Posted Tue December 1st 2020 3:05 pm by Ronald Mann
Monday’s argument in the Van Buren v. United States case was the first sustained attention the Supreme Court paid to the Computer Fraud and Abuse Act, a federal law that imposes civil and criminal liability for unauthorized access to computers . The government has continued to apply the law over the past few years, ultimately creating a confrontation where the Supreme Court has an opportunity to deal with it.
The CFAA is vague on important points, but it generally criminalizes unauthorized access to a computer and also exceeds “authorized access” to the computer. In this case the question arises, what does it mean to “transcend authorized access”, which the law defines as “access to a computer with authorization” and to use this access to obtain or change information on the computer, the authorized user is not authorized to receive or change. “A Georgia police officer, Nathan Van Buren, was authorized to search computerized license plate records for law enforcement purposes. Deceived by an FBI sting, he searched these records for private use (at the request of an FBI informant who offered him several thousand dollars for the information) Since Van Buren was not authorized to search these records for this purpose, the government was sentenced by the CFAA on the grounds that he was “not authorized to obtain these records.”
Jeffrey Fisher, who appeared on behalf of Van Buren, argued that the law does not criminalize obtaining information to which the defendant was entitled. Some of the judges openly expressed concern that exonerating Van Buren’s behavior under Fischer’s narrow reading of the statute would undermine privacy, which is particularly important in the Internet age. For example, Judge Clarence Thomas asked why we don’t need federal criminal liability when “you work for a car rental company and have access to GPS instead of using it to pinpoint the location of a car that may be missing. you use it to follow a spouse. Similarly, Justice Samuel Alito stated, “Many government employees are given access to all sorts of highly personal information that they can use to perform their duties. But when they use this for personal purposes, to make money, to protect or carry out criminal activity, to harass people they don’t like, they can do enormous harm. “
Fisher repeatedly insisted that various federal and state laws criminalize the behavior of concern, and some of the judges were clearly sympathetic to this point and essentially provided him with a platform from which to explain. Justice Sonia Sotomayor urged Fisher to confirm that even if the CFAA was narrowly read, the conduct in question could be pursued in other ways. In the same vein, Judge Neil Gorsuch suggested that he “accept[d] that there are abundant state laws that criminalize much of this behavior. Immediately after him, Judge Brett Kavanaugh noted, “One of the concerns… is government employees, or employees of financial companies, or employees of healthcare companies who have access to and then disclose very sensitive personal information. And I would appreciate if you could give us an idea of the federal laws that you believe would cover such disclosures. “Later in the argument, Alito noticed this exchange, suggesting that” this is a very difficult case “also because” I don’t really know what these statutes are “.
Another group of judges directly rejected the textual argument put forward by Eric Feigin on behalf of the government. Much of the government’s position in its briefing was based on the word “so” in the phrase “so to maintain or change”. In his argument on behalf of Van Buren, Fisher claimed that “so” falls back on the earlier clause in the law’s definition of “access to a computer with authorization” so that a defendant is not authorized to “so” obtain or change the information if He is not authorized to obtain or modify it for any purpose. In other words, as Fisher reads, it is breaking the law for a defendant to log on to a computer with permission but receive information that he was not “so” authorized to obtain using that access method. In contrast, Feigin argued that “so” applied much broader to all aspects of access – including whether a defendant was authorized to obtain the information in the particular way or for the particular purpose that he did . In this case, Van Buren was entitled to receive the information from the computer from which it was obtained, but not for the purpose for which it was obtained.
Recognizing the far-reaching liability that would arise from the government’s reading of the statute, Feigin offered a number of restrictive constructions, arguing, for example, that this only applies to particularly formal types of permits. Some of the judges found these arguments unconvincing. Sotomayor replied, “My problem is that you give definitions that restrict the statute that the statute does not have. They urge us to write definitions to narrow down what might otherwise be considered very broad and dangerously vague. “
Sotomayor then challenged Feigin’s reading of the statute directly with a hypothetical replica of Fischer’s reading of the statute. “Let me give you an example,” said Sotomayor. “Imagine a law that says anyone who drives on Elm Street and is not allowed to drive will be punished. That “driving like this” could mean to me if you’re not allowed to drive on Elm Street. But according to your theory, it could be, and could possibly be read, that if you are driving on Elm Street for an illegal purpose, you are speeding up, you are breaking the curfew law. “For Sotomayor, the many possibilities inevitably made the statute ambiguous.
Next, Justice Elena Kagan came to Sotomayor in the current argumentation regime and pushed Feigin with the same question: “Then the question is what ‘so’ means and takes up what you said Justice Sotomayor, if I understand Mr. Fischer’s argument , he says “so” means to access a computer. And you just said “so” using your account. And why should we make your previous speaker choice rather than his previous speaker choice? “
The last main subject of the argument came from Gorsuch and, to some extent, from Kavanaugh, in tones that leave little doubt about their view of the merits. For Gorsuch, this case was only “the latest … in a fairly long line of cases in recent years where the government has consistently sought to expand federal criminal justice in fairly controversial ways that this court has denied.” From that perspective, he urged Feigin to justify “why we are returning here for a rather minor state crime that is punishable under state and perhaps other federal laws”. Instead, the federal government is pursuing this behavior in a way that a disturbed Gorsuch found “remarkable” – “maybe he’ll make us all federal criminals.” When Feigin asserted himself and insisted that Van Buren’s behavior warranted federal prosecution, Gorsuch replied that he “thought that the attorney general was not just a stamp on US law firms and that some careful consideration would be given to whether or not that really is an appropriate reading of these statutes. “When offered his time minutes later, Kavanaugh signed the same position and told Feigin,” This, as Judge Gorsuch said, would be a pretty substantial extension of federal criminal liability based on a word you say we have interpret a certain way to avoid excesses. “
It is always risky to put too much emphasis on the discussion in an argument. The double problem that the government is facing here is a core group of judges who seem to believe that law enforcement is fundamentally wrong and overlaps with a group of judges who seem to think the language is way too vague is to justify the broad reach the government ascribes to it. I won’t be surprised if some of the judges accept the government’s position, but I will be surprised if a majority does.
Ronald Mann, Argument Analysis: Judges appear to be aware of the breadth of federal law on computer fraud,
SCOTUSblog (December 1, 2020, 3:05 pm), https://www.scotusblog.com/2020/12/argument-analysis-justices-seem-wary-of-breadth-of-federal-computer-fraud-statute / .