CFAA latest: Supremes to tackle old chestnut of what 'authorized use' of a computer really means in America

And it's all thanks to a stripper and a corrupt cop. No, seriously


The US Supreme Court has indicated it will finally address an issue that has been causing legal problems for nearly two decades: what exactly is “authorized use” of a computer?

If someone is authorized to use a computer – to access a database, for example – is that a blanket authorization, and can they use it so long as they continue to use their existing login? Or does it depend on the circumstances? Can someone’s authorization be dependent on the application's terms of service?

The question may seem simple but the bigger issue is how the law – specifically the US Computer Fraud and Abuse Act (CFAA) – sees it. Because while an employee could be warned, or even fired, for abusing their access to information, the CFAA would make it a criminal act. People could go to jail for not following the correct terms of service.

The particular case under review concerns former police sergeant Nathan Van Buren, who was convicted in 2017 under the CFAA for running a computer search for a license plate number. Van Buren had authorized access to the police’s database, but in this case he ran a license check in return for cash.

The full details are unedifying: Van Buren needed money and offered to run plate checks for a stripper named Albo. Albo went to the local sheriff’s office, which contacted the FBI, and they set up a sting operation, giving Albo a fake license which she gave to Van Buren. She said that she wanted to know if it belonged to an undercover cop who was trying to bust her for prostitution. She gave Van Buren cash and he ran the plate.

Van Buren was arrested for breaking the CFAA. But in court, Van Buren’s lawyers argued that he was authorized to use the system as a police officer and that that access couldn’t be unauthorized, regardless of why he performed the search itself.

In other words, he could be taken to task for taking money from a stripper to run a license plate – clearly unethical behavior – but he couldn’t be convicted under the CFAA for doing so.

Honest guv

He was charged on two counts: committing computer fraud for financial gain (violating the CFAA) and honest services fraud. He was found guilty on both counts and sentenced to prison for 18 months, with two years of supervised release. He appealed and the “honest services” charge was overturned but the CFAA computer fraud charge was not. And that’s why it may be the perfect test case.

Lawyers and legal minds have been fighting over the question of authorized and unauthorized use under the CFAA ever since it was enacted back in 1986. The advent of the internet, however, made the issue 100 times bigger and hence 100 times more important.

The case has now been relisted with the Supreme Court because other Appeals Courts have had to decide similar cases in the meantime and have come up with different interpretations. In 2011, the Eleventh Circuit decided that violating a written restriction makes such access unauthorized in Van Buren’s case.

But the Second and Ninth Circuits have since rejected that argument, in large part because it would make criminals out of potentially millions of people for not following the terms of use put out by hundreds of different companies.

As one example, professor of law at UC Berkeley, Orin Kerr, has argued that if the CFAA is used to apply to terms of use then he is guilty of criminal conduct because he has given Facebook a false location for himself, an infringement of the social media giant’s terms of use. And he commits a new crime every time he logs into the service.

Van Buren is a fairly clean one for the Supreme Court in the sense that the legal issues are cleanly decided. He was charged with violating the CFAA, convicted – by a jury – and that conviction was then upheld. But his entire sentence is now based on that interpretation of the CFAA.

And there are other appeals courts that have clearly said they do not agree with the interpretation. Plus, of course, it is of significant public interest and importance because it impacts the behavior of just about every citizen on a daily basis.

Not strong arguments

The government is fearful of losing at the Supreme Court because it would immediately lead to appeals for all those who have been convicted under its current interpretation of the CFAA.

If the Supreme Court does take the case up it will have to dig into such questions as: who sets the usage rules? What is legal and illegal to do from the same computer with the same access? Can an employer effectively turn its employees into criminals if they don’t follow its rules? Can a tech company like Facebook put people in jail if it catches them breaking its terms of use?

And, just to open Pandora’s Box a little more: a change in how the CFAA works would impact one of the most controversial cases it was used in – to prosecute Aaron Swartz for downloading millions of research papers.

Back in 2013, House Representative Zoe Lofgren (D-CA) drafted a bill that would have specifically excluded terms of service from the CFAA because of what happened to Swartz. The young co-founder of RSS was aggressively pursued under that aspect of the law and told he would face a million-dollar fine and up to 35 years in prison for his actions. Unable to deal with the pressure, he committed suicide.

Lofgren’s bill was beaten back – allegedly thanks to lobbying by Oracle – and she reintroduced it in 2015, but it again went nowhere. At the time – five years ago now – Lofgren argued that the CFAA was “long overdue for reform.”

“At its very core,” she argued, “CFAA is an anti-hacking law. Unfortunately, over time we have seen prosecutors broadening the intent of the act, handing out inordinately severe criminal penalties for less-than-serious violations. It's time we reformed this law to better focus on truly malicious hackers and bad actors, and away from common computer and Internet activities.”

Somewhat unusually, a corrupt cop and a stripper may bring some much-delayed justice to Swartz and potentially dozens of others who have been found guilty under the government’s interpretation of the CFAA. ®
