The CFAA will soon have its day before the Supreme Court
The future of a long-controversial federal law could come down to how the U.S. Supreme Court interprets the way that a local police officer looked up information on an exotic dancer in a law enforcement database.
The Supreme Court indicated on Monday it will hear a case involving the U.S. Computer Fraud and Abuse Act, a piece of legislation instituted in 1986 that internet freedom advocates have described as “the worst law in technology.”
The CFAA makes it illegal for computer users to access another computer or exceed authorized access without permission. Technologists and attorneys have argued that the law is so vaguely-worded that it could open well-intentioned security researchers up to prosecution for doing their job, or criminalize the use of work computers for personal purposes. In the best known case, internet pioneer Aaron Swartz took his own life before standing trial for allegedly downloading articles from a database of academic journals, an alleged CFAA violation punishable by 35 years in prison.
The Supreme Court has agreed to make a ruling on the CFAA as lower courts remain split on the definition of the law, the legal scholar Orin Kerr wrote in a recent column. At the crux of the issue is the definition of what is restricted. Recent rulings are split on whether a defendant is guilty of violating the CFAA when they behave outside what’s allowed under a written “Terms of Service” policy, or if access only is unauthorized when an individual bypasses technical constraints, such as a password or by hacking a website, Kerr wrote.
“The split is clear and acknowledged, and it’s crazy important,” he wrote. “The CFAA either makes more people or very few people criminals.”
The Supreme Court will weigh whether to limit the type of behavior that can be prosecuted under the law when its next term is scheduled to begin in October. The case involves Nathan Van Buren, a former Georgia police officer, who was convicted of violating the CFAA by searching police records on behalf of an acquaintance. A Georgia court convicted Van Buren in 2017 after a man paid him $6,000 to search through a law enforcement database on his behalf.
The other man, Andrew Albo, was working undercover for the FBI, and told Van Buren he was trying to learn if a local stripper was working as an undercover cop.
Van Buren has argued that, as a police officer, he had permission to search the license plate database.
Other notable cases involving CFAA are LinkedIn v. hiQ Labs, in which the social media company argued that a startup violated CFAA by scraping LinkedIn users’ public data, and U.S. v. Matthew Keys. In the latter case, Keys, a reporter, was sentenced to two years in prison for giving hackers his username and password. The group then published a fake news story on Keys’s former employer’s website.
“This law was written before the internet became what it is,” defense attorney Tor Ekeland, an outspoken CFAA critic who represented Keys said during a recent interview. “The other big issue is the draconian sentences that these statutes allow. It’s disproportionate to the actual harm influence in, I think, every case I’ve ever worked on.”