Power

Van Buren v. United States: The SCOTUS case splitting the privacy world in two

The court will hear oral arguments Monday in a case that could expand what's considered a computer crime and strengthen the power of big tech companies.

Van Buren v. United States: The SCOTUS case splitting the privacy world in two

Van Buren v. U.S. could have sweeping consequences for the future of internet safety and the power tech companies have over their users.

Photo: Mark Wilson/Getty Images

The country's foundational anti-hacking law — the Computer Fraud and Abuse Act — faces a major test Monday, as the Supreme Court prepares to hear arguments in a case that could radically broaden the scope of what's considered a computer crime and expand the power that companies have over their users.

The case, Van Buren v. United States, has divided frequent allies in the security and privacy space. On one side are groups like the Electronic Frontier Foundation and the American Civil Liberties Union, who argue that expanding the interpretation of the CFAA could make research conducted by cybersecurity experts and journalists alike illegal, paving the way for increased legal action by tech companies. On the other are groups like the Electronic Privacy Information Center and a raft of prominent privacy scholars who emphasize that the case before the court involves a law enforcement official using a government database to commit a serious privacy breach — behavior they say the law does and should prohibit.

Whatever the court decides, both sides believe the decision will have sweeping consequences for the future of internet safety and the power that companies have over their users.

At the center of the case is a former Georgia police officer named Nathan Van Buren, who was convicted in 2017 of violating the CFAA after he accepted money to look up a woman's license plate in a law enforcement database and was caught in an FBI sting. The CFAA, which was enacted in 1986, made it a crime to knowingly access a computer "without authorization or exceeding authorized access," a frustratingly vague standard that has been interpreted differently by the courts. Van Buren successfully petitioned the Supreme Court to take up his case, arguing that he didn't violate the CFAA because he did have authorized access to use the system; he merely used it for unauthorized purposes, just as millions of Americans, say, use their work computers to check sports scores.

Van Buren's argument has gained traction with cybersecurity professionals and civil liberties groups, who say that the CFAA is meant to prevent actual hacking. Interpreting it broadly to also include unauthorized actions by authorized users, they argue, would also make it a crime for anyone to violate a web company's terms of service. That, they fear, would make research and reporting that requires something as simple as creating a fake account on Facebook or scraping publicly available data illegal.

"Something that's concerned us for a long time is the ability of journalists and researchers to conduct research that we think is really in the public interest, especially on huge tech platforms like the social media companies," said Stephanie Krent, staff attorney at the Knight First Amendment Institute, which signed on to an amicus brief siding with Van Buren. "Journalists and researchers who want to study those questions shouldn't face criminal civil liability just for breaching terms of service."

In recent years, tech companies, including Facebook, have repeatedly sought legal remedies to enforce their terms of service. Just last month, Facebook tried to shut down a research project at New York University focused on Facebook ads, arguing that the researchers' strategy violated Facebook's terms and put Facebook at risk of violating its own consent decree with the Federal Trade Commission.

"You can see examples of how big companies are using CFAA for so-called privacy enforcement and why we think that's a really bad idea," said Andrew Crocker, staff attorney at EFF. "They're kind of just using it as an excuse to bully outside groups they don't like." If the court sides against Van Buren, Crocker and others worry that bullying will only get worse.

That groups like the EFF and ACLU are lining up behind a police officer who misused a government database to spy on a private citizen is unusual. Those same groups have been among the loudest opponents of police surveillance and have been particularly suspicious of automated license plate readers in particular. But they argue that the privacy concerns raised by Van Buren's case can and should be addressed through other means. "It's not a privacy statute, and it wasn't passed as a privacy statute," said Crocker. "To the extent folks are concerned about misuse of data online and unintended consequences, the way to solve that is with a federal privacy law."

Groups like EPIC have, meanwhile, made precisely the opposite point. In its amicus brief, EPIC argues that protecting privacy is core to the CFAA and that the law was written to defend against both outside hackers and unauthorized access from insiders. EPIC points to a Senate report that was published when the CFAA was amended in 1996, which stated that the changes were designed to "increase protection for the privacy and confidentiality of consumer information." EPIC's lawyers argue it's especially important for the CFAA to hold government officials like Van Buren accountable for misusing the "vast troves" of highly sensitive personal information they have access to.

"This case concerns a police officer who abused his login credential and the public trust by accessing a record in a database filled with sensitive personal information for no other purpose than to sell it to an outsider," said Megan Iorio, counsel for EPIC. "This is the kind of behavior we think is clearly covered by the statute."

Taking the state's side in this case has made EPIC, another organization wary of police surveillance, strange bedfellows with groups like the Federal Law Enforcement Officers Association. That's not to say EPIC doesn't agree that researchers and journalists are doing important work that ought to be considered carefully under the CFAA. But it argues that the "slippery slope" argument invoked by the EFF and ACLU is weak, because Van Buren wasn't tapping into a public consumer-facing website with its terms of service hidden away in fine print. He was improperly accessing a government database. Iorio says the court could find Van Buren to be in violation of the CFAA without making broader proclamations about violations of internet terms of service. "The Van Buren case doesn't require figuring out all the nuanced ways the CFAA applies in the internet context because it's not internet-based," she said.

Instead, she believes concerns about research and journalism are better handled through another case called LinkedIn v. hiQ. In that case, hiQ was scraping public LinkedIn data to make its own HR tool. When LinkedIn found out, it slapped hiQ with a cease and desist letter. HiQ filed suit to prevent LinkedIn from taking legal action under the CFAA. A court in that case said that hiQ's scraping of public data from LinkedIn didn't violate the law, but LinkedIn has since petitioned the Supreme Court to take up the case. That case has also divided the privacy community, with EPIC taking LinkedIn's side in the name of protecting internet users' data and the EFF taking hiQ's in the name of protecting researchers and journalists who scrape public data in the course of their work.

Whether the court decides to hear that case will likely depend a lot on the decision in Van Buren, which could have downstream consequences for that case — and so many others in the future.

Entertainment

'The Wilds' is a must-watch guilty pleasure and more weekend recs

Don’t know what to do this weekend? We’ve got you covered.

Our favorite things this week.

Illustration: Protocol

The East Coast is getting a little preview of summer this weekend. If you want to stay indoors and beat the heat, we have a few suggestions this week to keep you entertained, like a new season of Amazon Prime’s guilty-pleasure show, “The Wilds,” a new game from Horizon Worlds that’s fun for everyone and a sneak peek from Adam Mosseri into what Instagram is thinking about Web3.

Keep Reading Show less
Janko Roettgers

Janko Roettgers (@jank0) is a senior reporter at Protocol, reporting on the shifting power dynamics between tech, media, and entertainment, including the impact of new technologies. Previously, Janko was Variety's first-ever technology writer in San Francisco, where he covered big tech and emerging technologies. He has reported for Gigaom, Frankfurter Rundschau, Berliner Zeitung, and ORF, among others. He has written three books on consumer cord-cutting and online music and co-edited an anthology on internet subcultures. He lives with his family in Oakland.

Sponsored Content

Why the digital transformation of industries is creating a more sustainable future

Qualcomm’s chief sustainability officer Angela Baker on how companies can view going “digital” as a way not only toward growth, as laid out in a recent report, but also toward establishing and meeting environmental, social and governance goals.

Three letters dominate business practice at present: ESG, or environmental, social and governance goals. The number of mentions of the environment in financial earnings has doubled in the last five years, according to GlobalData: 600,000 companies mentioned the term in their annual or quarterly results last year.

But meeting those ESG goals can be a challenge — one that businesses can’t and shouldn’t take lightly. Ahead of an exclusive fireside chat at Davos, Angela Baker, chief sustainability officer at Qualcomm, sat down with Protocol to speak about how best to achieve those targets and how Qualcomm thinks about its own sustainability strategy, net zero commitment, other ESG targets and more.

Keep Reading Show less
Chris Stokel-Walker

Chris Stokel-Walker is a freelance technology and culture journalist and author of "YouTubers: How YouTube Shook Up TV and Created a New Generation of Stars." His work has been published in The New York Times, The Guardian and Wired.

Workplace

Work expands to fill the time – but only if you let it

The former Todoist productivity expert drops time-blocking tips, lofi beats playlists for concentrating and other knowledge bombs.

“I do hope the productivity space as a whole is more intentional about pushing narratives that are about life versus just work.”

Photo: Courtesy of Fadeke Adegbuyi

Fadeke Adegbuyi knows how to dole out productivity advice. When she was a marketing manager at Doist, she taught users via blogs and newsletters about how to better organize their lives. Doist, the company behind to-do-list app Todoist and messaging app Twist, has pushed remote and asynchronous work for years. Adegbuyi’s job was to translate these ideas to the masses.

“We were thinking about asynchronous communication from a work point of view, of like: What is most effective for doing ambitious and awesome work, and also, what is most advantageous for living a life that feels balanced?” Adegbuyi said.

Keep Reading Show less
Lizzy Lawrence

Lizzy Lawrence ( @LizzyLaw_) is a reporter at Protocol, covering tools and productivity in the workplace. She's a recent graduate of the University of Michigan, where she studied sociology and international studies. She served as editor in chief of The Michigan Daily, her school's independent newspaper. She's based in D.C., and can be reached at llawrence@protocol.com.

Workplace

It's OK to cry at work

Our comfort with crying at work has changed drastically over the past couple years. But experts said the hard part is helping workers get through the underlying mental health challenges.

Tech workers and workplace mental health experts said discussing emotions at work has become less taboo over the past couple years, but we’re still a ways away from completely normalizing the conversation — and adjusting policies accordingly.

Photo: Teerasak Ainkeaw / EyeEm via Getty Images

Everyone seems to be ugly crying on the internet these days. A new Snapchat filter makes people look like they’re breaking down on television, crying at celebratory occasions or crying when it sounds like they’re laughing. But one of the ways it's been used is weirdly cathartic: the workplace.

In one video, a creator posted a video of their co-worker merely sitting at a desk, presumably giggling or smiling, but the Snapchat tool gave them a pained look on their face. The video was captioned: “When you still have two hours left of your working day.” Another video showed someone asking their co-workers if they enjoy their job. Everyone said yes, but the filter indicated otherwise.

Keep Reading Show less
Sarah Roach

Sarah Roach is a news writer at Protocol (@sarahroach_) and contributes to Source Code. She is a recent graduate of George Washington University, where she studied journalism and mass communication and criminal justice. She previously worked for two years as editor in chief of her school's independent newspaper, The GW Hatchet.

Enterprise

Arm’s new CEO is planning the IPO it sought to avoid last year

Arm CEO Rene Haas told Protocol that Arm will be fine as a standalone company, as it focuses on efficient computing and giving customers a more finished product than a basic chip core design.

Rene Haas is taking Arm on a fresh trajectory.

Photo: Arm

The new path for Arm is beginning to come into focus.

Weeks after Nvidia’s $40 bid to acquire Arm from SoftBank collapsed, the appointment of Rene Haas to replace longtime chief executive Simon Segars has set the business on a fresh trajectory. Haas appears determined to shake up the company, with plans to lay off as much as 15% of the staff ahead of plans to take the company public once again by the end of March next year.

Keep Reading Show less
Max A. Cherney

Max A. Cherney is a senior reporter at Protocol covering the semiconductor industry. He has worked for Barron's magazine as a Technology Reporter, and its sister site MarketWatch. He is based in San Francisco.

Latest Stories
Bulletins