The US Supreme Court has indicated it will finally address an issue that has been causing legal problems for nearly two decades: what exactly is “authorized use” of a computer?
If someone is authorized to use a computer – to access a database, for example – is that a blanket authorization, and can they use it so long as they continue to use their existing login? Or does it depend on the circumstances? Can someone’s authorization be dependent on the application's terms of service?
The question may seem simple but the bigger issue is how the law – specifically the US Computer Fraud and Abuse Act (CFAA) – sees it. Because while an employee could be warned, or even fired, for abusing their access to information, the CFAA would make it a criminal act. People could go to jail for not following the correct terms of service.
The particular case under review concerns former police sergeant Nathan Van Buren who was convicted in 2017 under the CFAA for running a computer search for a license plate number. Van Buren had authorized access to the police’s database, but in this case he ran a license check in return for cash.
The full details are unedifying: Van Buren needed money and offered to run plate checks for a stripper named Albo. Albo went to the local sheriff’s office, which contacted the FBI, and they set up a sting operation, giving Albo a fake license which she gave to Van Buren. She said that she wanted to know if it belonged to an undercover cop who was trying to bust her for prostitution. She gave Van Buren cash and he ran the plate.
Van Buren was arrested for breaking the CFAA. But in court, Van Buren’s lawyers argued that he was authorized to use the system as a police officer and that that access couldn’t be unauthorized, regardless of why he performed the search itself.
In other words, he could be taken to task for taking money from a stripper to run a license plate – clearly unethical behavior – but he couldn’t be convicted under the CFAA for doing so.
He was charged on two counts: committing computer fraud for financial gain (violating the CFAA) and honest services fraud. He was found guilty on both counts and sentenced to prison for 18 months, with two years of supervised release. He appealed and the “honest services” charge was overturned but the CFAA computer fraud charge was not. And that’s why it may be the perfect test case.
Lawyers and legal minds have been fighting over the question of authorized and unauthorized use under the CFAA ever since it was enacted back in 1986. The advent of the internet, however, made the issue 100 times bigger and hence 100 times more important.
The case has now been relisted with the Supreme Court because other Appeals Courts have had to decide similar cases in the meantime and have come up with different interpretations. In 2011, the Eleventh Circuit decided that violating a written restriction makes such access unauthorized in Van Buren’s case.
Van Buren is a fairly clean one for the Supreme Court in the sense that the legal issues are cleanly decided. He was charged with violating the CFAA, convicted – by a jury – and that conviction was then upheld. But his entire sentence is now based on that interpretation of the CFAA.
And there are other appeals courts that have clearly said they do not agree with the interpretation. Plus, of course, it is of significant public interest and importance because it impacts the behavior of just about every citizen on a daily basis.
Not strong arguments
The government is fearful of losing at the Supreme Court because it would immediately lead to appeals for all those who have been convicted under its current interpretation of the CFAA.
And, just to open Pandora’s Box a little more: a change in how the CFAA works would impact one of the most controversial cases it was used in – to prosecute Aaron Swartz for downloading millions of research papers.
Back in 2013, House Representative Zoe Lofgren (D-CA) drafted a bill that would have specifically excluded terms of service from the CFAA because of what happened to Swartz. The young co-founder of RSS was aggressively pursued under that aspect of the law and told he would face a million-dollar fine and up to 35 years in prison for his actions. Unable to deal with the pressure, he committed suicide.
Lofgren’s bill was beaten back – allegedly thanks to lobbying by Oracle – and she reintroduced it in 2015, but it again went nowhere. At the time – five years ago now – Lofgren argued that the CFAA was “long overdue for reform.”
“At its very core,” she argued, “CFAA is an anti-hacking law. Unfortunately, over time we have seen prosecutors broadening the intent of the act, handing out inordinately severe criminal penalties for less-than-serious violations. It's time we reformed this law to better focus on truly malicious hackers and bad actors, and away from common computer and Internet activities.”
Somewhat unusually, a corrupt cop and a stripper may bring some much-delayed justice to Swartz and potentially dozens of others who have been found guilty under the government’s interpretation of the CFAA. ®