SCOTUS limits core anti-hacking law in Van Buren decision

The court overturned the conviction of a police officer who was accused of violating the Computer Fraud and Abuse Act for accessing a government database in exchange for money.


The Supreme Court overturned the conviction of a former police officer who was accused of violating the country's core anti-hacking statute by accessing information in a law enforcement database in exchange for money. The decision stands to substantially limit tech companies' ability to enforce their terms of service against users who violate them.

The 6-3 decision in Van Buren v. United States marks the first time the court has ruled on the Computer Fraud and Abuse Act. In a narrow interpretation of the law, the court essentially interpreted the CFAA as a prohibition on breaking into a computer system, whether that's as an outside hacker or as an authorized user breaking into some gated part of that system.

"This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend," the majority opinion reads. "It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them."

The case has been closely watched in tech and privacy circles due to its implications for the legal interpretation of the CFAA, a notoriously vague law that forbids accessing a computer "without authorization or exceeding authorized access." The U.S. government argued that the former police officer, Nathan Van Buren, did just that when he accepted a bribe and improperly accessed a woman's license plate information in a government database as part of what turned out to be an FBI sting. While Van Buren was an authorized user of that database, the state argued he had exceeded his authorization in using it for that purpose.

But Van Buren argued that was an overly broad interpretation of the law. If a user of a computer system is breaking the law simply by violating the terms of that system, he argued, then anyone could be found guilty of violating the CFAA for, say, using their work computer for personal reasons. Recently, tech giants like Facebook have sought to shut down research projects for violations of their terms of service, and groups like the Electronic Frontier Foundation that sided with Van Buren argued that expanding the interpretation of the CFAA could make it easier for companies to exert legal power over their users.

The court ultimately sided with Van Buren. "The Government's interpretation of the 'exceeds authorized access' clause would attach criminal penalties to a breathtaking amount of commonplace computer activity," the opinion, written by Justice Amy Coney Barrett, reads. "For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government's reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA."

Defining the word 'so'

The CFAA is pretty clear about what it means to break into a computer system as an unauthorized user. But the Van Buren decision creates an important clarification about what it means to be an authorized user who exceeds that authorized access. The decision rests in part on a close read of the statute, which defines exceeding authorized access to mean accessing a computer "with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."

The question was whether Van Buren was, in fact, "entitled so to obtain" the information in the database he accessed. The government read the clause broadly, interpreting it to mean that authorized users of a computer system could exceed authorized access by accessing readily available information in certain unauthorized circumstances. But Van Buren argued, and the court agreed, that he would only be violating the statute if he had used the computer to access gated information he shouldn't have had access to.

What's less clear from this decision, as Berkeley Law professor Orin Kerr pointed out on Twitter, is how exactly the court defines a gate. "Does there need to be a technological gate, or can a gate of words ('do not access this computer for a bad purpose') suffice?" Kerr asked.

Not everyone viewed the court's framing as particularly helpful; some called instead for more extensive reform of the CFAA. "We're now going to have an endless string of debates about what the hell 'areas of a computer' means, as though that is a meaningful mental model for thinking about how computers actually work," tweeted Blake Reid, a professor of technology policy at Colorado Law. "I guess the upside is that the court says we're now going to use a sort of geographically oriented frame for that analysis, looking at *what* you're authorized to access and not deeply examining the reasons why."

Still, the majority opinion appears to substantially impact tech companies' ability to argue that their users — all authorized to access their platforms — have violated the CFAA by disobeying their terms of service, which often forbid activities like data scraping or creating false identities. Researchers have argued both tactics are essential to better understanding online platforms.

In his dissent, Justice Clarence Thomas offered a broader interpretation of what it means to exceed authorized access. "The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have 'exceed[ed] authorized access' to the database when he used it under circumstances that were expressly forbidden?" Thomas wrote. "In my view, the answer is yes."

Thomas also took issue with the court's concerns about criminalizing all kinds of benign behaviors. "Much of the Federal Code criminalizes common activity," Thomas wrote. "It is understandable to be uncomfortable with so much conduct being criminalized, but that discomfort does not give us authority to alter statutes."

This story has been updated to include additional information from the court's decision.

