The Supreme Court will finally rule on controversial US hacking law:
The Supreme Court on Monday considered how broadly to interpret the Computer Fraud and Abuse Act, America's main anti-hacking statute.
Here's how I described the case back in September:
The case arose after a Georgia police officer named Nathan Van Buren was caught taking a bribe to look up confidential information in a police database. The man paying the bribe had met a woman at a strip club and wanted to confirm that she was not an undercover cop before pursuing a sexual—and presumably commercial—relationship with her.
Unfortunately for Van Buren, the other man was working with the FBI, which arrested Van Buren and charged him with a violation of the CFAA. The CFAA prohibits gaining unauthorized access to a computer system—in other words, hacking—but also prohibits "exceeding authorized access" to obtain data. Prosecutors argued that Van Buren "exceeded authorized access" when he looked up information about the woman from the strip club.
But lawyers for Van Buren disputed that. They argued that his police login credentials authorized him to access any data in the database. Offering confidential information in exchange for a bribe may have been contrary to department policy and state law, they argued, but it didn't "exceed authorized access" as far as the CFAA goes.
Obviously, no one is going to defend a cop allegedly accepting bribes to reveal confidential government information. But the case matters because the CFAA has been invoked in prosecutions of more sympathetic defendants. For example, prosecutors used the CFAA to prosecute Aaron Swartz for scraping academic papers from the JSTOR database. They also prosecuted a small company that used automated scraping software to purchase and resell blocks of tickets from the TicketMaster website.
The CFAA allows for civil as well as criminal penalties. For example, LinkedIn sued a small data-analytics company for scraping data from its website. Last year, the 9th Circuit Appeals Court rejected the lawsuit, holding that the CFAA was intended to address computer hacking, not conduct that merely violated a site's terms of service.
In short, the core issue in the case was when—if ever—violating the terms of use of a website or other computer system can lead to legal trouble. While the CFAA has been on the books since the 1980s, the nation's highest court has never addressed the question.
On Monday, the court's nine justices seemed to have a range of views on the question. Some seemed ready to accept the government's broad reading of the statute, while others worried that doing so could criminalize a lot of innocuous online activity.
Related Stories
Supreme Court reins in definition of crime under controversial hacking law:
The Supreme Court issued a ruling Thursday that imposes a limit on what counts as a crime under the Computer Fraud and Abuse Act (CFAA).
The case involves a former Georgia police sergeant who "used his own, valid credentials" to get information about a license plate number from a law enforcement database, the court decision said. The sergeant ran the search in exchange for money and for non-law enforcement purposes, violating a department policy. He was charged with a felony under the CFAA, which says it's a crime when someone "intentionally accesses a computer without authorization or exceeds authorized access." He was convicted and sentenced to 18 months in prison in May 2018.
A federal appeals court upheld the conviction, but the Supreme Court reversed it today in a 6-3 decision that said Van Buren did not violate the CFAA. Justices found that the cybersecurity statute does not make it a crime to obtain information from a computer when the person has authorized access to that machine, even if the person has "improper motives."
The court wrote:
(Score: 2) by krishnoid on Monday December 07 2020, @05:16AM (13 children)
Any guesses as to how our newly- and recently-minted justices will vote?
(Score: -1, Offtopic) by Anonymous Coward on Monday December 07 2020, @05:29AM (1 child)
God's will.
(Score: 0) by Anonymous Coward on Monday December 07 2020, @07:49AM
I don't know what God thinks about computer fraud, so I will wait for the SCOTUS decision.
(Score: 2, Informative) by Anonymous Coward on Monday December 07 2020, @06:38AM (6 children)
I'm guessing that the court will definitely rule on this case.
You could listen to the oral argument yourself [c-span.org] and make up your own mind about that.
And Lawfare [lawfareblog.com] gives much better background and detail on the case than the Ars article used as TFA.
(Score: 0) by Anonymous Coward on Monday December 07 2020, @06:56AM
I'd note that the Lawfare [lawfareblog.com] piece summarizes the oral argument as well.
(Score: 1) by hemocyanin on Monday December 07 2020, @07:47AM (4 children)
There was oral argument, meaning the court accepted the appeal, which means it must issue a decision.
(Score: 0) by Anonymous Coward on Monday December 07 2020, @07:58AM (3 children)
Wow. Ya think? I must've "guessed" right then.
Sigh.
(Score: 0) by Anonymous Coward on Monday December 07 2020, @04:10PM (2 children)
If you knew that, why would you BET they would rule on it? Betting is something done when an outcome has some probability but lacks certainty.
(Score: 0) by Anonymous Coward on Monday December 07 2020, @10:39PM
I was replying (with snark) to this comment [soylentnews.org].
Hell, I even quoted it in my reply. Geez, Louise!
You folks aren't so bright are you? More's the pity.
(Score: 2) by meustrus on Wednesday December 09 2020, @04:34PM
FTFY
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 0) by Anonymous Coward on Monday December 07 2020, @02:02PM
the good way?
(Score: 1) by agr on Monday December 07 2020, @03:27PM (2 children)
Justice Gorsuch berated the government for even bringing this case, given the Supreme Court's recent refusals to accept over-broad interpretations of federal criminal laws:
(Score: 2) by The Mighty Buzzard on Monday December 07 2020, @04:14PM (1 child)
Better legal minds than you and I have been completely poleaxed by assuming they knew how a Justice would vote based on their questions during oral arguments.
My rights don't end where your fear begins.
(Score: 1) by agr on Monday December 07 2020, @05:47PM
>Better legal minds than you and I have been completely poleaxed by assuming they knew how a Justice would vote based on their questions during oral arguments.
It is rare to see a justice suggest their disapproval so clearly, and Gorsuch's other questions were unfavorable to the government too. But, of course, we will get to see how he votes soon enough.
(Score: 1) by fustakrakich on Monday December 07 2020, @06:42AM (15 children)
Did he do it while off hours? Or is he supposed to get orders from the boss before touching the machine? If so, can't they use the CFAA?
Politics and criminals are the same thing..
(Score: 0) by Anonymous Coward on Monday December 07 2020, @06:57AM (11 children)
> The case arose after a Georgia police officer named Nathan Van Buren was caught taking a bribe to look up confidential information in a police database.
(Score: 3, Interesting) by FatPhil on Monday December 07 2020, @09:45AM (10 children)
For example, from the lawfare blog link above:
"""
But what if my employer says not to use my email for personal purposes and I do, asks Breyer. Feigen responds that there is a second limiting feature in the statute. If an employee has been specifically, individually authorized to use a computer, the term “use” also limits the scope of the statute. It requires the user to do something he couldn’t otherwise do, because the CFAA refers separately to using the computer and using one’s access. That means that “using the access” must be narrower, but § 1030(a)(2)(C) says you have to use the access in order to violate the statute. So if you use your computer to email a friend to schedule lunch, something you could have done from your phone, you’ve “used the computer” but not “used the access.”
"""
I don't believe that you can use the computer that your employer has given you restricted access to without using the authorisation that the employer has given you to use that computer. If you open a locked door with a key and go through it you can't say "I was using the door, but not the key".
However, another little gem in that write-up is the following:
"""
One would not say, for example, that a museum requires authorization when it just requires visitors to put a name on a sign-up sheet. Services like Facebook that will give an account to anyone are not authorization-based systems.
"""
So - has he just declared open season on hacking facebook, as this statute does not apply? (Of course, other statutes might, see, erm, this case for an example of one.)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2, Interesting) by Anonymous Coward on Monday December 07 2020, @11:20AM (5 children)
I read through the summary on Lawfare *and* listened to the oral argument, which gives some extra detail.
From the perspective of *this* case, it seems the defendant certainly *misused* the access he had, with the question being whether or not that misuse constituted exceeding his authorization to access the database, hence being a violation of the CFAA (USC1030 [cornell.edu](a)(2)(c)).
Chief Justice Roberts asked about the precedent of Musacchio v. United States, he notes, the Supreme Court interpreted (a)(2)(C) as “provid[ing] two ways of committing the crime of improperly accessing a protected computer: obtaining access without authorization, and obtaining access with authorization but then using that access improperly.”
I thought the defendant's lawyer was pretty weak in responding to that. What's more, the argument about a "parade of horribles" (cases where the use of CFAA would constitute an impermissible overreach on the part of the government) seemed really forced as well.
I think Justice Barrett was on the right track asking about the *scope* of the defendant's (a cop) authorization to access data from a license plate/auto registration database. The defendant certainly had authorization to access not just the database, but all the data in that database. However, that access/authorization was contingent on it being used for official police business.
As the government's lawyer put it (paraphrasing), if a cashier at a store is authorized to make change from a cash register, it doesn't necessarily follow that the cashier can then do as they wish with any cash in the cash register.
The analogy is a little strained, but I think it makes the point about scope of authorization.
While it's clear that in *this particular case*, the defendant clearly exceeded his authorization (in using the database for non-official purposes -- e.g., taking a bribe to gather information) and misused his access, which can certainly be *reasonably* argued to be a violation of the CFAA.
That said, the broader question raised is whether or not the CFAA can be used to prosecute folks who exceed their authorization in other, less clear-cut circumstances (cf. Aaron Swartz). [wikipedia.org]
If the goal were to restrict those sorts of prosecutions, this is a really poor case to use for that purpose.
As such, I suspect that the court will uphold Van Buren's (the defendant) conviction under the CFAA, and we'll just have to trust that the government won't prosecute kids, if and when their parents tell them "don’t use your computer to go on Facebook" and they do.
Or not. It will be interesting to read the opinion(s) when it's released.
(Score: 0) by Anonymous Coward on Monday December 07 2020, @10:59PM (4 children)
That analogy is actually very illustrative, but in the opposite way that you intended, I think. If a cashier decided to use their access to the cash register to steal the cash, they'd be charged with theft of the cash. They wouldn't be charged with trespassing or breaking and entering because they opened the cash drawer.
(Score: -1, Offtopic) by Anonymous Coward on Monday December 07 2020, @11:59PM (3 children)
I didn't "intend" it in any particular way. Rather, I paraphrased the *government lawyer's* analogy in an effort to elucidate the *government's* claims, not my own. My name isn't Feigen and I don't work in the Solicitor General's [justice.gov] office.
Well done. Do you always assume that those who paraphrase or quote others are the authors of such statements?
If so, here's another one for you, "Four score and seven years ago our forefathers brought forth a new nation, conceived in liberty and dedicated to the proposition that all men are created equal. Now we are engaged in a great civil war, testing whether that nation, or any nation so conceived, and so dedicated, can long endure."
By your logic, either I wrote the Gettysburg Address or I am, in fact, Abraham Lincoln. Yay me! Please.
Thanks for playing!
(Score: 0) by Anonymous Coward on Tuesday December 08 2020, @09:39AM (1 child)
Wow, talk about missing the point.
(Score: 0) by Anonymous Coward on Tuesday December 08 2020, @12:32PM
If you get near one, make it.
(Score: 2) by FatPhil on Wednesday December 09 2020, @09:18AM
Other A/C is right. I think it's a terrible example that shows that *other laws* cover the subsequent wrongs.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: -1, Redundant) by Anonymous Coward on Monday December 07 2020, @05:27PM (1 child)
Laws aren't written in standard American English. They're written in legalese, a mix of English, archaic English, English legal jargon, and Latin legal jargon.
(Score: 2) by FatPhil on Wednesday December 09 2020, @09:21AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2, Interesting) by VLM on Monday December 07 2020, @06:02PM (1 child)
You're talking about "illegitimate access" but the law title literally contains the word fraud, which is "intentional deception to secure unfair or unlawful gain"
It's trivial to obtain legitimate access to the accounting server, especially if you're an accountant or CEO, but trivial to use that legit access to commit all kinds of stock fraud.
The intentional deception would be pretending to use a "work only" database for "work" despite it being some personal issue. The unlawful gain would be getting intel on some rando citizen that's supposed to be private. Seems the cop is pretty much screwed.
Now it could be a crap law mis-titled to be about fraud but actually enforcing "legitimate access" type stuff. You could write a shit law titled "The anti-burglary act of 2021" with the contents instead enforcing the ban on lead additives in gasoline, then selling leaded gas would be all kinds of illegal environmental stuff under a poorly named law, despite not actually being burglary.
(Score: 1, Informative) by Anonymous Coward on Monday December 07 2020, @10:48PM
It's the Computer Fraud and Abuse Act [cornell.edu]:
For goodness sake, VLM, are those Nazi tattoos all over your face rotting your brain.
(Score: 2) by sjames on Tuesday December 08 2020, @01:31AM (2 children)
Because there's an important difference between gaining access you were never granted vs. using access you were granted in a manner contrary to policy.
Otherwise, you are guilty of "hacking" (a felony) if you access a public web page and ignore (or don't even know) the terms of service.
(Score: 2) by FatPhil on Wednesday December 09 2020, @09:29AM (1 child)
Despite the fact that all you did was issue a polite request to the server for the directory, the server works out if you should be given the directory listing, deciding yes, and then serving you the directory listing.
Can I have a cake? Yes, here it is, enjoy. Thanks! HE STOLE MY CAKE, WAH WAH WAH!!!
Sounds absurd, no, but even the absurd is possible /on a computer/.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by sjames on Wednesday December 09 2020, @06:59PM
There have indeed been a number of prosecutorial overreaches in order to pile on charges or to manufacture a crime where none existed. I'd like to think that a Supreme Court review might get rid of at least some of that, but I'm not holding my breath.
(Score: 0, Insightful) by Anonymous Coward on Monday December 07 2020, @07:47AM (2 children)
send the stupid law back to the idiots who wrote it, and ask them to define "exceed authorized access" properly.
(Score: 3, Touché) by Dr Spin on Monday December 07 2020, @10:08AM (1 child)
> send the stupid law back to the idiots who wrote it
Madness is when you do the same thing again and expect different results.
The whole point of "Dimocracy" is that it is government of the dim, by the dim, for the dim. I thought that was obvious by now.
Warning: Opening your mouth may invalidate your brain!
(Score: 3, Funny) by The Mighty Buzzard on Monday December 07 2020, @04:36PM
Indeed, which is why today I'm formally announcing my campaign for hereditary Emperor, Sovereign of Fishes, and Assface in Chief of North America. And since I have no descendants, I'm adopting aristarchus and chromas and declaring whoever catches the largest catfish on rod and reel before my untimely passing shall succeed me.
My rights don't end where your fear begins.
(Score: 3, Interesting) by legont on Monday December 07 2020, @01:48PM (3 children)
My employer prohibits me to email our internal documents to my home email or any other ways to take them out for that matter. The document that describes my benefits is marked internal. Not on the document mind you, as it is not, but by the system that filters email. There is an easy hack to go around - just save the document locally and change; then the system will not flag it. It is obviously a hack. It is explicitly described in the policy as "don't do it".
I went to the manager of the system who oversees this security measure and asked him how I could get the document home because it is obvious I have the right to. He told me to save it locally and email as I evidently have the right. He told me that the system he is managing is "not 100% right, unfortunately". A bud, you know...
What will happen if I use the document as an evidence in a law suit involving me and the company?
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 2) by Dr Spin on Monday December 07 2020, @03:30PM
> What will happen if I use the document as an evidence in a law suit involving me and the company?
A horde of Ninjas will suddenly ride towards you on phantom unicorns and ... ^&%$*..
Warning: Opening your mouth may invalidate your brain!
(Score: 1) by hemocyanin on Monday December 07 2020, @04:19PM (1 child)
Can you print it out at work? That is within your access privileges unless they don't allow printing or provide one. Then take the printed copy home. Whether taking the printed copy home breaks their rules may be true, but you didn't use a computer to get it to your home.
Don't know if that would work but it's an argument against the crime this case is about. Maybe. .... probably not.
(Score: 2) by FatPhil on Wednesday December 09 2020, @09:32AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Monday December 07 2020, @10:15PM
Seems like if the lawyers and the court need a professional to explain to them how a computer crime was committed; then it probably is somewhere in the, 'computer cracking,' vicinity. Anything else, is just an unlawful entry/access/use or just a plain old stealing type of thing.
As far as I can tell, you probably don't even need a whole separate law relegated to, 'computer crimes'. Just apply existing law to its digital counterpart. ie; destruction of property, theft, unlawful entry, etc.. etc.. Probably only a few handful of cases where new legislation is required for specific computer mediated malicious activity is involved.
Maybe the U.S. government is just too antiquated to deal with the modern world anymore... I dunno... If you asked me if something was computer, 'cracking,' or not computer, 'cracking,' I'd probably be able to tell you pretty easily; and I'm no expert..
(Score: 2) by meustrus on Monday December 07 2020, @11:37PM (3 children)
This right here is the point. The crime here is that bribery happened, not that a database was used incorrectly. Would it be a special crime to use your own key to read a list of undercover agents kept in a locked box? No, that would be silly.
The problem though is that the FBI doesn't have jurisdiction to go after police bribery. They have jurisdiction to go after computer hacking. So even though the real crime is bribery, they can only take the computer hacking to federal court.
The solution is that this FBI/state jurisdiction battle needs to be settled. It is frankly ridiculous that police in this country are either nominally accountable to local voters but cut off from their professional community, or big government goons with the resources and scope to actually go after modern crimes.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 2) by choose another one on Tuesday December 08 2020, @08:58AM
> The problem though is that the FBI doesn't have jurisdiction to go after police bribery.
If that is the case, WTF were the FBI doing setting up a bribery sting? Or if it wasn't a setup/sting, WTF was it?
(Score: 2) by FatPhil on Wednesday December 09 2020, @09:46AM (1 child)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by meustrus on Wednesday December 09 2020, @04:31PM
> I don't see why that should affect things, the law treats intentions as concrete things that can be evaluated post hoc all the time.
That's a pretense and everyone knows it. Yes, it is more heinous to break into someone's home intending to murder them than it is to break into their home to steal something and then incidentally killing them to escape, and the only difference there is intent.
But that's a necessary difference, and it is loud. You can prove it to an extent, like if the murder weapon belonged to the killer or if it was grabbed in haste at the scene of the crime, or if the killer was really prepared for a full scale burglary and not just a quick assassination.
How do you prove what is in a detective's head when they access the database? What if they're studying past cases that seem completely unrelated, trying to jog their memory or see patterns, or looking for hidden criminal connections?
And there will always be times that a query might be "relevant to a pressing current case", but the information is still useful when it's leaked to a third party. It might not have counted as "unauthorized access" if the officer was directly involved in undercover operations on a daily basis, but it would be no less wrong to do what he did. Why tie your law enforcement to standards that fall apart in actual crimes?
I appreciate that somebody is running anti-bribery stings on local cops, but this just is not an effective way to do that. It's also problematic for sure, but I think its lack of effectiveness is more troubling (to the side that needs convincing, i.e. the feds).
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?