“According to the government’s broad interpretation of the CFAA, standard security research practices – such as accessing publicly available data in a way that is beneficial to the public but prohibited by the owner of the data – can be very risky.”
Key context: The case that could determine the scope of the CFAA arises from a dry stab operation. In 2017, a district court convicted police officer Nathan Van Buren for using his license plate database to check whether a strip club dancer was an undercover officer in exchange for a loan from a man acting as the FBI -Informant turned out. Van Buren’s attorneys argued that he had not violated the CFAA’s ban on unauthorized computer access because he had legitimate access to the database as part of his work.
The US Court of Appeals for the 11th Circuit upheld Van Buren’s belief and found that the CFAA prohibited access to a computer for improper purposes, even if the defendant was authorized to use it for other purposes. Four courts of appeal have now interpreted the CFAA so broadly, while three have interpreted it more narrowly.
Previous decisions by the CFAA have raised concerns about the scope of the law. In 2015 convicted by a court in California Local news producer Matthew Keys on hacking fees for giving his work password to hackers who corrupted an article in the Los Angeles Times. Keys, who had not carried out any hacker attacks himself, was subsequently sentenced to two years in prison.
The most controversial CFAA case never came to a verdict. In 2011, Federal Prosecutor charged Well known internet freedom activist Aaron Swartz on hacking fees for downloading millions of magazine articles with a subscription to MIT. Swartz, then 24, was imprisoned for 35 years. He died by suicide in January 2013 pending trial.
A slippery slope? The judges on Monday were alarmed by the broader reading of the CFAA.
Judge Neil Gorsuch suggested that the Van Buren case was the latest example of the government trying to broaden the scope of criminal law in a “contestable” way.
The DOJ’s argument risked “turning us all into federal criminals,” Gorsuch said.
Government attorney, Assistant Attorney General Eric Feigin, argued that the CFAA critics’ warnings about overzealous law enforcement were unfounded strategies of terror. He noted that prosecutors did not accuse anyone of searching Instagram at work while working in any of the judicial circles where an appeals court agreed to the government’s interpretation.
Feigin accused Van Buren’s attorney Jeffrey Fisher at Stanford University of painting a “wild caricature of our position” with “fabricated cases” about CFAA overreach.
“To the extent that we see such cases,” he added, “it will allow the courts, including this court, if necessary, to further articulate these limits.”
However, some judges did not seem convinced of Feigin’s argument that the court could simply cut back the law in the future if prosecutors went too far.
“They are asking us to write definitions to narrow down what might otherwise be seen as very broad and dangerously vague,” said Judge Sonia Sotomayor.
Fisher took up the judges’ concerns about the ambiguity of the CFAA.
“The best the government can say is, ‘We haven’t got a whole bunch of these law enforcement actions in place,” he said, “but they would be available under the government’s reading. “
Other questions: Several judges expressed uncertainty about the definitions of key terms in the law, such as B. “Approval” and spent a lot of time asking both lawyers what the word “so” means in some part of the law.
“What does this law talk about when it comes to information in the computer?” Judge Samuel Alito asked Feigin once. “All information that someone receives on the Internet is in a sense in the computer. I feel like Congress didn’t think about it when it accepted this [law]. ”
“I don’t really understand the potential scope of this law without having an idea of what exactly all of these terms mean,” added Alito.
Elsewhere, Judge Stephen Breyer quoted the story of the CFAA amending an existing cybercrime act that was incorporated into a 1984 collective crime act in 1984 in response to fears sparked by the hacking film WarGames.
The 1984 law specifically prohibited access to a computer for unauthorized purposes. Although the CFAA dropped that language, Breyer suggested, “History says they didn’t want to make a significant change.”
In response, Fisher referred to a report by the Congressional Committee on the CFAA, which referred to a desire to clarify the application of the law.
Similarly, Fisher explained to Justice Elena Kagan that checking Instagram at work is getting words and pictures from one’s Instagram feed. And if a company bans social media browsing on work computers, getting that information would violate the CFAA by violating employer’s guidelines.
On the other hand, the judges also signaled a desire to ban the abuse of workplace privileges such as that committed by Van Buren. Alito pointed out the possibility that a bank employee was misusing customers’ credit card numbers.
When Sotomayor asked Fisher about this, he argued that Congress could pass other laws to prevent this type of abuse.
A specific question came from the new Justice Amy Coney Barrett, who said it sounded like Fisher was treating “authorization” as an “on / off switch”: once someone was authorized to access a database, for legal reasons, it would not How they used this access play a role. Why, she asked, shouldn’t the court see “authorization” as inherently dependent on the purpose of access?
Fisher replied that the CFAA did not specifically state so, and since other laws make this kind of distinction there is good reason to believe that Congress did not intend to do so here.