Supreme Court mulls whether a cop looking up a license plate for cash is equivalent to watching Instagram at work

America's outdated Computer Fraud and Abuse Act gets a roasting


Analysis There’s a growing problem with computer laws written in the late 1980s and early 1990s. They were produced just as PCs began entering widespread personal usage but they failed to account for what electronic devices would soon be used for most of the time: accessing information over the internet.

Nowhere is that more clear than in a case heard in the US Supreme Court on Monday, covering a cop – former police sergeant Nathan Van Buren – who was convicted of breaking the Computer Fraud and Abuse Act in 2017 after using his access to a police database of license plate numbers to look up the owner of a specific car for a cash payment.

Van Buren challenged that conviction, and an appeals court overturned one of the two criminal charges against him (it ordered a new trial) but upheld the second – computer fraud – despite what it said was the “vague language of the CFAA.”

And it is that “vague language” that has led the case all the way up the Supremes, with the court choosing to hear “whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.”

Van Buren’s lawyer, Jeffrey Fisher, argued that once someone is authorized to access a database, such a cop authorized to use a plate database, that’s pretty much it – you can’t be found guilty of fraud under the CFAA. The law, he argued, was intended only to address hacking – and his client didn’t hack the computer.

Trade secrets

He also pointed out that there are plenty of other laws that can be used against someone who does something wrong with information they have access to: anti-stalking laws, for example. Or misuse of trade secrets. But seemingly nothing that would get a cop convicted for looking up people's license plate numbers for cash.

Fisher was particularly keen to argue the danger of interpreting the CFAA in the way the government had in this case. It opens up a Pandora’s Box of legal nasties, he warned: suddenly anyone and pretty much everyone would be guilty of criminal conduct.

Computer with a police crime scene banner over it

CFAA latest: Supremes to tackle old chestnut of what 'authorized use' of a computer really means in America

PREVIOUS REPORT

If you broke a service contract, or a company’s terms of use, or an employee handbook, or even if you ignored a verbal instruction and used your authorized access to a computer at the wrong time, you could be convicted, he argued.

He even argued that accessing Instagram at work would fallen under the criminal statute. “It's obtaining information because you are literally obtaining the words or pictures out of Instagram, and it would violate the government's rule,” he argued in response to questions from the Justices.

Fortunately, the Supreme Court was not in the mood for super-hypothetical nightmare situations of Janice from accounting being dragged off to the cells for looking at someone’s cat pictures. At least four Justices referred to Fisher’s list of problems as a “parade of horribles,” while digging into the reality.

And the reality is that the CFAA is – as everybody knew already – really badly worded. The law was originally passed in 1984 to deal with wrongly accessing computer databases but it originally only applied to federal employees. In 1986, the law was expanded to include everybody and in doing so a few key phrases were changed. The idea was the same but the language of the law became less precise.

Of course the government’s lawyer, DoJ deputy solicitor general Eric Feigin, feels that the law is absolutely fine: the intention of the law is clear, the wording can be read in a specific way that avoids all the nightmare scenarios and the legal system will clear it up through case law. Nothing to see here. The cop knew he was wrong, he got caught, and was prosecuted.

Avalanche

“Such serious breaches of trust by insiders are precisely what the statutory language is designed to cover,” Feigin argued. He also had some harsh words for Van Buren’s case.

“What he's instead relying on here is a wild caricature of our position that tries to bury his own heartland statutory violations beneath an imaginary avalanche of hypothetical prosecutions that he can't actually identify in the real world for seemingly innocent conduct,” he barked.

But then Feigin also demonstrated his ignorance of how computers work in the real world. Asked why accessing a service like Facebook wasn’t also included under the CFAA, he argued: “On the public website, that is not a system that requires authorization. It's not one that uses required credentials that reflect some specific individualized consideration.”

Such serious breaches of trust by insiders are precisely what the statutory language is designed to cover

Except of course, it does. Especially if someone is using two-factor authentication for additional security.

In response to the “don’t worry about it, we’ve won’t go overboard” argument from the government, the cop’s lawyer warned, not unreasonably, that “because this is a criminal case, we think it's improper if not, at the very least, very dangerous to rely on legislative history to resolve ambiguity.”

And he argued that “the opportunities for prosecutorial discretion are probably broader than any statute the Court has ever seen if the government is right in literal terms.” In other words, this law could end up being used to come down on someone and exert massive pressure for the wrong reasons.

That is not a hypothetical because it’s exactly what happened to Aaron Swartz, who was prosecuted for downloading millions of research papers. He was aggressively pursued under the CFAA, and told he could face a million-dollar fine and up to 35 years in prison for his actions.

Unable to deal with the pressure, Swartz killed himself. And the tech community recoiled in horror at what the government was willing to do when it felt there was wrongdoing.

Legislative failure

Swartz’s case led to repeat efforts to tidy up the CFAA to make it clear that terms of service were specifically excluded from the law. But thanks to both Congress’ dysfunction, and the general lack of interest in and knowledge of technical and computer issues among lawmakers, the efforts have never made sufficient progress.

In that respect, the case in front of the Supreme Court today was completely avoidable: it should have been resolved through the legislative process five years ago. And in fact Van Buren’s lawyer repeatedly argued that the issue – the dangerous ambiguity – was something that Congress had to sort out by amending the statute.

Justice Statue, blind folded

Surprise! Voting app maker roasted by computer boffins for poor security now begs US courts to limit flaw finding

READ MORE

However, that’s currently not the case and the Supreme Court has to decide what to do with a law that was designed for one purpose, squeezed to fit another, and is now being applied to a third that was never envisioned.

The solution is not even that difficult: the law needs to recognize the difference between someone given access to privileged data through a specific, individual login and a simple login to a publicly available service. And it needs to make clear that misuse of that information is the crime.

The Justices kept putting forward suggestions. Justice Sotomayor noted that using information “for financial gain” was a common differentiator; Justice Barrett referenced the idea of a “scope” of authorization.

In fact, everyone in the courthouse – well, on the Supreme Court Zoom channel – was pretty much in agreement: the CFAA has a clear purpose that everyone agrees with but its wording is creating a major legal headache.

Like we said, computer law from the 1980s is a mess. ®


Biting the hand that feeds IT © 1998–2021