SCOTUS limits core anti-hacking law in Van Buren decision

The court overturned the conviction of a police officer who was accused of violating the Computer Fraud and Abuse Act for accessing a government database in exchange for money.


The Supreme Court overturned the conviction of a former police officer who was accused of violating the country's core anti-hacking statute by accessing information in a law enforcement database in exchange for money. The decision stands to substantially limit tech companies' ability to enforce their terms of service against users who violate them.

The 6-3 decision in Van Buren v. United States marks the first time the court has ruled on the Computer Fraud and Abuse Act. In a narrow interpretation of the law, the court essentially interpreted the CFAA as a prohibition on breaking into a computer system, whether that's as an outside hacker or as an authorized user breaking into some gated part of that system.

"This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend," the majority opinion reads. "It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them."

The case has been closely watched in tech and privacy circles due to its implications for the legal interpretation of the CFAA, a notoriously vague law that forbids accessing a computer "without authorization or exceeding authorized access." The U.S. government argued that the former police officer, Nathan Van Buren, did just that when he accepted a bribe and improperly accessed a woman's license plate information in a government database as part of what turned out to be an FBI sting. While Van Buren was an authorized user of that database, the state argued he had exceeded his authorization in using it for that purpose.

But Van Buren argued that was an overly broad interpretation of the law. If a user of a computer system is breaking the law simply by violating the terms of that system, he argued, then anyone could be found guilty of violating the CFAA for, say, using their work computer for personal reasons. Recently tech giants like Facebook have sought to shut down research projects for violations of their terms of service, and groups like the Electronic Frontier Foundation that sided with Van Buren argued that expanding the interpretation of CFAA could make it easier for companies to exert legal power over their users.

The court ultimately sided with Van Buren. "The Government's interpretation of the 'exceeds authorized access' clause would attach criminal penalties to a breathtaking amount of commonplace computer activity," the opinion, written by Justice Amy Coney Barrett, reads. "For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government's reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA."

Defining the word 'so'

The CFAA is pretty clear about what it means to break into a computer system as an unauthorized user. But the Van Buren decision creates an important clarification about what it means to be an authorized user who exceeds that authorized access. The decision rests in part on a close read of the statute, which defines exceeding authorized access to mean accessing a computer "with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."

The question was whether Van Buren was, in fact, "entitled so to obtain" the information in the database he accessed. The government read the clause broadly, interpreting it to mean that authorized users of a computer system could exceed authorized access by accessing readily available information in certain unauthorized circumstances. But Van Buren argued, and the court agreed, that he would only be violating the statute if he had used the computer to access gated information he shouldn't have had access to.

What's less clear from this decision, as Berkeley Law professor Orin Kerr pointed out on Twitter, is how exactly the court defines a gate. "Does there need to be a technological gate, or can a gate of words ('do not access this computer for a bad purpose') suffice?" Kerr asked.

Not everyone viewed the court's framing as particularly helpful; some called instead for more extensive reform of the CFAA. "We're now going to have an endless string of debates about what the hell 'areas of a computer' means, as though that is a meaningful mental model for thinking about how computers actually work," tweeted Blake Reid, a professor of technology policy at Colorado Law. "I guess the upside is that the court says we're now going to use a sort of geographically oriented frame for that analysis, looking at *what* you're authorized to access and not deeply examining the reasons why."

Still, the majority opinion appears to substantially impact tech companies' ability to argue that their users — all authorized to access their platforms — have violated the CFAA by disobeying their terms of service, which often forbid activities like data scraping or creating false identities. Researchers have argued both tactics are essential to better understanding online platforms.

In his dissent, Justice Clarence Thomas offered a broader interpretation of what it means to exceed authorized access. "The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have 'exceed[ed] authorized access' to the database when he used it under circumstances that were expressly forbidden?" Thomas wrote. "In my view, the answer is yes."

Thomas also took issue with the court's concerns about criminalizing all kinds of benign behaviors. "Much of the Federal Code criminalizes common activity," Thomas wrote. "It is understandable to be uncomfortable with so much conduct being criminalized, but that discomfort does not give us authority to alter statutes."

This story has been updated to include additional information from the court's decision.

