The U.S. Supreme Court may decide if someone who improperly uses their authorized computer access, such as a cop looking up a strip club dancer’s license plate as a favor, can be liable under a federal anti-hacking law.
A December petition seeks the high court's review because appeals courts are split on interpreting the Computer Fraud and Abuse Act. Some courts take a narrow view that the law covers only those who hack into or use a system without permission. Other courts take a broader position that people authorized to use computer systems, such as the police officer, can still be violators.
People who lie about their ages on dating apps or misuse Walmart’s WiFi in violation of its policy could risk being held in violation of the law under the broad view, said Andrew Crocker, a senior staff attorney at the Electronic Frontier Foundation. “This is a law intended to go after hackers and not intended to be a general law to throw at any bad act committed on a computer,” he said.
The Supreme Court hasn’t yet said if it will hear the case. But if it does, a ruling clarifying the issue would likely have broad consequences for how website owners, employers, and prosecutors can pursue criminal and civil computer hacking and fraud cases, attorneys said.
“Businesses should be looking at this, even though it’s a criminal case,” said Dawn Mertineit, a partner at Seyfarth Shaw LLP. She represents companies in commercial litigation, with a focus on noncompete and trade secrets.
Appeals courts are divided on how to interpret the provision of the 1986 law that makes it a crime to “exceed authorized access” and, thereby, obtain information from a protected computer.
The case the high court may take up involves Nathan Van Buren, a former Cumming, Ga., police sergeant who allegedly used his authorized access to a government database to search for the license plate of a dancer at a local strip club in 2015. Van Buren, who was struggling financially, did the search at the request of a man who gave him $6,000, according to his petition asking the high court to hear the case.
Van Buren, as it turns out, was set up by the FBI in a sting initiated after he approached the man for a loan and was surreptitiously recorded by him. The man shared the recording with authorities. The $6,000 payment and faux request for a license plate search were part of the sting.
A jury convicted Van Buren of one count of violating the Computer Fraud and Abuse Act, and a district court sentenced him to prison. The U.S. Court of Appeals for the Eleventh Circuit upheld the ruling. Van Buren also was convicted of one count of honest-services wire fraud, which was vacated and remanded.
Van Buren, in asking the Supreme Court to review the matter, cited the narrow and broad rulings of the appeals courts. “Reading the statute more broadly would criminalize ordinary computer use throughout the country,” he argued in his petition.
Tens of millions of Americans each March use work computers to generate brackets for NCAA basketball pools, likely in violation of employer computer policies, Van Buren’s brief said. “The answer to the question presented determines whether these employees are guilty of a felony,” he argued.
The U.S. Courts of Appeals for the First, Fifth, Seventh, and Eleventh Circuits have interpreted the provision about exceeding authorized computer access broadly. Those courts applied the law to people with authorized access to information but who may, in some cases, run afoul of terms-of-service agreements or computer-use policies.
Appeals courts for the Second, Fourth, and Ninth circuits, meanwhile, have adopted a narrower approach. District courts in other circuits also have weighed in.
The circuit split is “allowing for disparate results in different parts of the country,” said Mark Krotoski, a partner at Morgan, Lewis & Bockius LLP and former federal prosecutor at the Justice Department.
When advising clients on the law, “it’s hard to give advice that applies across all the jurisdictions,” said Jeffrey Neuburger, a partner at Proskauer Rose LLP. He noted that website owners have used the law to challenge web scraping.
Those who argue for a broad interpretation say the law is an important tool for prosecutors to crack down on bad acts committed on computers that they couldn’t otherwise go after, said Joseph Kennedy, a criminal and cybercrime law professor at the University of North Carolina School of Law.
The Department of Justice, the respondent in the case, didn’t respond to a request for comment. The government has until March 10 to file a response to Van Buren’s petition.
The Electronic Frontier Foundation, Center for Democracy & Technology, and New America’s Open Technology Institute, as well as the National Association of Criminal Defense Lawyers, submitted briefs in support of Van Buren, urging the high court to take the case.
If the high court doesn’t hear the case, it could be up to Congress to clarify the scope of the law, attorneys and legal scholars said.
The need “for uniformity and consistency are obvious,” said Ahmed Ghappour, associate law professor at Boston University School of Law and an expert in criminal law and computer security. If the high court doesn’t step in, the “path forward for uniformity is a clarifying amendment” to the law, he said.
Whether resolution comes from the Supreme Court or Congress, “The split has persisted,” Krotoski said, “and it needs to be resolved.”
The case is Van Buren v. United States, U.S., No. 19-783, petition filed 12/18/19.