Supreme Court Finally Limits Widely Abused Computer Hacking Law... But Just A Bit
from the it's-a-start dept
For many years we've written about the problems with the CFAA. That's the supposedly "anti-hacking" law, with both civil and criminal components, that makes it a violation to use a computer in a manner that "exceeds authorized access." Law enforcement and the courts in the past often (though not always) took an extremely broad reading of "unauthorized access," in such a manner that basically all sorts of cases that involved a computer included CFAA claims. And even if all the other claims fell away, the CFAA claims often lasted, which is why it has been dubbed "the law that sticks." Part of the underlying issue is that law enforcement and some courts wanted to read "unauthorized access" to include using a computer system you had legitimate access to, but for unauthorized purposes.
Famously, this has included cases around not abiding by terms of service that were never read, seemingly benign password sharing, scraping your own data off a web page, and perhaps most troubling of all, downloading too many files.
This week, the Supreme Court finally ruled on the CFAA and its limits in the Van Buren case, which we've covered before, including why the Supreme Court needed to push back on some courts' broad interpretation of the law.
The case involved Nathan Van Buren, a former police sergeant who abused his access to law enforcement databases to run a search that he had no legitimate law enforcement reason for. Now, there are all sorts of reasons people should condemn Van Buren for abusing his power. But the key question in the case was whether or not doing so violated the CFAA and was a form of hacking because the access was unauthorized.
Thankfully, the Supreme Court correctly ruled that this particular use did not violate the CFAA. While it may have violated the police department's policies, that does not make it "exceed authorized access."
Beyond that, though, the 6 to 3 decision is... well... a bit of a mess. It could have clearly stated that merely violating a policy while having full practical access to a computer system means there's no CFAA violation. And at times, it seems to suggest that's what it's saying. But it doesn't say that entirely clearly... and, in fact, there's a weird footnote (footnote 8) that seems to undermine that premise.
For present purposes, we need not address whether this inquiry turns only on technological (or “code-based”) limitations on access, or instead also looks to limits contained in contracts or policies.
This has raised some eyebrows among many commentators, though it's all too common with the Roberts Supreme Court these days, in which the court declines to draw a clear bright-line rule on things it easily could, instead trying to narrowly limit its decisions. Of course, sometimes that's good, but unfortunately it often muddles things, as may be the case here.
The actual reasoning behind the decision is interesting in its own way, and includes a detailed discussion on the meaning of the word "so." Specifically, what does "so" mean here:
“to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.”
And thus, you get a debate over what exactly that "so" is doing in there (regulation drafters beware!):
The parties agree that Van Buren “access[ed] a computer with authorization” when he used his patrol-car computer and valid credentials to log into the law enforcement database. They also agree that Van Buren “obtain[ed] . . . information in the computer” when he acquired the license-plate record for Albo. The dispute is whether Van Buren was “entitled so to obtain” the record.
“Entitle” means “to give . . . a title, right, or claim to something.” Random House Dictionary of the English Language 649 (2d ed. 1987). See also Black’s Law Dictionary 477 (5th ed. 1979) (“to give a right or legal title to”). The parties agree that Van Buren had been given the right to acquire license-plate information—that is, he was “entitled to obtain” it—from the law enforcement computer database. But was Van Buren “entitled so to obtain” the license-plate information, as the statute requires?
Van Buren says yes. He notes that “so,” as used in this statute, serves as a term of reference that recalls “the same manner as has been stated” or “the way or manner described.” Black’s Law Dictionary, at 1246; 15 Oxford English Dictionary 887 (2d ed. 1989). The disputed phrase “entitled so to obtain” thus asks whether one has the right, in “the same manner as has been stated,” to obtain the relevant information. And the only manner of obtaining information already stated in the definitional provision is “via a computer [one] is otherwise authorized to access.” Reply Brief 3. Putting that together, Van Buren contends that the disputed phrase—“is not entitled so to obtain”—plainly refers to information one is not allowed to obtain by using a computer that he is authorized to access. On this reading, if a person has access to information stored in a computer— e.g., in “Folder Y,” from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.
The Government agrees that the statute uses “so” in the word’s term-of-reference sense, but it argues that “so” sweeps more broadly. It reads the phrase “is not entitled so to obtain” to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. The manner or circumstances in which one has a right to obtain information, the Government says, are defined by any “specifically and explicitly” communicated limits on one’s right to access information. Brief for United States 19. As the Government sees it, an employee might lawfully pull information from Folder Y in the morning for a permissible purpose—say, to prepare for a business meeting—but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purpose—say, to help draft a resume to submit to a competitor employer.
The Government’s interpretation has surface appeal but proves to be a sleight of hand. While highlighting that “so” refers to a “manner or circumstance,” the Government simultaneously ignores the definition’s further instruction that such manner or circumstance already will “‘ha[ve] been stated,’” “‘asserted,’” or “‘described.’” Id., at 18 (quoting Black’s Law Dictionary, at 1246; 15 Oxford English Dictionary, at 887). Under the Government’s approach, the relevant circumstance—the one rendering a person’s conduct illegal—is not identified earlier in the statute. Instead, “so” captures any circumstance-based limit appearing anywhere—in the United States Code, a state statute, a private agreement, or anywhere else. And while the Government tries to cabin its interpretation by suggesting that any such limit must be “specifically and explicitly” stated, “express,” and “inherent in the authorization itself,” the Government does not identify any textual basis for these guardrails. Brief for United States 19; Tr. of Oral Arg. 41.
Van Buren’s account of “so”—namely, that “so” references the previously stated “manner or circumstance” in the text of §1030(e)(6) itself—is more plausible than the Government’s. “So” is not a free-floating term that provides a hook for any limitation stated anywhere. It refers to a stated, identifiable proposition from the “preceding” text; indeed, “so” typically “[r]epresent[s]” a “word or phrase already employed,” thereby avoiding the need for repetition. 15 Oxford English Dictionary, at 887; see Webster’s Third New International Dictionary 2160 (1986) (so “often used as a substitute . . . to express the idea of a preceding phrase”). Myriad federal statutes illustrate this ordinary usage. We agree with Van Buren: The phrase “is not entitled so to obtain” is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.
The Government’s primary counterargument is that Van Buren’s reading renders the word “so” superfluous. Recall the definition: “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.” §1030(e)(6) (emphasis added). According to the Government, “so” adds nothing to the sentence if it refers solely to the earlier stated manner of obtaining the information through use of a computer one has accessed with authorization. What matters on Van Buren’s reading, as the Government sees it, is simply that the person obtain information that he is not entitled to obtain—and that point could be made even if “so” were deleted. By contrast, the Government insists, “so” makes a valuable contribution if it incorporates all of the circumstances that might qualify a person’s right to obtain information. Because only its interpretation gives “so” work to do, the Government contends, the rule against superfluity means that its interpretation wins. See Republic of Sudan v. Harrison, 587 U. S. ___, ___ (2019) (slip op., at 10).
But the canon does not help the Government because Van Buren’s reading does not render “so” superfluous. As Van Buren points out, without “so,” the statute would allow individuals to use their right to obtain information in nondigital form as a defense to CFAA liability. Consider, for example, a person who downloads restricted personnel files he is not entitled to obtain by using his computer. Such a person could argue that he was “entitled to obtain” the information if he had the right to access personnel files through another method (e.g., by requesting hard copies of the files from human resources). With “so,” the CFAA forecloses that theory of defense. The statute is concerned with what a person does on a computer; it does not excuse hacking into an electronic personnel file if the hacker could have walked down the hall to pick up a physical copy. This clarification is significant because it underscores that one kind of entitlement to information counts: the right to access the information by using a computer. That can expand liability, as the above example shows. But it narrows liability too. Without the word “so,” the statute could be read to incorporate all kinds of limitations on one’s entitlement to information. The dissent’s take on the statute illustrates why.
The majority then rebuts the dissent, which takes a different interpretation of "so" but feels that it can get to a reasonable outcome by focusing, instead, on "entitled." The majority decision notes that such a reading results in problems:
The dissent’s approach to the word “entitled” fares fine in the abstract but poorly in context. The statute does not refer to “information . . . that the accesser is not entitled to obtain.” It refers to “information . . . that the accesser is not entitled so to obtain.” 18 U. S. C. §1030(e)(6) (emphasis added). The word “entitled,” then, does not stand alone, inviting the reader to consider the full scope of the accesser’s entitlement to information. The modifying phrase “so to obtain” directs the reader to consider a specific limitation on the accesser’s entitlement: his entitlement to obtain the information “in the manner previously stated.” Supra, at 7. And as already explained, the manner previously stated is using a computer one is authorized to access. Thus, while giving lipservice to Van Buren’s reading of “so,” the dissent, like the Government, declines to give “so” any limiting function.
The dissent cannot have it both ways. The consequence of accepting Van Buren’s reading of “so” is the narrowed scope of “entitled.” In fact, the dissent’s examples implicitly concede as much: They all omit the word “so,” thereby giving “entitled” its full sweep. See post, at 3–4. An approach that must rewrite the statute to work is even less persuasive than the Government’s.
The majority also points out that the government's own focus on "exceeds authorized access" is equally problematic, first in that it ignores the definition in the actual law:
The Government falls back on what it describes as the “common parlance” meaning of the phrase “exceeds authorized access.” Brief for United States 20–21. According to the Government, any ordinary speaker of the English language would think that Van Buren “exceed[ed] his authorized access” to the law enforcement database when he obtained license-plate information for personal purposes. Id., at 21. The dissent, for its part, asserts that this point “settles” the case. Post, at 9.
If the phrase “exceeds authorized access” were all we had to go on, the Government and the dissent might have a point. But both breeze by the CFAA’s explicit definition of the phrase “exceeds authorized access.”
But, more importantly, the government's approach creates a series of ridiculous interpretations:
By contrast, the Government’s reading of the “exceeds authorized access” clause creates “inconsistenc[ies] with the design and structure” of subsection (a)(2). University of Tex. Southwestern Medical Center v. Nassar, 570 U. S. 338, 353 (2013). As discussed, the Government reads the “exceeds authorized access” clause to incorporate purpose-based limits contained in contracts and workplace policies. Yet the Government does not read such limits into the threshold question whether someone uses a computer “without authorization”—even though similar purpose restrictions, like a rule against personal use, often govern one’s right to access a computer in the first place. See, e.g., Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F. 3d 756, 757 (CA6 2020). Thus, the Government proposes to read the first phrase “without authorization” as a gates-up-or-down inquiry and the second phrase “exceeds authorized access” as one that depends on the circumstances. The Government does not explain why the statute would prohibit accessing computer information, but not the computer itself, for an improper purpose.
The Government’s position has another structural problem. Recall that violating §1030(a)(2), the provision under which Van Buren was charged, also gives rise to civil liability. See §1030(g). Provisions defining “damage” and “loss” specify what a plaintiff in a civil suit can recover. “‘[D]amage,’” the statute provides, means “any impairment to the integrity or availability of data, a program, a system, or information.” §1030(e)(8). The term “loss” likewise relates to costs caused by harm to computer data, programs, systems, or information services. §1030(e)(11). The statutory definitions of “damage” and “loss” thus focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data. Limiting “damage” and “loss” in this way makes sense in a scheme “aimed at preventing the typical consequences of hacking.” Royal Truck, 974 F. 3d, at 760. The term’s definitions are ill fitted, however, to remediating “misuse” of sensitive information that employees may permissibly access using their computers. Ibid. Van Buren’s situation is illustrative: His run of the license plate did not impair the “integrity or availability” of data, nor did it otherwise harm the database system itself.
Finally, and rightly, the majority opinion recognizes just how much the CFAA would criminalize under the government's interpretation:
To top it all off, the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity...
If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers. And indeed, numerous amici explain why the Government’s reading of subsection (a)(2) would do just that— criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook
The majority was written by new Justice Amy Coney Barrett, and joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh. The dissent was written by Justice Thomas, with Chief Justice Roberts and Justice Alito.
Overall, the thrust of the decision is good, with a few oddities and that one weird footnote. But it's much better than simply accepting the government's warped interpretation of the CFAA.
Two laws
He was a cop? Sorry, but this doesn't help the average person. This is an exception for our masters.
SCOTUS has proven what I have said all along about some things here and elsewhere.
In order for there to be a felony prosecution under the CFAA, you have to have used a hacked or otherwise illegally obtained password, which was not the case with this cop, since the password he had was legally obtained.
It also proves that things I have done, like use my own private VPN, while on road trips to Mexico or Canada, to get iHeart or other US-only content, on my phone, while driving, does not break the CFAA because I am not using an illegally obtained password.
So I am proven right, and other people on here have been proven wrong. Using the VPN on my network to get US-only content while on road trips to Mexico and Canada does not violate the CFAA.
This also applies to the "hole" I found in the firewall at one Taco Bell restaurant to bypass their filtering using my VPN, by first connecting via SSL VPN on my network, and then using the internal address on my network of 192.168.1.1 instead of the external public IP address, and their firewall would let me connect. That did not break the CFAA, though some thought otherwise, because I was not using any hacked or otherwise illegally obtained password.
And also when I stayed at one hotel on a road trip to San Diego, the 10-watt USB adapter I had let me connect to the WiFi at one hotel down the street, for less than what Westin wanted to charge. That did not break the CFAA because I was paying them $5 a day instead of the $18 that Westin wanted for their WiFi.
It is a 10-watt USB adapter I bought on eBay from a seller in China, that lets me connect to WiFi quite a way away.
It can be quite useful. On one trip to Disneyland where the motel did not have WiFi, I could use public WiFi from Cox, where Cox (like Comcast and Charter) turns their cable modems into public WiFi hotspots. That 10-watt linear amplifier let me connect to that cable modem in a house down the street from quite a ways away. All I had to do was put in my CC information to get the Internet.
It also confirms that war driving, a hobby of mine, is legal, as long as you do not try to access any resource using any illegally obtained password.
So
"So" Congress issued a very broad, vague, poorly written, widely abused law ... and one it had no constitutional authority to issue at all.
SCOTUS notices none of this, but just compounds the problem with a vague, narrow decision that addresses none of the basic problems of this reckless Congressional action,
"So" business as usual by our noble Federal guardians.
Well... there it is...
This makes a lovely companion piece to the "Nazis should be able to take legal action if they are kicked off social media" piece from earlier in the week.
Here we have Tech Dirt saying that it's not, and shouldn't be, illegal to make it illegal to restrict access to well... anything in a computer.
Want to let cops run some searches but not others? Nope. Can't do it.
Want to punish cops for doing unconstitutional searches of lawfully held Government data if they are authorized to make any search at all of the data? Nope, can't do that either.
At least if you're going to do something so stupid as to say that any capability to get to the data at all is 'authorized access', have the balls to just say you don't think any crimes can be committed on the internet at all.
Re: Well... there it is...
Are you truly that stupid, or are you just pretending to be?
If you use a computer to commit a crime, you can be prosecuted for that crime. There is no need for an imaginary "hacking" charge on top.
Here's an example more suited to your intellectual level:
A friend invites you to his house. You see $100 lying on the table. Friend leaves the room to get drinks, and you swipe the $100. Your friend notices and calls the police. You're arrested and charged with theft, breaking and entering, and attempted murder.
Wait, where did the latter two come from? Well, you see, you exceeded authorization the friend gave you when he invited you in. That voids the invitation. Therefore, you forced your way in and threatened his life. Tough luck, enjoy life in prison!
I think he could still be prosecuted under state computer crime laws in Georgia
While the CFAA requires that you have used an illegally obtained password, and the Supreme Court has confirmed that, some state laws are not as forgiving as the CFAA is on that one.
For example, the CFAA does not make it illegal to connect to any open WiFi you find, but some state laws are not as forgiving on that, particularly in conservative redneck states like Nevada or Utah.
That is why when I travel anywhere on road trips, I use an offshore VPN that has no logging.
That is why when I travel outside California, I have my phone's security dialed up to insane cop proof levels where if my phone is seized, the police will not be able to get at the contents, as well as the booby trap mode where if they try to brute force crack it, the phone will wipe itself and reset after too many failed password attempts.
That "booby trap" mode does not break any law in any of the 50 states. If they try to brute force your phone, and it wipes itself and resets after too many failed password attempts, there is nothing they can charge you with.
There is no law you can be prosecuted under if your phone wipes itself after they make too many failed password attempts and wipes any evidence they are looking for.
With state computer crime laws not as forgiving as the CFAA, dialing up the security on your devices is a must when you travel.
Just like when I go to my favourite campground in Nevada, and have to drive 65 miles to Eureka to get on the Internet, I dial things up to insane levels.
In addition to dialing up security on my devices, I also pay for the gas for the trip back to the campground with cash, and I use anti-camera measures on my license plate, so that surveillance cameras cannot get my license number.
In addition to Nevada law, I have to be careful because I am in the radio quiet zone for Area 51, which extends out quite a ways, which would make my 10-watt amplified USB device illegal to use there.
It is not illegal to use at home here in California, but in the radio quiet zone for Area 51 it is, hence the offshore VPN, where they are not subject to any American laws, so I take those insane precautions when I sit at the Chevron station in town and connect to the WiFi at the Sundowner Motel, about a mile away.
Technically, the Sundowner Motel is not supposed to have WiFi either, because of the quiet zone, another reason to use an offshore VPN. If they ever do bring the hammer down on the Sundowner for having a public WiFi, they will not be able to identify me as a user. The only thing they will know is that someone connected to an offshore VPN, where the United States government has no jurisdiction.
This way, if they try to investigate and see who has been using it, the FCC will not be able to trace me or fine me.
A VPN in Mexico is only subject to Mexican laws; US laws do not apply to a VPN in Cuernavaca, Mexico, even if someone is connecting from the United States.
The only thing that sucks about that is that I cannot get US only services, like iHeart or the US Netflix library, because they see an IP address that is outside the United States.
I get the Netflix library in Mexico, or whatever country the VPN is in, which can often times be different than in America.
One thing I see in any CFAA changes is to make the practice of deleting cookies for the purpose of evading paywalls a violation of the CFAA.
You can erase your cookies to avoid the free article limitations on many newspaper sites, and that does not violate the CFAA, but I could see that changing, as well as a lot of other things.
One thing I see becoming a CFAA violation is one thing that myself and a few tech savvy people did in college years ago. That is to circumvent disk quotas.
There was a pretty sophisticated way to do that, that did not and still does not violate the CFAA.
I could see the CFAA amended to make circumvention of disk quotas a violation of the CFAA.