Power

Van Buren v. United States: The SCOTUS case splitting the privacy world in two

The court will hear oral arguments Monday in a case that could expand what's considered a computer crime and strengthen the power of big tech companies.

Van Buren v. United States: The SCOTUS case splitting the privacy world in two

Van Buren v. U.S. could have sweeping consequences for the future of internet safety and the power tech companies have over their users.

Photo: Mark Wilson/Getty Images

The country's foundational anti-hacking law — the Computer Fraud and Abuse Act — faces a major test Monday, as the Supreme Court prepares to hear arguments in a case that could radically broaden the scope of what's considered a computer crime and expand the power that companies have over their users.

The case, Van Buren v. United States, has divided frequent allies in the security and privacy space. On one side are groups like the Electronic Frontier Foundation and the American Civil Liberties Union, who argue that expanding the interpretation of the CFAA could make research conducted by cybersecurity experts and journalists alike illegal, paving the way for increased legal action by tech companies. On the other are groups like the Electronic Privacy Information Center and a raft of prominent privacy scholars who emphasize that the case before the court involves a law enforcement official using a government database to commit a serious privacy breach — behavior they say the law does and should prohibit.

Whatever the court decides, both sides believe the decision will have sweeping consequences for the future of internet safety and the power that companies have over their users.

At the center of the case is a former Georgia police officer named Nathan Van Buren, who was convicted in 2017 of violating the CFAA after he accepted money to look up a woman's license plate in a law enforcement database and was caught in an FBI sting. The CFAA, which was enacted in 1986, made it a crime to knowingly access a computer "without authorization or exceeding authorized access," a frustratingly vague standard that has been interpreted differently by the courts. Van Buren successfully petitioned the Supreme Court to take up his case, arguing that he didn't violate the CFAA because he did have authorized access to use the system; he merely used it for unauthorized purposes, just as millions of Americans, say, use their work computers to check sports scores.

Van Buren's argument has gained traction with cybersecurity professionals and civil liberties groups, who say that the CFAA is meant to prevent actual hacking. Interpreting it broadly to also include unauthorized actions by authorized users, they argue, would also make it a crime for anyone to violate a web company's terms of service. That, they fear, would make research and reporting that requires something as simple as creating a fake account on Facebook or scraping publicly available data illegal.

"Something that's concerned us for a long time is the ability of journalists and researchers to conduct research that we think is really in the public interest, especially on huge tech platforms like the social media companies," said Stephanie Krent, staff attorney at the Knight First Amendment Institute, which signed on to an amicus brief siding with Van Buren. "Journalists and researchers who want to study those questions shouldn't face criminal civil liability just for breaching terms of service."

In recent years, tech companies, including Facebook, have repeatedly sought legal remedies to enforce their terms of service. Just last month, Facebook tried to shut down a research project at New York University focused on Facebook ads, arguing that the researchers' strategy violated Facebook's terms and put Facebook at risk of violating its own consent decree with the Federal Trade Commission.

"You can see examples of how big companies are using CFAA for so-called privacy enforcement and why we think that's a really bad idea," said Andrew Crocker, staff attorney at EFF. "They're kind of just using it as an excuse to bully outside groups they don't like." If the court sides against Van Buren, Crocker and others worry that bullying will only get worse.

That groups like the EFF and ACLU are lining up behind a police officer who misused a government database to spy on a private citizen is unusual. Those same groups have been among the loudest opponents of police surveillance and have been particularly suspicious of automated license plate readers in particular. But they argue that the privacy concerns raised by Van Buren's case can and should be addressed through other means. "It's not a privacy statute, and it wasn't passed as a privacy statute," said Crocker. "To the extent folks are concerned about misuse of data online and unintended consequences, the way to solve that is with a federal privacy law."

Groups like EPIC have, meanwhile, made precisely the opposite point. In its amicus brief, EPIC argues that protecting privacy is core to the CFAA and that the law was written to defend against both outside hackers and unauthorized access from insiders. EPIC points to a Senate report that was published when the CFAA was amended in 1996, which stated that the changes were designed to "increase protection for the privacy and confidentiality of consumer information." EPIC's lawyers argue it's especially important for the CFAA to hold government officials like Van Buren accountable for misusing the "vast troves" of highly sensitive personal information they have access to.

"This case concerns a police officer who abused his login credential and the public trust by accessing a record in a database filled with sensitive personal information for no other purpose than to sell it to an outsider," said Megan Iorio, counsel for EPIC. "This is the kind of behavior we think is clearly covered by the statute."

Taking the state's side in this case has made EPIC, another organization wary of police surveillance, strange bedfellows with groups like the Federal Law Enforcement Officers Association. That's not to say EPIC doesn't agree that researchers and journalists are doing important work that ought to be considered carefully under the CFAA. But it argues that the "slippery slope" argument invoked by the EFF and ACLU is weak, because Van Buren wasn't tapping into a public consumer-facing website with its terms of service hidden away in fine print. He was improperly accessing a government database. Iorio says the court could find Van Buren to be in violation of the CFAA without making broader proclamations about violations of internet terms of service. "The Van Buren case doesn't require figuring out all the nuanced ways the CFAA applies in the internet context because it's not internet-based," she said.

Instead, she believes concerns about research and journalism are better handled through another case called LinkedIn v. hiQ. In that case, hiQ was scraping public LinkedIn data to make its own HR tool. When LinkedIn found out, it slapped hiQ with a cease and desist letter. HiQ filed suit to prevent LinkedIn from taking legal action under the CFAA. A court in that case said that hiQ's scraping of public data from LinkedIn didn't violate the law, but LinkedIn has since petitioned the Supreme Court to take up the case. That case has also divided the privacy community, with EPIC taking LinkedIn's side in the name of protecting internet users' data and the EFF taking hiQ's in the name of protecting researchers and journalists who scrape public data in the course of their work.

Whether the court decides to hear that case will likely depend a lot on the decision in Van Buren, which could have downstream consequences for that case — and so many others in the future.

Fintech

Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep Reading Show less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep Reading Show less
FTA
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.
Enterprise

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep Reading Show less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep Reading Show less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.

Enterprise

Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep Reading Show less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories
Bulletins