Justices Sonia Sotomayor and Neil Gorsuch (back) and Stephen Breyer (right) appeared skeptical of the government's broad reading of the CFAA. Justice Thomas, center, seemed more sympathetic to the government's view. Chief Justice Roberts, left, held his cards close to his chest.
The Supreme Court on Monday was considering how broadly to interpret the Computer Fraud and Abuse Act, America's premier anti-hacking law.
This is how I described the case in September:
The case arose after a Georgia police officer named Nathan Van Buren was caught taking a bribe to look up confidential information in a police database. The man who paid the bribe had met a woman in a strip club and wanted to confirm she was not an undercover cop before engaging in a sexual – and presumably commercial – relationship with her.
Unfortunately for Van Buren, the other man was working for the FBI, which arrested Van Buren and charged him with violating the CFAA. The CFAA prohibits unauthorized access to a computer system – in other words, hacking – but also prohibits "exceeding authorized access" to obtain data. Prosecutors argued that Van Buren "exceeded authorized access" when looking up information on the woman from the strip club.
But Van Buren's lawyers disputed this. They argued that his police credentials gave him access to all data in the database. Offering confidential information in exchange for a bribe may be against the department's policies and state law, they argued, but it did not exceed authorized access as far as the CFAA is concerned.
Apparently no one will defend a police officer who allegedly takes bribes to divulge confidential government information. The case is important, however, because the CFAA has been invoked to prosecute more sympathetic defendants. For example, prosecutors used the CFAA to prosecute Aaron Swartz for scraping academic papers from the JSTOR database. They also pursued a small company that used automated scraping software to buy and resell blocks of tickets from the TicketMaster website.
The CFAA provides for both civil and criminal penalties. For example, LinkedIn sued a small data analytics company for scraping data from its website. Last year, the 9th Circuit Court of Appeals dismissed the lawsuit, stating that the CFAA should crack down on computer hacking, not conduct that merely violated a website's terms of service.
On Monday, the court's nine justices appeared to have different views on the issue. Some seemed willing to accept the government's broad reading of the statute, while others feared that doing so could criminalize many harmless online activities.
"Parade of horribles"
At the heart of Van Buren's argument is that his conviction could open the door to the prosecution of other people whose conduct is more harmless.
"This construction would brand most Americans criminals on a daily basis," said Jeff Fisher, the defendant's attorney, during the oral argument over Zoom on Monday. "Imagine a secretary with a staff handbook stating that their email or Zoom account is only for business purposes. Or imagine a person using a dating site where users may not include false information on their profile to obtain information about prospective partners. Or think of a law student who has been issued Westlaw or Lexis credentials for educational purposes only."
"If the government is right, a computer user who disregards any of these stated usage restrictions is committing a federal crime," Fisher continued. "For example, any employee who used a Zoom account to contact distant relatives over Thanksgiving would be at the mercy of the federal prosecutor."
These kinds of hypotheticals – called a "parade of horribles" – came up again and again in Monday's argument over Zoom. Much of the argument centered on whether the government's position would open the floodgates to federal prosecution in such cases.
The government took a surprising position
Justice Department attorney Eric Feigin rejected Fisher's parade of horribles, arguing that none of Fisher's scenarios would actually result in federal prosecution. He argued that when the law spoke of "authorized access" it was not meant to cover public websites – even websites that required a username and password.
"What Congress was aiming for here were people who were particularly trusted – people who are similar to employees, the kind of person who was actually specifically considered and individually authorized," Feigin said Monday. According to his theory, anyone who broke the rules of a dating website or social media platform would not be covered by the CFAA no matter what they did.
But Justice Stephen Breyer seemed surprised by Feigin's argument.
"There are dozens and dozens of websites that state that if you agree to the terms of access, you can access this website and use the information on this site. And then you have a large, lowercase list that takes a long time. I assume that the access conditions regulate what is allowed and what is not. Authorized and not. Right?"
Feigin disagreed, arguing that the CFAA's "authorization" applies only where someone has been given "specific, individualized approval."
This seems difficult to reconcile with previous CFAA cases. For example, TicketMaster's website is open to the general public. People who buy tickets there are not "similar to employees." Still, people were prosecuted for scraping it. Similarly, JSTOR does not manually select who can access academic articles. Yet Swartz was prosecuted for downloading them without permission.
And there have been several CFAA lawsuits based on information from public websites. For example, in a 2008 lawsuit, Facebook sued a startup called Power Ventures for using its users' credentials, with their permission, to send messages through Facebook's messaging platform. Power Ventures ultimately lost that case, but under Feigin's logic it seems the CFAA shouldn't have applied at all, since Facebook offers accounts to anyone who wants one (except young children).
In another case, Craigslist successfully sued a competitor named 3taps under the CFAA for scraping classified ads and offering them in an alternative format. In this case, the content in question was freely available to the public without a username and password. However, a judge held that 3taps had "exceeded" authorized access under the CFAA when it ignored cease-and-desist letters from Craigslist.
When Justice Samuel Alito asked Feigin about the TicketMaster case, Feigin dismissed it, noting that the defendants had "hired Bulgarian hackers to circumvent some technological restrictions" – an apparent reference to the defendants' efforts to bypass TicketMaster's CAPTCHAs and other measures meant to prevent scraping. But according to the government's current theory, the CFAA should not have applied at all.
"I've never heard any suggestions from the DOJ before."
Some legal scholars were left scratching their heads by the government's position.
"Up to this point, everyone, including the Justice Department, has agreed that the statute is incredibly broad, except for the issue of approval," wrote Orin Kerr, a legal scholar who supports a narrow reading of the law. "In this case, however, the DOJ rejects the DOJ's earlier views on the matter. It not only rejects, but mocks it as an extremely ridiculous, pure fantasy."
"Aside from being inconsistent with the DOJ's previous positions, the DOJ's new views appear to have no textual basis in the statute," added Kerr. "I've never heard the DOJ's suggestions before reading your letter, and I've been living this stuff for over 20 years, including while I'm at the DOJ."
Indeed, if the Supreme Court chooses this latter option, the change in interpretation of the CFAA could be greater. It would subject defendants to criminal penalties for improperly using certain types of online databases. But it could largely neutralize the CFAA when it comes to information on public websites. Companies like Facebook, Craigslist, and LinkedIn could end up with less, not more, power over how people use their websites.
Monday's oral argument did not provide much information on how the court will decide. Some justices – Sotomayor, Gorsuch, and possibly Breyer – appeared ready to side with the defendant. A few others – Thomas and Barrett – seemed to agree with the government's position. But the others kept their views close to their vests – and the justices' questions don't necessarily predict how they will ultimately rule. Sometimes justices will ask harder questions of the side they favor to make sure they are not missing important counter-arguments.