Protocol | Policy

SCOTUS limits core anti-hacking law in Van Buren decision

The court overturned the conviction of a police officer who was accused of violating the Computer Fraud and Abuse Act for accessing a government database in exchange for money.

The U.S. Supreme Court

The Supreme Court of the United States

Photo: Angel Xavier Viera-Vargas

The Supreme Court overturned the conviction of a former police officer who was accused of violating the country's core anti-hacking statute by accessing information in a law enforcement database in exchange for money. The decision stands to substantially limit tech companies' ability to enforce their terms of service against users who violate them.

The 6-3 decision in Van Buren v. United States marks the first time the court has ruled on the Computer Fraud and Abuse Act. In a narrow interpretation of the law, the court essentially interpreted the CFAA as a prohibition on breaking into a computer system, whether that's as an outside hacker or as an authorized user breaking into some gated part of that system.

"This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend," the majority opinion reads. "It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them."

The case has been closely watched in tech and privacy circles due to its implications on the legal interpretation of the CFAA, a notoriously vague law that forbids accessing a computer "without authorization or exceeding authorized access." The U.S. government argued that the former police officer, Nathan Van Buren, did just that when he accepted a bribe and improperly accessed a woman's license plate information in a government database as part of what turned out to be an FBI sting. While Van Buren was an authorized user of that database, the state argued he had exceeded his authorization in using it for that purpose.

But Van Buren argued that was an overly broad interpretation of the law. If a user of a computer system is breaking the law simply by violating the terms of that system, he argued, then anyone could be found guilty of violating the CFAA for, say, using their work computer for personal reasons. Recently tech giants like Facebook have sought to shut down research projects for violations of their terms of service, and groups like the Electronic Frontier Foundation that sided with Van Buren argued that expanding the interpretation of CFAA could make it easier for companies to exert legal power over their users.

The court ultimately sided with Van Buren. "The Government's interpretation of the 'exceeds authorized access' clause would attach criminal penalties to a breathtaking amount of commonplace computer activity," the opinion, written by Justice Amy Coney Barrett, reads. "For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government's reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA."

Defining the word 'so'

The CFAA is pretty clear about what it means to break into a computer system as an unauthorized user. But the Van Buren decision creates an important clarification about what it means to be an authorized user who exceeds that authorized access. The decision rests in part on a close read of the statute, which defines exceeding authorized access to mean accessing a computer "with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."

The question was whether Van Buren was, in fact, "entitled so to obtain" the information in the database he accessed. The government read the clause broadly, interpreting it to mean that authorized users of a computer system could exceed authorized access by accessing readily available information in certain unauthorized circumstances. But Van Buren argued, and the court agreed, that he would only be violating the statute if he had used the computer to access gated information he shouldn't have had access to.

What's less clear from this decision, as Berkeley Law professor Orin Kerr pointed out on Twitter, is how exactly the court defines a gate. "Does there need to be a technological gate, or can a gate of words ('do not access this computer for a bad purpose') suffice?" Kerr asked.

Not everyone viewed the court's framing as particularly helpful and called instead for more extensive reform of CFAA. "We're now going to have an endless string of debates about what the hell 'areas of a computer' means, as though that is a meaningful mental model for thinking about how computers actually work," tweeted Blake Reid, a professor of technology policy at Colorado Law. "I guess the upside is that the court says we're now going to use a sort of geographically oriented frame for that analysis, looking at *what* you're authorized to access and not deeply examining the reasons why."

Still, the majority opinion appears to substantially impact tech companies' ability to argue that its users — all authorized to access their platforms — have violated the CFAA by disobeying their terms of service, which often forbid activities like data scraping or creating false identities. Researchers have argued both tactics are essential to better understanding online platforms.

In his dissent, Justice Clarence Thomas offered a broader interpretation of what it means to exceed authorized access. "The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have 'exceed[ed] authorized access' to the database when he used it under circumstances that were expressly forbidden?" Thomas wrote. "In my view, the answer is yes."

Thomas also took issue with the court's concerns about criminalizing all kinds of benign behaviors. "Much of the Federal Code criminalizes common activity," Thomas wrote. "It is understandable to be uncomfortable with so much conduct being criminalized, but that discomfort does not give us authority to alter statutes."

This story has been updated to include additional information from the court's decision.

Protocol | China

Beijing meets an unstoppable force: Chinese parents and their children

Live-in tutors disguised as nannies, weekday online tutoring classes and adult gaming accounts for rent. Here's how citizens are finding ways to skirt Beijing's diktats.

Citizens in China are experienced at cooking up countermeasures when Beijing or governments come down with rigid policies.

Photo: Liu Ying/Xinhua via Getty Images

During the summer break, Beijing handed down a parade of new regulations designed to intervene in youth education and entertainment, including a strike against private tutoring, a campaign to "cleanse" the internet and a strict limit on online game playing time for children. But so far, these seemingly iron-clad rules have met their match, with students and their parents quickly finding workarounds.

Grassroots citizens in China are experienced at cooking up countermeasures when Beijing or governments come down with rigid policies. Authorities then have to play defense, amending holes in their initial rules.

Keep Reading Show less
Shen Lu

Shen Lu is a reporter with Protocol | China. Her writing has appeared in Foreign Policy, The New York Times and POLITICO, among other publications. She can be reached at shenlu@protocol.com.


Keep Reading Show less
Nasdaq
A technology company reimagining global capital markets and economies.
Protocol | Policy

Google and Microsoft are at it again, now over government software

The on-again, off-again battle between the two companies flared up again when Google commissioned a study on how much the U.S. government relies on Microsoft software.

Google and Microsoft are in a long-running feud that has once again flared up in recent months.

Photo: Jens Tandler/EyeEm/Getty Images

According to a new report commissioned by Google, Microsoft has an overwhelming "share in the U.S. government office productivity software market," potentially leading to security risks for local, state and federal governments.

The five-page document, released Tuesday by a trade group that counts Google as a member, represents the latest escalation between the two companies in a long-running feud that has once again flared up in recent months.

Keep Reading Show less
Ben Brody

Ben Brody (@ BenBrodyDC) is a senior reporter at Protocol focusing on how Congress, courts and agencies affect the online world we live in. He formerly covered tech policy and lobbying (including antitrust, Section 230 and privacy) at Bloomberg News, where he previously reported on the influence industry, government ethics and the 2016 presidential election. Before that, Ben covered business news at CNNMoney and AdAge, and all manner of stories in and around New York. He still loves appearing on the New York news radio he grew up with.

People

Facebook wants to kill the family iPad

Facebook has built the first portable smart display, and is introducing a new household mode that makes it easier to separate work from play.

Facebook's new Portal Go device will go on sale for $199 in October.

Photo: Facebook

Facebook is coming for the coffee table tablet: The company on Tuesday introduced a new portable version of its smart display called Portal Go, which promises to be a better communal device for video calls, media consumption and many of the other things families use iPads for.

Facebook also announced a revamped version of its Portal Pro device Tuesday, and introduced a new household mode to Portals that will make it easier to share these devices with everyone in a home without having to compromise on working-from-home habits. Taken together, these announcements show that there may be an opening for consumer electronics companies to meet this late-pandemic moment with new device categories.

Keep Reading Show less
Janko Roettgers

Janko Roettgers (@jank0) is a senior reporter at Protocol, reporting on the shifting power dynamics between tech, media, and entertainment, including the impact of new technologies. Previously, Janko was Variety's first-ever technology writer in San Francisco, where he covered big tech and emerging technologies. He has reported for Gigaom, Frankfurter Rundschau, Berliner Zeitung, and ORF, among others. He has written three books on consumer cord-cutting and online music and co-edited an anthology on internet subcultures. He lives with his family in Oakland.

Protocol | Policy

The techlash is threatening human rights around the world

Some 48 countries introduced laws to regulate tech last year. But researchers say many of those laws are just attempts at censorship and surveillance.

In its latest report, Freedom House President Michael Abramowitz said, "We really see free expression and privacy as under unprecedented strain."

Christopher T. Fong/Protocol

Governments around the world are seizing on widespread frustrations with Big Tech as justification for a spate of increasingly restrictive laws governing online speech, a new report finds, a trend that researchers say puts both free expression and the fate of tech companies' overseas employees at risk.

Over the last year alone, some 48 countries worldwide introduced — and in some cases, passed — laws to regulate tech companies, according to the latest report by Freedom House, a nonprofit that publishes an annual survey on internet freedoms in 70 countries. While those laws have often been passed in the name of promoting competition, protecting people's data and moderating offensive content, the report's authors say that, in many cases, these laws are merely thinly veiled attempts to force companies into censorship and surveillance.

Keep Reading Show less
Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.

Latest Stories