
INSIGHT: SCOTUS Can Stop Abuse of the Computer Fraud and Abuse Act

Aug. 3, 2020, 8:01 AM

Two cases before the U.S. Supreme Court put at stake the availability of the internet for business and academic research, and the ability of Americans to make informed decisions about their time, money, and politics.

The two cases are Van Buren v. United States, a criminal case out of Georgia that the court has decided to hear; and HiQ Labs, Inc. v. LinkedIn Corp., a civil case from California that the court is considering taking.

Both involve the Computer Fraud and Abuse Act (CFAA), a complex law that reads more like a restaurant menu, with elements from columns A, B, and C matched with penalties from columns D, E, and F. And among its many thorns is a section providing that anyone who “intentionally accesses a computer without authorization or [who] exceeds authorized access,” thereby obtaining “information,” may find himself or herself prosecuted for a felony.

Courts Disagree on ‘Exceeds Authorized Access’

The rub is in the words “exceeds authorized access.” The question is, what do these words mean?

The lower courts do not know. Or more accurately, they disagree. Taking the narrow interpretation, some courts hold that “exceeding authorized access” means that you “hacked” into a part of a computer system where you were not supposed to be, and saw information that you were not supposed to see. Motive and means are irrelevant.

Under other courts’ broader interpretations, these do count, and using a computer system or internet service in violation of terms of service drafted by internet providers, or agreements drafted by employers for use of internal computer systems, or notices to customers drafted by online sellers, results in actions enforceable in federal court—as civil lawsuits and criminal prosecution.

Let’s look at a terms of service agreement, or “TOS.” Such an agreement is just that—an agreement, a contract between an internet provider and its customer. It typically specifies what the customer is allowed and not allowed to do when using the service. Breach the terms, and you break the agreement. Typically, the provider’s remedy might be an action in state or county court for breach of contract, or perhaps under tort law.

With the CFAA, however, breach of the TOS might be much more. If you used your internet services for a purpose not authorized or expressly prohibited under your TOS, you exceeded your authorization. You can be sued in federal court by the provider with penalties determined by the CFAA.

Or worse, since the CFAA is both civil and criminal: You might be prosecuted by a U.S. attorney.

Under a broad interpretation, contract law is both federalized and criminalized—for internet terms of service and for all other agreements affecting access to computer systems, including employment agreements and website notices—agreements that are drafted by private entities for their own convenience and without the consideration of Congress after public notice and debate.

The Two CFAA Cases

In Van Buren, a law enforcement officer had the wrong motive when accessing his department’s computer system to search for information about someone: doing so not for his official duties, but for the benefit of an acquaintance in exchange for money. He was charged, and convicted, of having exceeded his authorization to access the department’s computer system—a felony.

In the second case, HiQ used the wrong means: scraping. In other words, HiQ accessed and downloaded information from LinkedIn’s website by automated mechanism, doing so in violation of LinkedIn’s TOS. Despite the fact that the information scraped was publicly disclosed on the website, LinkedIn sued, claiming that HiQ exceeded the authorization it granted for use of its website. The courts in California found no violation of the CFAA.

The internet is a vast infrastructure of communication and information, available to anyone with a computer and a service provider. Financial researchers, entrepreneurs, data scientists, and other professionals use the internet to access, collect and analyze information freely posted. They make financial use of this information, implement new business models, and conduct social research.

Unfortunately, the collection of this information is often prohibited by a TOS or notice posted on the website. This may be so despite the fact that the information collected was made publicly available by those who posted it; and, given the technology behind the internet and the world wide web, necessarily downloaded when viewed.

The broad interpretation of the CFAA approved by some courts can’t avoid having a chilling effect on e-commerce, an effect not intended when Congress enacted the CFAA in the 1980s. The internet, computer systems, and e-commerce have all grown since then. So too must the interpretation of the CFAA.

If Congress means civil contracts between private parties to be enforced by federal law, and particularly federal criminal law, it can amend the CFAA to say this. It is unlikely that it ever so intended, and it is unlikely that it will so amend. The Supreme Court has the opportunity to confine the CFAA to the narrow interpretation to which all criminal statutes are subject, even those with civil components.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Andrew Grosso is the principal attorney with Andrew Grosso & Associates in Washington, D.C. He is a former assistant U.S. attorney in the Criminal Divisions of both the District of Massachusetts and the Middle District of Florida, and holds Master of Science degrees in both physics and computer science. He chairs the law subcommittee of the U.S. Technology Policy Committee (USTPC) of the Association for Computing Machinery, the oldest and largest association for computing professionals in the world.

He is counsel of record for the USTPC on its amicus brief filed with the U.S. Supreme Court in Van Buren v. United States.
