Login | July 15, 2020

SCOTUS to look at hacking law

Technology for Lawyers

Published: June 5, 2020

Terms of Service (TOS) are generally construed as a private contract between the online purveyor and the individual singing up for the online service—whatever it may be. Nobody reads them—except maybe a benighted few who really like to torture themselves.
But the oldest federal computer hacking law on the books has been used on numerous occasions to impose criminal process for an individual violation of terms of service, even though the Department of Justice has guidance to not do that. Circuits have been split on whether or not this is appropriate behavior on the part of the DOJ. And now, finally, the US Supreme Court is going to get involved.
The statute is the Computer Fraud and Abuse Act (CFAA), which became law just as the public internet was beginning in 1986. Computer security professionals, for the most part, want several parts of that law updated (or overturned), because computer laws from 1986 are out of date by definition, and a particular application of this law on the criminal side has consequences that they argue far exceed the original intentions of the law because of the change in tech in the ensuing decades since it was passed.
Now Nathan Van Buren has been granted cert by the Supremes (as of Aoril 20) to try to get his case overturned. He is a former police officer who was found guilty of a violation of CFAA when he accessed a data base which he had authority to access and then illegally sold that information.
But Van Buren didn’t actually hack anything—he just used information in a way that was unauthorized by the provider. And Van Buren is not the only person who has faced criminal charges under the CFAA for misusing data that was acquired legitimately.
Now the Supreme Court will decide if that application of the CFAA is overbroad. Van Buren is represented by Jeffrey L. Fisher, who has successfully argued two prior cases limiting the police’s use of technology.
The misuse of legally obtained data is not hacking—and yet, the DOJ, even going against its own guidelines—prosecutes it. This is a Pandora’s box that no security expert wants opened—or wants to have stay open.
But SCOTUS will have the final say on whether this loophole is finally closed. Stay tuned.