CFAA latest: Supremes to tackle old chestnut of what 'authorized use' of a computer really means in America

And it's all thanks to a stripper and a corrupt cop. No, seriously


The US Supreme Court has indicated it will finally address an issue that has been causing legal problems for nearly two decades: what exactly is “authorized use” of a computer?

If someone is authorized to use a computer – to access a database, for example – is that a blanket authorization, and can they use it so long as they continue to use their existing login? Or does it depend on the circumstances? Can someone’s authorization be dependent on the application's terms of service?

The question may seem simple but the bigger issue is how the law – specifically the US Computer Fraud and Abuse Act (CFAA) – sees it. Because while an employee could be warned, or even fired, for abusing their access to information, the CFAA would make it a criminal act. People could go to jail for not following the correct terms of service.

The particular case under review concerns former police sergeant Nathan Van Buren who was convicted in 2017 under the CFAA for running a computer search for a license plate number. Van Buren had authorized access to the police’s database, but in this case he ran a license check in return for cash.

The full details are unedifying: Van Buren needed money and offered to run plate checks for a stripper named Albo. Albo went to the local sheriff’s office, which contacted the FBI and they set up a sting operation giving Albo a fake license which she gave to Van Buren. She said that she wanted to know if it belonged to an undercover cop who was trying to bust her for prostitution. She gave Van Buren cash and he ran the plate.

Van Buren was arrested for breaking the CFAA. But in court, Van Buren’s lawyers argued that he was authorized to use the system as a police officer and that that access couldn’t be unauthorized, regardless of why he performed the search itself.

In other words, he could be taken to task for taking money from a stripper to run a license plate – clearly unethical behavior – but he couldn’t be convicted under the CFAA for doing so.

Honest guv

He was charged with two cases: committing computer fraud for financial gain (violating the CPAA) and honest services fraud and violating the CFAA. He was found guilty on both counts and sentenced to prison for 18 months, with two years of supervised release. He appealed and the “honest services” charge was overturned but the CFAA computer fraud charge was not. And that’s why it may be the perfect test case.

Lawyers and legal minds have been fighting over the question of authorized and unauthorized use under the CFAA ever since it was enacted back in 1986. The advent of the internet however made the issue 100 times bigger and hence 100 times more important.

Illustration of US flag, handcuffs, a computer mouse and code

Relax, breaking a website's fine-print doesn't make you a criminal hacker, says judge in US cyber-law legal row

READ MORE

The case has now been relisted with the Supreme Court because other Appeals Courts have had to decide similar cases in the meantime and have come up with different interpretations. In 2011, the Eleventh Circuit decided that violating a written restriction makes such access unauthorized in Van Buren’s case.

But the Second and Ninth Circuits have since rejected that argument, in large part because it would make criminals out of potentially millions of people for not following the terms of use put out by hundreds of different companies.

As one example, professor of law at UC Berkeley, Orin Kerr, has argued that if the CFAA is used to apply to terms of use then he is guilty of criminal conduct because he has given Facebook a false location for himself, an infringement of the social media giant’s terms of us. And he commits a new crime every time he logs into the service.

Van Buren is a fairly clean one for the Supreme Court in the sense that the legal issues are cleanly decided. He was charged with violating the CFAA, convicted – by a jury – and that conviction was then upheld. But his entire sentence is now based on that interpretation of the CFAA.

And there are other appeals courts that have clearly said they do not agree with the interpretation. Plus, of course, it is of significant public interest and importance because it impacts the behavior of just about every citizen on a daily basis.

Not strong arguments

The government is fearful of losing at the Supreme Court because it would immediately lead to appeals for all those who have been convicted under its current interpretation of the CFAA.

If the Supreme Court does take the case up it will have to dig into such questions as: who sets the usage rules? What is legal and illegal to do from the same computer with the same access? Can an employer effectively turn its employees into criminals if they don’t follow its rules? Can a tech company like Facebook put people in jail if it catches them breaking its terms of use?

And, just to open Pandora’s Box a little more: a change in how the CFAA works would impact one of the most controversial cases it was used in – to prosecute Aaron Swartz for downloading millions of research papers.

Back in 2013, House Representative Zoe Lofgren (D-CA) drafted a bill that would have specifically excluded terms of service from the CFAA because of what happened to Swartz. The young co-founder of RSS was aggressively pursued under that aspect of the law and told he would face a million-dollar fine and up to 35 years in prison for his actions. Unable to deal with the pressure, he committed suicide.

Lofgren’s bill was beaten back – allegedly thanks to lobbying by Oracle – and she reintroduced it in 2015, but it again went nowhere. At the time – five years ago now – Lofgren argued that the CFAA was “long overdue for reform.”

“At its very core,” she argued, “CFAA is an anti-hacking law. Unfortunately, over time we have seen prosecutors broadening the intent of the act, handing out inordinately severe criminal penalties for less-than-serious violations. It's time we reformed this law to better focus on truly malicious hackers and bad actors, and away from common computer and Internet activities."

Somewhat unusually, a corrupt cop and a stripper may bring some much-delayed justice to Swartz and potentially dozens of others who have been found guilty under the government’s interpretation of the CFAA. ®


Biting the hand that feeds IT © 1998–2020