power
Power

Van Buren v. United States: The SCOTUS case splitting the privacy world in two

The court will hear oral arguments Monday in a case that could expand what's considered a computer crime and strengthen the power of big tech companies.

Van Buren v. United States: The SCOTUS case splitting the privacy world in two

Van Buren v. U.S. could have sweeping consequences for the future of internet safety and the power tech companies have over their users.

Photo: Mark Wilson/Getty Images

The country's foundational anti-hacking law — the Computer Fraud and Abuse Act — faces a major test Monday, as the Supreme Court prepares to hear arguments in a case that could radically broaden the scope of what's considered a computer crime and expand the power that companies have over their users.

The case, Van Buren v. United States, has divided frequent allies in the security and privacy space. On one side are groups like the Electronic Frontier Foundation and the American Civil Liberties Union, who argue that expanding the interpretation of the CFAA could make research conducted by cybersecurity experts and journalists alike illegal, paving the way for increased legal action by tech companies. On the other are groups like the Electronic Privacy Information Center and a raft of prominent privacy scholars who emphasize that the case before the court involves a law enforcement official using a government database to commit a serious privacy breach — behavior they say the law does and should prohibit.

Whatever the court decides, both sides believe the decision will have sweeping consequences for the future of internet safety and the power that companies have over their users.

At the center of the case is a former Georgia police officer named Nathan Van Buren, who was convicted in 2017 of violating the CFAA after he accepted money to look up a woman's license plate in a law enforcement database and was caught in an FBI sting. The CFAA, which was enacted in 1986, made it a crime to knowingly access a computer "without authorization or exceeding authorized access," a frustratingly vague standard that has been interpreted differently by the courts. Van Buren successfully petitioned the Supreme Court to take up his case, arguing that he didn't violate the CFAA because he did have authorized access to use the system; he merely used it for unauthorized purposes, just as millions of Americans, say, use their work computers to check sports scores.

Van Buren's argument has gained traction with cybersecurity professionals and civil liberties groups, who say that the CFAA is meant to prevent actual hacking. Interpreting it broadly to also include unauthorized actions by authorized users, they argue, would also make it a crime for anyone to violate a web company's terms of service. That, they fear, would make research and reporting that requires something as simple as creating a fake account on Facebook or scraping publicly available data illegal.

"Something that's concerned us for a long time is the ability of journalists and researchers to conduct research that we think is really in the public interest, especially on huge tech platforms like the social media companies," said Stephanie Krent, staff attorney at the Knight First Amendment Institute, which signed on to an amicus brief siding with Van Buren. "Journalists and researchers who want to study those questions shouldn't face criminal civil liability just for breaching terms of service."

In recent years, tech companies, including Facebook, have repeatedly sought legal remedies to enforce their terms of service. Just last month, Facebook tried to shut down a research project at New York University focused on Facebook ads, arguing that the researchers' strategy violated Facebook's terms and put Facebook at risk of violating its own consent decree with the Federal Trade Commission.

"You can see examples of how big companies are using CFAA for so-called privacy enforcement and why we think that's a really bad idea," said Andrew Crocker, staff attorney at EFF. "They're kind of just using it as an excuse to bully outside groups they don't like." If the court sides against Van Buren, Crocker and others worry that bullying will only get worse.

That groups like the EFF and ACLU are lining up behind a police officer who misused a government database to spy on a private citizen is unusual. Those same groups have been among the loudest opponents of police surveillance and have been particularly suspicious of automated license plate readers in particular. But they argue that the privacy concerns raised by Van Buren's case can and should be addressed through other means. "It's not a privacy statute, and it wasn't passed as a privacy statute," said Crocker. "To the extent folks are concerned about misuse of data online and unintended consequences, the way to solve that is with a federal privacy law."

Groups like EPIC have, meanwhile, made precisely the opposite point. In its amicus brief, EPIC argues that protecting privacy is core to the CFAA and that the law was written to defend against both outside hackers and unauthorized access from insiders. EPIC points to a Senate report that was published when the CFAA was amended in 1996, which stated that the changes were designed to "increase protection for the privacy and confidentiality of consumer information." EPIC's lawyers argue it's especially important for the CFAA to hold government officials like Van Buren accountable for misusing the "vast troves" of highly sensitive personal information they have access to.

"This case concerns a police officer who abused his login credential and the public trust by accessing a record in a database filled with sensitive personal information for no other purpose than to sell it to an outsider," said Megan Iorio, counsel for EPIC. "This is the kind of behavior we think is clearly covered by the statute."

Taking the state's side in this case has made EPIC, another organization wary of police surveillance, strange bedfellows with groups like the Federal Law Enforcement Officers Association. That's not to say EPIC doesn't agree that researchers and journalists are doing important work that ought to be considered carefully under the CFAA. But it argues that the "slippery slope" argument invoked by the EFF and ACLU is weak, because Van Buren wasn't tapping into a public consumer-facing website with its terms of service hidden away in fine print. He was improperly accessing a government database. Iorio says the court could find Van Buren to be in violation of the CFAA without making broader proclamations about violations of internet terms of service. "The Van Buren case doesn't require figuring out all the nuanced ways the CFAA applies in the internet context because it's not internet-based," she said.

Instead, she believes concerns about research and journalism are better handled through another case called LinkedIn v. hiQ. In that case, hiQ was scraping public LinkedIn data to make its own HR tool. When LinkedIn found out, it slapped hiQ with a cease and desist letter. HiQ filed suit to prevent LinkedIn from taking legal action under the CFAA. A court in that case said that hiQ's scraping of public data from LinkedIn didn't violate the law, but LinkedIn has since petitioned the Supreme Court to take up the case. That case has also divided the privacy community, with EPIC taking LinkedIn's side in the name of protecting internet users' data and the EFF taking hiQ's in the name of protecting researchers and journalists who scrape public data in the course of their work.

Whether the court decides to hear that case will likely depend a lot on the decision in Van Buren, which could have downstream consequences for that case — and so many others in the future.

 Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.

supreme court cybersecurity privacy power
Protocol | Policy

5 things to know about FCC nominee Gigi Sohn

The veteran of some of the earliest tech policy fights is a longtime consumer champion and net-neutrality advocate.

Gigi Sohn, who President Joe Biden nominated to serve on the FCC, is a longtime net-neutrality advocate.

Photo: Alex Wong/Getty Images

President Joe Biden on Tuesday nominated Gigi Sohn to serve as a Federal Communications Commissioner, teeing up a Democratic majority at the agency that oversees broadband issues after months of delay.

Like Lina Khan, who Biden picked in June to head up the Federal Trade Commission, Sohn is a progressive favorite. And if confirmed, she'll take up a position in an agency trying to pull policy levers on net neutrality, privacy and broadband access even as Congress is stalled.

Keep Reading Show less
Ben Brody

Ben Brody (@ BenBrodyDC) is a senior reporter at Protocol focusing on how Congress, courts and agencies affect the online world we live in. He formerly covered tech policy and lobbying (including antitrust, Section 230 and privacy) at Bloomberg News, where he previously reported on the influence industry, government ethics and the 2016 presidential election. Before that, Ben covered business news at CNNMoney and AdAge, and all manner of stories in and around New York. He still loves appearing on the New York news radio he grew up with.

fcc policy
sponsored content
Sponsored Content

Four processes to keep you innovating through change

If you've ever tried to pick up a new fitness routine like running, chances are you may have fallen into the "motivation vs. habit" trap once or twice. You go for a run when the sun is shining, only to quickly fall off the wagon when the weather turns sour.

Similarly, for many businesses, 2020 acted as the storm cloud that disrupted their plans for innovation. With leaders busy grappling with the pandemic, innovation frequently got pushed to the backburner. In fact, according to McKinsey, the majority of organizations shifted their focus mainly to maintaining business continuity throughout the pandemic.

Keep Reading Show less
Gaurav Kataria
Group Product Manager, Trello at Atlassian
sponsored content sponsored
Protocol | Workplace

Adobe wants a more authentic NFT world

Adobe's Content Credentials feature will allow Creative Cloud subscribers to attach edit-tracking information to Photoshop files. The goal is to create a more trustworthy NFT market and digital landscape.

Adobe's Content Credentials will allow users to attach their identities to an image

Image: Adobe

Remember the viral, fake photo of Kurt Cobain and Biggie Smalls that duped and delighted the internet in 2017? Doctored images manipulate people and erode trust and we're not great at spotting them. The entire point of the emerging NFT art market is to create valuable and scarce digital files and when there isn't an easy way to check for an image's origin and edits, there's a problem. What if someone steals an NFT creator's image and pawns it off as their own? As a hub for all kinds of multimedia, Adobe feels a responsibility to combat misinformation and provide a safe space for NFT creators. That's why it's rolling out Content Credentials, a record that can be attached to a Photoshop file of a creator's identity and includes any edits they made.

Users can connect their social media addresses and crypto wallet addresses to images in Photoshop. This further proves the image creator's identity, but it's also helpful in determining the creators of NFTs. Adobe has partnered with NFT marketplaces KnownOrigin, OpenSea, Rarible and SuperRare in this effort. "Today there's not a way to know that the NFT you're buying was actually created by a true creator," said Adobe General Counsel Dana Rao. "We're allowing the creator to show their identity and attach it to the image."

Keep Reading Show less
Lizzy Lawrence

Lizzy Lawrence ( @LizzyLaw_) is a reporter at Protocol, covering tools and productivity in the workplace. She's a recent graduate of the University of Michigan, where she studied sociology and international studies. She served as editor in chief of The Michigan Daily, her school's independent newspaper. She's based in D.C., and can be reached at llawrence@protocol.com.

productivity workplace
dating apps
Protocol | China

Why another Chinese lesbian dating app just shut down

With neither political support nor a profitable business model, lesbian dating apps are finding it hard to survive in China.

Operating a dating app for LGBTQ+ communities in China is like walking a tightrope.

Photo: Nicolas Asfouri/AFP via Getty Images

When Lesdo, a Chinese dating app designed for lesbian women, announced it was closing down, it didn't come as a surprise to the LGBTQ+ community.

It's unclear what directly caused this decision. 2021 hasn't been kind to China's queer communities; WeChat has deactivated queer groups' public accounts and Beijing has pressured charity organizations not to work with queer activists.

Keep Reading Show less
Zeyi Yang
Zeyi Yang is a reporter with Protocol | China. Previously, he worked as a reporting fellow for the digital magazine Rest of World, covering the intersection of technology and culture in China and neighboring countries. He has also contributed to the South China Morning Post, Nikkei Asia, Columbia Journalism Review, among other publications. In his spare time, Zeyi co-founded a Mandarin podcast that tells LGBTQ stories in China. He has been playing Pokemon for 14 years and has a weird favorite pick.
censorship dating app lgbtq social media dating apps
wearables

The Oura Ring was a sleep-tracking hit. Can the next one be even more?

Oura wants to be a media company, an activity tracker and even a way to know you're sick before you feel sick.

Over the last few years, the Oura Ring has become one of the most recognizable wearables this side of the Apple Watch.

Photo: Oura

Oura CEO Harpreet Rai swears he didn't know Kim Kardashian was a fan. He was as surprised as anyone when she started posting screenshots from the Oura app to her Instagram story, and got into a sleep battle with fellow Oura user Gwyneth Paltrow. Or when Jennifer Aniston revealed that Jimmy Kimmel got her hooked on Oura … and how her ring fell off in a salad. "I am addicted to it," Aniston said, "and it's ruining my life" by shaming her about her lack of sleep. "I think we're definitely seeing traction outside of tech," Rai said. "Which is cool."

Over the last couple of years, Oura's ring (imaginatively named the Oura Ring) has become one of the most recognizable wearables this side of the Apple Watch. The company started with a Kickstarter campaign in 2015, but really started to find traction with its second-generation model in 2018. It's not exactly a mainstream device — Oura said it has sold more than 500,000 rings, up from 150,000 in March 2020 but still not exactly Apple Watch levels — but it has reached some of the most successful, influential and probably sleep-deprived people in the industry. Jack Dorsey is a professed fan, as is Marc Benioff.

Keep Reading Show less
David Pierce

David Pierce ( @pierce) is Protocol's editorial director. Prior to joining Protocol, he was a columnist at The Wall Street Journal, a senior writer with Wired, and deputy editor at The Verge. He owns all the phones.

wearables oura ring health tech
Latest Stories