen in settings where some data is so sensitive that access has to be restricted to a small subset of users. Maybe the Manning/Assange password cracking incident comes close, but in that case Manning already had access to the system in question under her own account; she was just trying to crack a password for a different account to access the same system. If you changed the facts a little so the attempted cracking was for a password to some ultra super top secret system that Manning couldn’t ordinarily access, I think you have a pretty decent example of real insider hacking. But again, such instances tend to be rare.

    1. You must not work with classified material. Every year, I have to take a training course on how to identify “insider threats”. I agree with you that “insider hacks” are not that newsworthy unless you work in computer security.

    2. It depends on how you define “hacking.” If you accept the broader definition that the Supreme Court rejected here, then it is quite common. There are many trade secret cases in which an employee downloads critical information from the employer, then jumps ship, taking it with him.

      1. Yeah, I think it’s no secret (no pun!) that I don’t see all TS theft as automatically involving insider hacking. Certainly the latter can be used to achieve the former, but that’s it. I also agree completely that TS theft, or at least allegations thereof, happens all the time. (So many of the cases end short of going to trial I think you can be skeptical whether some of the alleged TS would have actually have passed the legal test to qualify as such.)

        That sort of responds to TTT too. I don’t quite know what s/he/it gets at with “insider threats”, but assuming it involves both TS theft and hacking, then yes I likewise agree it’s common—but mostly because of the former component—and I certainly recognize that companies and gov’ts have good reason to be concerned about it and want to take precautions to prevent it. If you look at so many of the big insider cases, they either don’t or almost entirely don’t involve any hacking, just straight leaking or retention. For example, Manning aside from the cracking episode, Snowden, Vault 7, Reality Winner, Harold Martin, etc. etc. All of them already had available access to the disclosed/retained stuff. If you want to have any hope of avoiding detection and capture, it’s also kind of stupid to attempt hacking as an insider. Obviously, it’s always easier to identify an insider because you start with a limited group of potential suspects. So why on top of that would you want to draw attention to yourself by engaging in hacking? It doesn’t make a lot of sense to me.

  8. I’m curious how, or if, this ruling affects the government’s case against Assange. The CFAA aspect always seemed very weak to me to start with, I think this ruling only further weakens it.

    1. Good question. I think it has some indirect relevance at least, but I don’t see how it has much impact one way or the other. Certainly I don’t think it weakens it at all.

      For one, as I understand the Assange superseding indictment, the CFAA count charges him with “access without authorization” based on conspiring with Manning to crack another user’s password for a system Manning also had access to. Obviously that’s different from Van Buren’s charge under “exceeding authorized access” for the database info misuse. While the former provision was also discussed at points in this case, nobody (VB or the gov’t) disputes that it already works in a “gates up or down” fashion.

      So as I see it, this case did nothing to alter the existing interpretation of the “access without authorization” provision; it simply acknowledged it. And under that interpretation—or even a narrower one that somebody might imagine—I don’t think there’s any dispute that Assange’s conduct amounted to a violation. Password cracking is sort of the quintessential example of “access without authorization”; it’s CFAA 101.

      I understand Assange may be pushing some defenses like it wasn’t really unauthorized access because Manning could already user her own account to access the system anyway. That is a legal defense, but I can’t see how it would fly because having one’s own separate account doesn’t somehow make cracking someone else’s password authorized. It seems like there’s also more of a factual argument based on the cracking attempts themselves being so inept that they never actually succeeded. But that’s obviously no defense to a conspiracy charge whatsoever. Last, he’s putting forth a possible vagueness challenge, but that doesn’t even go to the merits.

      Whatever your opinion about anything else Assange has done, the other charges, and his motivations generally, from the looks of it, he does seem to be pinned down pretty well on this CFAA conspiracy charge. Of course, as it stands now, he’s not getting extradited unless the U.S. can reverse the initial court decision in his favor, so it may all be moot anyway.

  9. Since we are on this case, let me give you a scenario that I actually litigated, which I don’t think has been setteled by the Van Buren case.
    Company has a website. Part of it is open to the public, part not. To get into the more private part, you have to sign up for an account. As part of the sign-up you have to represent that you are a member of the profession that the website services (i.e. lawyers), representing the state where you are admitted to the bar, your law school and year of graduation.
    Someone from a rival company decides to spy on Company’s website. So he signs up, using a fictitious name and fake credentials. He is not a lawyer, never got beyond a B.A., and is not a member of the bar, and lies about all these facts in his applicaiton. Once he gets his account, he goes into the private portion of the site, and gathers sensitive information.
    CFAA violation?

    1. Maybe your specific case came out differently, but I’d say definitely not. I actually think VB pretty much resolves it too.

      At the most basic level, the rival company employee *had* access when he retrieved the “private section” info. So, speaking in the language of VB, the “gates” were “up” already in that case. The other company seems to have been exceedingly careless in giving out access based on the honor system, but that doesn’t change the fact that, once given, access existed and was available for the rival employee to use.

      You can also analogize the facts to the facts in VB. While VB didn’t involve an express misrepresentation like your case did, I’d say it still involved a similar misrepresentation, just an implicit one instead. In VB, there was obviously a policy the officer expressly agreed to when he initially got database access that he’d never use it for non-official purposes. So in essence, every time he accesses the database, he makes a new implicit representation that his purpose for that particular access is proper. It’s also not really different from there being no express policy at the outset, but instead, being prompted to make a new express representation each separate time you access the database. And as I said, in your case too, an express representation was required as a condition of access. Given that the VB court rejected the idea that the facts of VB’s case made out a CFAA violation, I don’t see how the outcome would be any different in yours.

      I look forward to your response!

      -hr

      1. But the point is, he got the gates to go up by fraud. Had he hacked into the system (let’s say by using some password bypass software), he clearly would have violated the CFAA. Instead he bypassed the system with lies about his education and profession.
        When we litigated this, we analogized it to tresspass, which is often what the CFAA is analogized to. Let’s say someone comes to your house and says, I am from the electric company, I need to get in to read your meter. If they are telling the truth, and you let them in, that is not tresspass, even if they also snoop around on your furniture.
        But what if someone outright lies — pretends to be an electric company employee, and produces a forged i.d., just to get in? That is tresspass, or tresspass by fraud. See Shiffman v. Empire Blue Cross and Blue Shield, 256 A.D.2d 131 (NY 1st Dep’t 1998), where the NY Appellate Division, affirmed the trial court’s denial of a motion to dismiss a trespass claim where “it was undisputed that defendants gained entry to plaintiff’s private medical office by having a reporter pose as a potential patient using a false identity and bogus insurance card.” Id. https://casetext.com/case/shiffman-v-empire-blue-cross-blue-shield-1
        That is what we argued, but we lost.

        1. I totally see what you’re getting at, and that’s a great case to analogize to, but still, VB rejected the common law trespass analogy; that was the losing side’s position on the dissent. And like I said, just on the facts, VB’s case involved a very similar kind of misrepresentation, albeit implicit not express, but yet it wasn’t enough to carry the day.

          Also, while it has surface appeal, I don’t know that Shiffman is really so close on the facts. Your website example is more like having a big library that’s mostly open to the public, except one small section is for VIPs only. Nothing physically prevents someone from entering that section. Outside are posted instructions for “self-service” entry. They say that anyone who writes their name in the visitor log and also checks a box to affirm that they are indeed a VIP may enter. Oh, and the instructions also note that the visitor log affirmations are never verified or maybe only a handful of times a year. So I write down “Potter Stewart” in the visitor log and check off the box, walk in, look at some books and maybe even copy a few passages of interest, then leave. Have I seriously “defrauded” the library of anything or committed “trespass” into the VIP section? I think it’s highly debatable. Maybe I breached some kind of contract with the library, but that’s about it. You can at least see how different it is from Shiffman if nothing else. And again, the VB Court has said trespass analogies aren’t valid for the CFAA anyway.

          You could reformulate VB’s facts the same way as my library example. Most areas of the police station where he works are open to all officers unconditionally, except for the room where license plate files are kept. Any officer can go in there too, but each time the officer must write her/his name and date in a log, and check a box that the entry is for an official purpose. The Court has now said that’s not a violation if a hypothetical officer dishonestly checked the box when entering. And that’s functionally no different from my library example, which is in turn adopted from your website case.

          Maybe there’s an objection that the above is too “I know it when I see it” and fails to ensure that socially engineering someone’s password is still covered by the statute. Or that the statute covers the initial part of WarGames, where the “hacking” isn’t really so much David’s war dialing that discovers WOPR, as his failure to disconnect immediately despite obviously knowing he’s not an authorized user—so by staying connected he’s implicitly misrepresenting himself as one. I think the distinction is, in those settings there is a fixed, predefined, discrete list of authorized users, and you’re either on the list ahead of time or not. So social engineering is still a violation because you’ve improperly acquired a specifically identifiable authentication credential. Again, the VB Court discussed this somewhat in FN9. Likewise, in WarGames, although David didn’t implicitly represent himself to be a certain user, once his identity came to light (no pun!) it was straightforward to look at the WOPR user list and realize that he wasn’t on it. Again, that’s why I wish the Court had done the whole enchilada and expressly signed on to the code-based approach.

          Sorry that you ended up losing your case though. That always sucks. You put forward the best possible argument I think.

          1. I think Bored is correct that Van Buren leaves open the question of fraudulently acquired authorization. One may argue the user had authorization irrespective of how he obtained it, and that by analogy with contract this constitutes fraud in the inducement rendering the agreement voidable but not void. Or, analogize to trespass as Bored did, or argue that the misrepresentation was so complete that the authorization used was granted to a different (fictitious) person which is a clear CFAA violation. It could go either way.

  10. The new “gates totality” inquiry, perhaps.

    Imo, the best way to reconcile the footnote is to say that asserting a purely permission/policy theory of the crime doesn’t meet the necessary element, but that a comprehensive inquiry into the circumstances can include permission/policy (in addition to code, etc.).

    I’m the only one who thinks this, but I think the easiest way out of the maze is to take the third party out of the question completely. As a matter of public law, (I think) unauthorized possession of a firearm means that you haven’t licensed it, or that your possession of it is inherently criminal — not that the “Stop & Shop” has a “no guns” sticker on the front door. So if one’s access of the computing system is part of a crime (fraud, etc.), one’s access would be unauthorized from the point of view of public law.

    Just my $0.02.

    Mr. D.

Please to post comments