US Supreme Court appears to narrow application of hacking law

The Supreme Court today reversed a lower court's broad reading of the US's principal anti-hacking statute, in an occasionally confusing opinion mostly siding with proponents of the theory that the law criminalizes actual computer break-ins and not policy violations against accessing certain information.

In the 6-3 ruling, the court remanded the felony conviction under the Computer Fraud and Abuse Act of a former police sergeant who patrolled the Atlanta exurbs town of Cumming. A federal jury in 2017 convicted Nathan Van Buren after he accessed a state-run criminal database for an impermissible purpose: looking up the license plate of a dancer after accepting money from a local man who was working with the FBI. Van Buren was caught as part of a sting operation.

"The Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity," wrote Justice Amy Coney Barrett in the majority opinion. Justice Clarence Thomas dissented, joined by Chief Justice John Roberts and Justice Samuel Alito.

The Computer Fraud and Abuse Act, whose roots date to the mid-1980s, makes it a crime to access a computer without authorization, or to exceed authorized access. Circuit courts have split over what the exceeding-access prong means, because the statute could be read as criminalizing access that exceeds purpose-based restrictions, or as prohibiting the hacking of computing systems that begins from a place of authorization.

A number of defendants have seen the act used against them by prosecutors despite not having circumvented technical barriers to access information, instead using valid log-on credentials for a forbidden purpose. Van Buren was one such defendant. He didn’t need to hack his way into the law enforcement database because his job granted him access to it. The former police officer was also convicted of honest service fraud, but the US Court of Appeals for the Eleventh Circuit ordered a new trial on that count after finding fault with the jury instructions.

To "exceed authorized access" covers defendants "who obtain information from particular areas in the computer — such as files, folders, or databases - to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them," wrote Barrett.

"If the 'exceeds authorized access' clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals," Barrett added, echoing an argument Van Buren's attorney used during oral argument last November.

Always read the footnotes

Barrett's apparent repudiation of policy-based restrictions as grounds for criminal prosecutions under the Computer Fraud and Abuse Act isn't as straightforward as it may seem, due to a footnote that some analysts say could undermine the opinion.

Legal scholars who wanted the court to limit the law's scope urged the court to explicitly rule that defendants must have virtually trespassed into databases or files surrounded by security protections before they can be prosecuted. That would mirror the US Court of Appeals for the Ninth Circuit's 2012 formulation that "without authorization” applies to external hackers while “exceeds authorized access” applies to insider hackers.

The bulk of Barrett's opinion hews to that interpretation, said Orin Kerr, a University of California-Berkeley law professor and long-time critic of the law, in a brief interview. But the footnote on page 13 rejects Kerr's theory that conduct becomes unauthorized only when it circumvents a technological restriction, a reading Kerr dubs a “code-based” approach. Footnote 8 states that the justices need not address whether this case "turns only on technological (or 'code-based') limitations on access, or instead also looks to limits contained in contracts or policies."

It's a confusing footnote as policy-based versus technology-based is the crucible of the case and lies at the heart of whether the law applies broadly or narrowly. Buttressing a reading that Barrett ultimately comes down on the side of code-based restrictions is language coupling the act of exceeding authorized access with damage or loss to computer systems. The statute's definitions of damage and loss for civil suits focus on technological harms, such as file corruption, that unauthorized users cause to systems. Those definitions are "ill fitted" to remediating misuse of information employees may permissibly access using their computers, she wrote. "Van Buren’s situation is illustrative: His run of the license plate did not impair the 'integrity or availability' of data, nor did it otherwise harm the database system itself," Barrett added.

It's unclear what the opinion is about unless it repudiates the contract or policy-based view of the law, Kerr told MLex. He later tweeted a possible explanation: "Putting a former clerk hat on, I wouldn't be entirely surprised if FN8 was added in response to another Justice who worried that the opinion was taking on more than it needed to."

Los Angeles federal prosecutors famously used the Computer Fraud and Abuse Act to convict Lori Drew, a St. Louis mother who in 2006 cyber-bullied the 13-year-old daughter of a neighbor while using a fake MySpace profile. A California federal judge ultimately overturned a jury verdict finding that Drew committed three computer misdemeanors surrounding the teen's suicide.

The Department of Justice has sought to tamp down worries that it could use the hacking law as a cudgel, telling justices that past examples of prosecutors capitalizing on the act to go after terms-of-service violators occurred before a 2014 change to federal charging policy. Under that revision, federal attorneys informed justices, prosecutors must be prepared to prove that the defendant knowingly violated restrictions on the computer “and not merely that the defendant subsequently misused information or services that he was authorized to obtain.”

In the dissent, Thomas said the majority's reading of the law tramples on "basic principles of property law," since "it is well established that information contained in a computer is 'property.'" A technician granted access to recover data from a celebrity's crashed hard drive hasn't been granted permission to copy and leak photos found on it, he wrote. "Congress ensured protection against improper login as well as misuse after proper login," he added.