The U.S. Supreme Court is set to hear oral argument Nov. 30 over the scope of an anti-hacking law in a case that has implications for cybersecurity research, and other situations where computer access is in question.
The case, Van Buren v. United States, involves whether people who misuse their authorized access can be held liable under the Computer Fraud and Abuse Act.
Appeals courts have split over the meaning of computer access and what counts as exceeding it. The case gives the high court the chance to clarify the law. Its decision could impact a wide range of computer use scenarios, from so-called helpful hackers to the alleged theft of company trade secrets.
“The reason this matters is every company has computer data,” said Mark Krotoski, a partner at Morgan, Lewis & Bockius LLP who previously prosecuted cyber crimes for the Justice Department. “If you have someone given access, when is that civil or criminal conduct?”
Police officer Nathan Van Buren was convicted and sentenced to 18 months in prison for using an enforcement database to look up a strip club dancer’s license plate number as a favor in exchange for a loan.
Van Buren’s petition to the Supreme Court argues that the conviction should be overturned because he was authorized to access the police database. Lawyers for the government contend that Van Buren violated the anti-hacking law by searching the database for personal gain.
The Computer Fraud and Abuse Act, enacted in 1986, has been used to bring charges for hacking, especially by foreign governments.
“That sort of thing is what the CFAA was intended to go after,” said Andrew Crocker, a senior staff attorney at the Electronic Frontier Foundation, a nonprofit focused on digital rights.
The law makes it a crime to access a computer without authorization or in excess of authorization. But the law’s language leaves room for interpretation on the definition of authorized access, Crocker said.
Federal courts have been wrestling with how to apply the law to different situations, including trade secrets claims made against departing employees who take corporate information to competitors.
The anti-hacking law also impacts cybersecurity researchers who test computer systems, with or without permission, so that they can report vulnerabilities. Those researchers worry that a broad reading of the law would expose them to civil or criminal liability.
“If someone sees something, let them say something without fear of prosecution,” said Katie Moussouris, the founder and CEO of Luta Security, a company that specializes in vulnerability disclosure and bug bounty programs.
Moussouris was one of more than a dozen security researchers who signed onto a brief in the Van Buren case that argues for a narrow reading of the anti-hacking law.
It’s not meaningful that Van Buren used a computer, rather than a file cabinet or some other system of records, said Tarah Wheeler, a a cyber fellow at Harvard University and at the think tank New America who also signed on to the brief. The Computer Fraud and Abuse Act shouldn’t apply, Wheeler said.
“If this was something other than a computer, would be we having this conversation? The answer I think is no,” Wheeler said.
The case is: Van Buren v. United States, U.S., No. 19-783, oral argument 11/30/20.