UPDATE: June 3, 2021: The U.S. Supreme Court, in a 6-3 decision Thursday, held Nathan Van Buren did not violate the Computer Fraud and Abuse Act (CFAA), as the law does not cover incidents where individuals with authorized access to a computer system abuse their extent of access. The CFAA "does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them," Justice Amy Coney Barrett said in the court opinion.
There are a number of criminal laws — federal and state — that prosecute nefarious acts. On Monday the Supreme Court heard oral arguments for Van Buren vs. U.S. and will have until summer 2021 to deliver a decision.
The oral arguments were the latest in a "rather long line of cases" where the government sought the expansion of federal criminal jurisdiction "in pretty significantly contestable ways," said Justice Neil Gorsuch. The court has also rejected those cases.
"I'm just kind of curious why we're back here again, on a rather small state crime … and address conduct that would be rather remarkable, perhaps making a federal criminal of us all," said Gorsuch.
Nathan Van Buren is awaiting further judgement pertaining to a possible violation of the Computer Fraud and Abuse Act (CFAA), a law with known ambiguities waiting for government intervention. If the court rules in favor of the government, advocacy groups argue the newfound scope of the could implicate individuals in violation of service terms on websites. The CFAA could broadly sweep over ethical hacking or common consumer activities.
Van Buren's attorney, Jeffrey Fisher, said private entities can sue individuals in violation of the statute, even without further government interference. "One of the more compelling arguments in my mind was [Fisher's] point that the court shouldn't rely on the government to wield its prosecutorial discretion responsibly," said Dawn Mertineit, partner at Seyfarth, specializing in trade secrets, computer fraud and non-competes.
Justice Brett Kavanaugh joined Gorsuch in his concerns about scaling the CFAA's federal criminal liability. Justice Sonia Sotomayor focused more on DOJ's interpretation of the law's prongs: "exceeds authorized access" and "without authorization."
The DOJ says "exceeds authorized access" means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the [accessor] is not entitled so to obtain or alter," according to the DOJ.
The other judges' leanings weren't quite as transparent. Justices kept deferring back to a single word and the validity of the DOJ's argument against Van Buren: "so."
Fisher's definition of "so," in terms of the law, means that "you access any information by a computer, as opposed to some other means." If the court aligned with Fisher's interpretation, or if the law didn't include the word, "you would concede, wouldn't you, that … you would lose this case?" Justice Elena Kagan asked Eric Feigin, assistant to U.S. Solicitor General.
The word would make it so the CFAA violation applied to authorized persons using their access for improper use. "It would be a much tougher case for us without the word 'so,'" Feigin told Kagan.
"The government's interpretation of 'so' is a stretch, and several justices seemed to be struggling to afford that word the meaning that the government’s advocate was advancing," said Mertineit.
Narrowing authorization
Van Buren's case is centered on the "exceeds authorized access" prong of the CFAA.
Feigin argued Congress intentionally described two groups of people who could violate the prongs. The first group being individuals or "hackers" without authorization, and insiders exceeding their limits.
Feigin tried to prove that there is a "narrowing function" of the definition of access. "Let's assume it's an employee who satisfied the definition of authorization; he's been specifically, individually authorized to use the computer. I don't think the word 'use' necessarily requires that the user do something the user couldn't otherwise do," he said. The statute is designated for insiders.
By trying to persuade the justices that the prong had a specific focus on trusted individuals misusing their access, it was an attempt to sway the hearing from focusing on possible implications on consumer privacy if the court ruled in the DOJ's favor. It was not an easy task for Feigin.
"Adopting your interpretation would criminalize all sorts of activity that people regarded as largely innocuous," said Justice Samuel Alito. "You suggest that there are limiting instructions or limiting interpretations, but I don't know exactly what they are."
The ambiguities of the CFAA unfolded before the justices, with unclear definitions of "authorization" or "obtaining or altering information." Because all information is derived from a computer to a certain extent, "I don't really know what to do … I don't really understand the potential scope of this statute without having an idea about exactly what all of those terms mean," said Alito.
If the court leans toward Feigin's narrow definition of access, it could render the "without authorization" prong of the CFAA irrelevant.
"Justice Sotomayor sounded visibly frustrated with the government's argument, which she characterized as a request that the court rewrite the statute to include definitions that the text doesn’t contain," said Mertineit.
The DOJ's argument rests heavily on narrowing the definition of authorization, which Feiner argued protects consumers from falling under the CFAA's scope, if the court ruled in its favor.
"There's just very serious problems with that," said Fisher. "It escapes me why logging into your work computer does not establish authorization or logging into your Westlaw account … All of these websites and work computers are accessed only with authorization as even Mr. Feigin defines the term."