yesIssie LapowskyNone
×

Get access to Protocol

I’ve already subscribed

Will be used in accordance with our Privacy Policy

Power

Van Buren v. United States: The SCOTUS case splitting the privacy world in two

The court will hear oral arguments Monday in a case that could expand what's considered a computer crime and strengthen the power of big tech companies.

Van Buren v. United States: The SCOTUS case splitting the privacy world in two

Van Buren v. U.S. could have sweeping consequences for the future of internet safety and the power tech companies have over their users.

Photo: Mark Wilson/Getty Images

The country's foundational anti-hacking law — the Computer Fraud and Abuse Act — faces a major test Monday, as the Supreme Court prepares to hear arguments in a case that could radically broaden the scope of what's considered a computer crime and expand the power that companies have over their users.

The case, Van Buren v. United States, has divided frequent allies in the security and privacy space. On one side are groups like the Electronic Frontier Foundation and the American Civil Liberties Union, who argue that expanding the interpretation of the CFAA could make research conducted by cybersecurity experts and journalists alike illegal, paving the way for increased legal action by tech companies. On the other are groups like the Electronic Privacy Information Center and a raft of prominent privacy scholars who emphasize that the case before the court involves a law enforcement official using a government database to commit a serious privacy breach — behavior they say the law does and should prohibit.

Whatever the court decides, both sides believe the decision will have sweeping consequences for the future of internet safety and the power that companies have over their users.

At the center of the case is a former Georgia police officer named Nathan Van Buren, who was convicted in 2017 of violating the CFAA after he accepted money to look up a woman's license plate in a law enforcement database and was caught in an FBI sting. The CFAA, which was enacted in 1986, made it a crime to knowingly access a computer "without authorization or exceeding authorized access," a frustratingly vague standard that has been interpreted differently by the courts. Van Buren successfully petitioned the Supreme Court to take up his case, arguing that he didn't violate the CFAA because he did have authorized access to use the system; he merely used it for unauthorized purposes, just as millions of Americans, say, use their work computers to check sports scores.

Van Buren's argument has gained traction with cybersecurity professionals and civil liberties groups, who say that the CFAA is meant to prevent actual hacking. Interpreting it broadly to also include unauthorized actions by authorized users, they argue, would also make it a crime for anyone to violate a web company's terms of service. That, they fear, would make research and reporting that requires something as simple as creating a fake account on Facebook or scraping publicly available data illegal.

"Something that's concerned us for a long time is the ability of journalists and researchers to conduct research that we think is really in the public interest, especially on huge tech platforms like the social media companies," said Stephanie Krent, staff attorney at the Knight First Amendment Institute, which signed on to an amicus brief siding with Van Buren. "Journalists and researchers who want to study those questions shouldn't face criminal civil liability just for breaching terms of service."

In recent years, tech companies, including Facebook, have repeatedly sought legal remedies to enforce their terms of service. Just last month, Facebook tried to shut down a research project at New York University focused on Facebook ads, arguing that the researchers' strategy violated Facebook's terms and put Facebook at risk of violating its own consent decree with the Federal Trade Commission.

"You can see examples of how big companies are using CFAA for so-called privacy enforcement and why we think that's a really bad idea," said Andrew Crocker, staff attorney at EFF. "They're kind of just using it as an excuse to bully outside groups they don't like." If the court sides against Van Buren, Crocker and others worry that bullying will only get worse.

That groups like the EFF and ACLU are lining up behind a police officer who misused a government database to spy on a private citizen is unusual. Those same groups have been among the loudest opponents of police surveillance and have been particularly suspicious of automated license plate readers in particular. But they argue that the privacy concerns raised by Van Buren's case can and should be addressed through other means. "It's not a privacy statute, and it wasn't passed as a privacy statute," said Crocker. "To the extent folks are concerned about misuse of data online and unintended consequences, the way to solve that is with a federal privacy law."

Groups like EPIC have, meanwhile, made precisely the opposite point. In its amicus brief, EPIC argues that protecting privacy is core to the CFAA and that the law was written to defend against both outside hackers and unauthorized access from insiders. EPIC points to a Senate report that was published when the CFAA was amended in 1996, which stated that the changes were designed to "increase protection for the privacy and confidentiality of consumer information." EPIC's lawyers argue it's especially important for the CFAA to hold government officials like Van Buren accountable for misusing the "vast troves" of highly sensitive personal information they have access to.

"This case concerns a police officer who abused his login credential and the public trust by accessing a record in a database filled with sensitive personal information for no other purpose than to sell it to an outsider," said Megan Iorio, counsel for EPIC. "This is the kind of behavior we think is clearly covered by the statute."

Taking the state's side in this case has made EPIC, another organization wary of police surveillance, strange bedfellows with groups like the Federal Law Enforcement Officers Association. That's not to say EPIC doesn't agree that researchers and journalists are doing important work that ought to be considered carefully under the CFAA. But it argues that the "slippery slope" argument invoked by the EFF and ACLU is weak, because Van Buren wasn't tapping into a public consumer-facing website with its terms of service hidden away in fine print. He was improperly accessing a government database. Iorio says the court could find Van Buren to be in violation of the CFAA without making broader proclamations about violations of internet terms of service. "The Van Buren case doesn't require figuring out all the nuanced ways the CFAA applies in the internet context because it's not internet-based," she said.

Instead, she believes concerns about research and journalism are better handled through another case called LinkedIn v. hiQ. In that case, hiQ was scraping public LinkedIn data to make its own HR tool. When LinkedIn found out, it slapped hiQ with a cease and desist letter. HiQ filed suit to prevent LinkedIn from taking legal action under the CFAA. A court in that case said that hiQ's scraping of public data from LinkedIn didn't violate the law, but LinkedIn has since petitioned the Supreme Court to take up the case. That case has also divided the privacy community, with EPIC taking LinkedIn's side in the name of protecting internet users' data and the EFF taking hiQ's in the name of protecting researchers and journalists who scrape public data in the course of their work.

Whether the court decides to hear that case will likely depend a lot on the decision in Van Buren, which could have downstream consequences for that case — and so many others in the future.

Big Tech benefits from Biden’s sweeping immigration actions

Tim Cook and Sundar Pichai praised President Biden's immigration actions, which read like a tech industry wishlist.

Newly-inaugurated President Joe Biden signed two immigration-related executive orders on Wednesday.

Photo: Chip Somodevilla/Getty Images

Immediately after being sworn in as president Wednesday, Joe Biden signed two pro-immigration executive orders and delivered an immigration bill to Congress that reads like a tech industry wishlist. The move drew enthusiastic praise from tech leaders, including Apple CEO Tim Cook and Alphabet CEO Sundar Pichai.

President Biden nullified several of former-President Trump's most hawkish immigration policies. His executive orders reversed the so-called "Muslim ban" and instructed the attorney general and the secretary of Homeland Security to preserve the Deferred Action for Childhood Arrivals, or DACA, program, which the Trump administration had sought to end. He also sent an expansive immigration reform bill to Congress that would provide a pathway to citizenship for undocumented individuals and make it easier for foreign U.S. graduates with STEM degrees to stay in the United States, among other provisions.

Keep Reading Show less
Emily Birnbaum

Emily Birnbaum ( @birnbaum_e) is a tech policy reporter with Protocol. Her coverage focuses on the U.S. government's attempts to regulate one of the most powerful industries in the world, with a focus on antitrust, privacy and politics. Previously, she worked as a tech policy reporter with The Hill after spending several months as a breaking news reporter. She is a Bethesda, Maryland native and proud Kenyon College alumna.

People

Amazon’s head of Alexa Trust on how Big Tech should talk about data

Anne Toth, Amazon's director of Alexa Trust, explains what it takes to get people to feel comfortable using your product — and why that is work worth doing.

Anne Toth, Amazon's director of Alexa Trust, has been working on tech privacy for decades.

Photo: Amazon

Anne Toth has had a long career in the tech industry, thinking about privacy and security at companies like Yahoo, Google and Slack, working with the World Economic Forum and advising companies around Silicon Valley.

Last August she took on a new job as the director of Alexa Trust, leading a big team tackling a big question: How do you make people feel good using a product like Alexa, which is designed to be deeply ingrained in their lives? "Alexa in your home is probably the closest sort of consumer experience or manifestation of AI in your life," she said. That comes with data questions, privacy questions, ethical questions and lots more.

Keep Reading Show less
David Pierce

David Pierce ( @pierce) is Protocol's editor at large. Prior to joining Protocol, he was a columnist at The Wall Street Journal, a senior writer with Wired, and deputy editor at The Verge. He owns all the phones.

Doxxing insurrectionists: Capitol riot divides online extremism researchers

The uprising has sparked a tense debate about the right way to stitch together the digital scraps of someone's life to publicly accuse them of committing a crime.

Rioters scale the U.S. Capitol walls during the insurrection.

Photo: Blink O'faneye/Flickr

Joan Donovan has a panic button in her office, just in case one of the online extremists she spends her days fighting tries to fight back.

"This is not baby shit," Donovan, who is research director of Harvard's Shorenstein Center on Media, Politics and Public Policy, said. "You do not fuck around with these people in public."

Keep Reading Show less
Issie Lapowsky
Issie Lapowsky (@issielapowsky) is a senior reporter at Protocol, covering the intersection of technology, politics, and national affairs. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University’s Center for Publishing on how tech giants have affected publishing. Email Issie.
Protocol | Enterprise

Don’t worry about the cybersecurity fallout of the Capitol breach

Members of Congress can't access classified information on their work computers, and the chances that Wednesday's mob contained a few moonlighting cyberspies are slim.

Any lasting cybersecurity damage from the breach is likely to be limited.

Photo: Louis Velazquez/Unsplash

Among the disasters that visited Capitol Hill on Wednesday, the fact that the people who infiltrated Congressional offices had unfettered access to IT assets for several hours ranks rather low.

One of the most iconic images of Wednesday's events was a picture of the home screen of Speaker Nancy Pelosi's office computer, abandoned in haste after a mob broke into the Capitol building, forcing Congress and staffers to retreat to safer locations. By design, nothing on Pelosi's computer was classified: Members of Congress have to enter a protected area room in the building to view secret documents, as you'll recall from last year's impeachment proceedings when several House Republicans stormed into such a room in protest because they were denied access to documents their leaders could access.

Keep Reading Show less
Tom Krazit

Tom Krazit ( @tomkrazit) is a senior reporter at Protocol, covering cloud computing and enterprise technology out of the Pacific Northwest. He has written and edited stories about the technology industry for almost two decades for publications such as IDG, CNET, paidContent, and GeekWire. He served as executive editor of Gigaom and Structure, and most recently produced a leading cloud computing newsletter called Mostly Cloudy.

Politics

In 2020, COVID-19 derailed the privacy debate

From biometric monitoring to unregulated contact tracing, the crisis opened up new privacy vulnerabilities that regulators did little to address.

Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, says the COVID-19 pandemic has become a "cash grab" for surveillance tech companies.

Photo: Lianhao Qu/Unsplash

As the coronavirus began its inexorable spread across the United States last spring, Adam Schwartz, senior staff attorney at the Electronic Frontier Foundation, worried the virus would bring with it another scourge: mass surveillance.

"A lot of really bad ideas were being advanced here in the U.S. and a lot of really bad ideas were being actually implemented in foreign countries," Schwartz said.

Keep Reading Show less
Issie Lapowsky
Issie Lapowsky (@issielapowsky) is a senior reporter at Protocol, covering the intersection of technology, politics, and national affairs. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University’s Center for Publishing on how tech giants have affected publishing. Email Issie.
Latest Stories