SCOTUS limits core anti-hacking law in Van Buren decision

The court overturned the conviction of a police officer who was accused of violating the Computer Fraud and Abuse Act for accessing a government database in exchange for money.

The Supreme Court of the United States

Photo: Angel Xavier Viera-Vargas

The Supreme Court overturned the conviction of a former police officer who was accused of violating the country's core anti-hacking statute by accessing information in a law enforcement database in exchange for money. The decision stands to substantially limit tech companies' ability to enforce their terms of service against users who violate them.

The 6-3 decision in Van Buren v. United States marks the first time the court has ruled on the Computer Fraud and Abuse Act. In a narrow interpretation of the law, the court essentially interpreted the CFAA as a prohibition on breaking into a computer system, whether that's as an outside hacker or as an authorized user breaking into some gated part of that system.

"This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend," the majority opinion reads. "It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them."

The case has been closely watched in tech and privacy circles due to its implications for the legal interpretation of the CFAA, a notoriously vague law that forbids accessing a computer "without authorization or exceeding authorized access." The U.S. government argued that the former police officer, Nathan Van Buren, did just that when he accepted a bribe and improperly accessed a woman's license plate information in a government database as part of what turned out to be an FBI sting. While Van Buren was an authorized user of that database, the state argued he had exceeded his authorization in using it for that purpose.

But Van Buren argued that was an overly broad interpretation of the law. If a user of a computer system is breaking the law simply by violating the terms of that system, he argued, then anyone could be found guilty of violating the CFAA for, say, using their work computer for personal reasons. Recently, tech giants like Facebook have sought to shut down research projects for violations of their terms of service, and groups like the Electronic Frontier Foundation that sided with Van Buren argued that expanding the interpretation of the CFAA could make it easier for companies to exert legal power over their users.

The court ultimately sided with Van Buren. "The Government's interpretation of the 'exceeds authorized access' clause would attach criminal penalties to a breathtaking amount of commonplace computer activity," the opinion, written by Justice Amy Coney Barrett, reads. "For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government's reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA."

Defining the word 'so'

The CFAA is pretty clear about what it means to break into a computer system as an unauthorized user. But the Van Buren decision creates an important clarification about what it means to be an authorized user who exceeds that authorized access. The decision rests in part on a close read of the statute, which defines exceeding authorized access to mean accessing a computer "with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."

The question was whether Van Buren was, in fact, "entitled so to obtain" the information in the database he accessed. The government read the clause broadly, interpreting it to mean that authorized users of a computer system could exceed authorized access by accessing readily available information in certain unauthorized circumstances. But Van Buren argued, and the court agreed, that he would only be violating the statute if he had used the computer to access gated information he shouldn't have had access to.

What's less clear from this decision, as Berkeley Law professor Orin Kerr pointed out on Twitter, is how exactly the court defines a gate. "Does there need to be a technological gate, or can a gate of words ('do not access this computer for a bad purpose') suffice?" Kerr asked.

Not everyone viewed the court's framing as particularly helpful; some called instead for more extensive reform of the CFAA. "We're now going to have an endless string of debates about what the hell 'areas of a computer' means, as though that is a meaningful mental model for thinking about how computers actually work," tweeted Blake Reid, a professor of technology policy at Colorado Law. "I guess the upside is that the court says we're now going to use a sort of geographically oriented frame for that analysis, looking at *what* you're authorized to access and not deeply examining the reasons why."

Still, the majority opinion appears to substantially impact tech companies' ability to argue that their users — all authorized to access their platforms — have violated the CFAA by disobeying their terms of service, which often forbid activities like data scraping or creating false identities. Researchers have argued both tactics are essential to better understanding online platforms.

In his dissent, Justice Clarence Thomas offered a broader interpretation of what it means to exceed authorized access. "The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have 'exceed[ed] authorized access' to the database when he used it under circumstances that were expressly forbidden?" Thomas wrote. "In my view, the answer is yes."

Thomas also took issue with the court's concerns about criminalizing all kinds of benign behaviors. "Much of the Federal Code criminalizes common activity," Thomas wrote. "It is understandable to be uncomfortable with so much conduct being criminalized, but that discomfort does not give us authority to alter statutes."

This story has been updated to include additional information from the court's decision.
