“Under the government’s broad interpretation of the CFAA,” they wrote, “standard security research practices — such as accessing publicly available data in a manner beneficial to the public yet prohibited by the owner of the data — can be highly risky.”
Key context: The case that could decide the scope of the CFAA stems from a tawdry sting operation. In 2017, a district court convicted police officer Nathan Van Buren for using his access to the license plate database to check whether a strip club dancer was an undercover officer in return for a loan from a man who turned out to be an FBI informant. Van Buren’s lawyers argued that he hadn’t violated the CFAA’s prohibition on unauthorized computer access because he’d had legitimate access to the database as part of his job.
The U.S. Court of Appeals for the 11th Circuit upheld Van Buren’s conviction, finding that the CFAA prohibited accessing a computer for improper purposes even if the defendant was authorized to use it for other purposes. Four appeals courts have now interpreted the CFAA in this broad manner, while three have interpreted it more narrowly.
Previous CFAA rulings have generated concern about the law’s scope. In 2015, a court in California convicted the local news producer Matthew Keys on hacking charges for giving his work password to hackers who used it to deface a Los Angeles Times article. Keys, who did not conduct any hacking himself, was subsequently sentenced to two years in prison.
The most controversial CFAA case never reached a verdict. In 2011, federal prosecutors indicted the prominent internet freedom activist Aaron Swartz on hacking charges for downloading millions of journal articles using a subscription provided by MIT. Swartz, then 24, faced 35 years in prison. He died by suicide in January 2013 while awaiting trial.
A slippery slope? The justices sounded alarmed Monday about the broader reading of the CFAA.
Justice Neil Gorsuch suggested that the Van Buren case was the latest example of the government trying to broaden the scope of criminal laws in “contestable” ways.
DOJ’s argument risked “making a federal criminal of us all,” Gorsuch said.
The government lawyer, Deputy Solicitor General Eric Feigin, argued that CFAA critics’ warnings about overzealous prosecutions were baseless scare tactics. He noted that prosecutors haven’t charged anyone for browsing Instagram at work in one of the judicial circuits where an appeals court agreed with the government’s interpretation.
Feigin accused Van Buren’s lawyer, Jeffrey Fisher of Stanford University, of painting a “wild caricature of our position” with “invented cases” about CFAA overreach.
“To the extent we start to see cases like that,” he added, “that’ll give courts, including this court if necessary, the opportunity to further articulate those limits.”
But several justices appeared unpersuaded by Feigin’s argument that the court could simply pare back the law in the future if prosecutors went too far.
“You’re asking us to write definitions to narrow what could otherwise be viewed as a very broad statute, and dangerously vague,” said Justice Sonia Sotomayor.
Fisher seized on the justices’ concerns about the CFAA’s ambiguity.
“The best thing the government can say is, ‘We haven’t brought a whole bunch of these prosecutions yet,’” he said, but “they would be available under the government’s reading.”
Other questions: Several justices expressed uncertainty about the definitions of key terms in the law, such as “authorization,” and they spent a significant amount of time asking both lawyers about the meaning of the word “so” in one part of the statute.
“What is this statute talking about when it speaks of information in the computer?” Justice Samuel Alito asked Feigin at one point. “All information that somebody obtains on the web is in the computer in a sense. I have a feeling that’s not what Congress was thinking about when it adopted this [law].”
“I don’t really understand the potential scope of this statute without having an idea about exactly what all those terms mean,” Alito added.
At another point, Justice Stephen Breyer cited the history of the CFAA, which amended an existing computer-crime law that had been folded into a 1984 omnibus crime bill in response to fears sparked by the hacker film “WarGames.”
The 1984 law specifically outlawed accessing a computer for unauthorized purposes. Even though the CFAA dropped that language, Breyer suggested, “history says they didn’t mean to make a substantive change.”
In response, Fisher pointed to a congressional committee report on the CFAA that referenced a desire to clarify the law’s application.
Dating and lying: The justices also sought more clarity about the consequences that Fisher argued would result from a broad reading of the CFAA. Alito asked Fisher to explain how the CFAA would criminalize one of his example scenarios: lying about one’s weight on a dating website. Fisher responded that, by receiving interested messages from potential romantic partners based on a falsified weight, the user would be “obtaining” information from a computer in violation of the website’s terms of service — and thus also the CFAA.
Similarly, Fisher told Justice Elena Kagan, checking Instagram at work constituted obtaining words and pictures from one’s Instagram feed. And if a company prohibited social media browsing on work computers, obtaining that information would violate the CFAA by contravening the employer’s policy.
On the other hand, the justices also signaled a desire for some prohibition against abuses of workplace privileges such as the one that Van Buren committed. Alito cited the possibility of a bank employee misusing customers’ credit card numbers.
When Sotomayor asked Fisher about this, he argued that Congress could pass other laws to prevent these kinds of abuses.
“The core of the problem,” Fisher said, is that “there is no foothold in the [CFAA] to inch the statute forward to cover the conduct in this case without also covering” innocent violations of formal and informal contracts. Those could include websites’ terms-of-service agreements, employee handbooks and college course syllabi.
One pointed question came from new justice Amy Coney Barrett, who said it sounded as though Fisher was treating “authorization” as “an on/off switch”: Once someone was authorized to access a database, it wouldn’t matter, for legal purposes, how they used that access. Why, she asked, shouldn’t the court view “authorization” as inherently dependent on the purpose of the access?
Fisher responded that the CFAA didn’t explicitly say that, and given that other statutes do make those kinds of distinctions, there is good reason to believe that Congress didn’t intend to do that here.