Several U.S. Supreme Court justices, including some of President Donald Trump’s appointees, skeptically questioned a broad interpretation of the main federal anti-hacking law during oral arguments Monday.
The hearing represented one of the final steps in the biggest case to come before the nation’s highest court involving the Computer Fraud and Abuse Act (CFAA), written in the 1980s. The case centers on when an individual “exceeds authorized access” to a computer, as defined by that law.
The law has long held a contentious place in the cybersecurity world, where it’s viewed as hopelessly vague, outdated and overly punitive. One CFAA prosecution that drew particular criticism was that of Aaron Swartz, an internet activist who took his own life before he was scheduled to stand trial for allegedly downloading articles from an academic database, in a case where he faced decades in prison if convicted.
The case now before the Supreme Court involves defendant Nathan Van Buren, a former police officer accused of accepting a bribe to look up license plate information in a law enforcement database. Lawyers for Van Buren contended that a broad reading of the law — as enshrined by a Supreme Court ruling — would further criminalize trivial online activities. The U.S. government counters that the petitioner exaggerates the potential pitfalls of a broader reading.
Despite the reception some justices gave the idea of a less-narrow interpretation, though, their questions aren’t always a guarantee of how they’ll rule. And not all of their questions were unfavorable to the U.S. government’s position, as argued by Deputy Solicitor General Eric Feigin.
On the conservative side, Justice Neil Gorsuch — a Trump appointee — sounded the most skeptical notes about a broad ruling. Republican-appointed justices currently hold a 5-4 edge on the Supreme Court.
“This does appear to be the latest… in a rather long line of cases in recent years in which the government has consistently sought to expand federal criminal jurisdiction in pretty significantly contestable ways that this court has rejected,” said Gorsuch. “And I would have thought that the Solicitor General’s office isn’t just a rubber stamp for the U.S. Attorney’s offices, and that there would be some careful thought given as to whether this is really an appropriate reading of these statutes.”
Answered Feigin: “The kind of misconduct we have here, where a police officer tips off a criminal about something, is exactly the kind of misconduct that the statute was aimed at because the police officer is abusing his trust and has access to state and national databases.”
But some other court conservatives asked skeptical questions about the petitioner’s view. Justice Samuel Alito questioned Van Buren’s attorney Jeffrey Fisher about the number of “friend of the court” filings on the government’s side that expressed concern about what an overly narrow interpretation would mean for personal privacy.
Many government employees and some private sector workers such as bank employees have access to others’ highly personal information, and they could use that to make money, harass people or cause other kinds of damage, Alito said. “Do you think that none of this was of concern when Congress enacted this statute?”
Fisher said the answer was “no,” because Congress was focused on what was then the relatively new problem of computer hacking. Other laws, Fisher said, could cover the kinds of abuses that Alito mentioned; alternately, Congress could amend CFAA to cover them.
Ultimately, Alito said, “I find this a very difficult case to decide based on the briefs that we’ve received.”
Justices also spent significant time questioning a number of hypotheticals on the petitioner’s side that several labeled a “parade of horribles,” such as whether lying about one’s weight on a dating site would run afoul of CFAA under a broader ruling.
Feigin derided Fisher’s “imaginary avalanche of potential prosecutions,” but Fisher said the fact that the government hasn’t pursued them doesn’t mean it wouldn’t. “The best thing the government can say is we haven’t brought a whole bunch of these prosecutions — yet,” Fisher said.
Security researchers and cybersecurity companies filed briefs on the petitioner’s side of the argument, fearing that CFAA could be used to prosecute legitimate, ethical hacking of software flaws that is intended to bolster digital defenses. An array of other organizations, like the Managed Funds Association and Federal Law Enforcement Officers Association, sided with the government.
The court has until it goes on recess next summer to hand down a ruling.
Jeffrey Vagle, an assistant law professor at Georgia State University, observed what he called “the near-universal skepticism” from the justices on the government’s arguments. Vagle said Gorsuch and Justice Sonia Sotomayor were particularly concerned about a broad reading resulting in the expansion of criminal liability.
“The CFAA gives very little support for clear textual analysis, which is much of the reason for the confusion and skepticism,” Vagle said via email.
Orin Kerr, a University of California, Berkeley law professor, also picked up on the justices’ aversion toward a broad reading of CFAA.
I'd guess that the Court reverses in the end, in part based on their recent past w/ the scope of criminal statutes. Justice Alito suggested that he saw this as a hard case, and he's probably the most in general on the govt's side of crim cases.
— Orin Kerr (@OrinKerr) November 30, 2020
However, the law’s potential impact on security researchers was only “lightly addressed,” said Casey Ellis, founder and chairman of the cybersecurity company Bugcrowd and one of the signatories to a “friend of the court” brief arguing for a narrow reading of CFAA.
“Much of the hearing today was a reflection of the dramatic shifts in how computers and computer networks work between 1986 when the CFAA was first penned, and 2020,” Ellis wrote to CyberScoop. “The role of Terms of Services agreements, the difference between technical and authorized access, the need for prosecutorial protection against clearly malicious actors, and the overall ambiguity in distinguishing between ‘legal and illegal’ in modern computer systems.”
Updated, 11/30/20: Updated with commentary from outside experts.