On June 3, the U.S. Supreme Court issued an opinion holding that a Georgia police officer could not be prosecuted under the federal computer crime law for accessing a criminal database accessible only “for law enforcement purposes” and then selling data that he received from that database. The Court did not say that the police officer could not be prosecuted — that he did not commit abuse of authority, embezzlement, conversion or misuse of property. The 6-3 decision written by Justice Amy Coney Barrett simply found that the federal “hacking” statute, which makes it a crime to “exceed authorization to access a computer” and thereby to “obtain information” didn’t apply to what the police officer did.
The case is significant not for its impact on Officer Van Buren, but as a wholesale redefinition of the nature and extent of computer trespass. The dissenting judges, Thomas, Roberts and Alito, point to the law of property and the law of trespass to point out that what the cop did clearly exceeded authorization and would be a crime in the real (non virtual) world. If, on a “day off” from school in Chicago you give your best friend’s dad’s Ferrari 250 GT California to a valet for safekeeping, and instead the valet takes it for a joy ride, Justice Thomas opines, they have done so without permission, noting “Both the common law and statutory law have long punished those who exceed the scope of consent when using property that belongs to others.”
The problem with this analysis is simply that information is a special kind of “property.” It’s not just that it is not tangible. It’s that questions of “ownership” and “rights to use” information are extraordinarily murky and difficult to decipher. Add to that the fact that the computer crime statute, first written in 1984 and then amended several times, by its terms deals not with “use of information” without authorization but with “access without authorization” or “exceeding authorization to access a computer.” It is the access to the computer which must be unauthorized — not the subsequent use of the information gleaned from an “authorized” access.
Uncivil Litigation
The Computer Fraud and Abuse Act, 18 U.S.C. 1030 has both criminal and civil provisions. Indeed, the overwhelming majority of cases arising under the statute are civil disputes — employer/employee lawsuits, divorce cases, unfair competition cases and similar matters. These cases often hinge on what the offending party was “authorized” to do on someone’s website, or with data that was shared between parties. For example, when a group of Korn Ferry employees used their computer access to take information they could use to compete with their (soon to be former) employer, Korn Ferry sued not just for unfair competition, but also under the Computer Fraud statute, alleging that the computer access “exceeded authorization.” The Ninth Circuit Court of Appeals found that this kind of dispute was not the kind of “hacking” prohibited by the statute — presaging the Supreme Court’s ruling on Thursday.
Similarly, when data analytics firm HiQ “scraped” public data from social media site LinkedIn (in violation of LinkedIn’s written policy that prohibited such scraping) LinkedIn sent a cease and desist letter alleging that the conduct violated the computer crime statute as it “exceeded authorization” to “access” the social media site. HiQ went to federal court to clarify the issue, and the Ninth Circuit found that the actions similarly did not violate the hacking statute.
These kinds of cases are the bulk of the matters that come under the CFAA — not going after Russian hackers, botnets and ransomware purveyors. As a result, the statute becomes a tool used by civil litigants to go after competitors, abusers, employees and others — often for violating contracts, terms of service, terms of use, or even just social norms.
Mother, May I?
The real distinction between the majority in Van Buren and the dissent focuses on the question of “authorization” or “consent” to access or use a computer or computer network (or data on them). A broad interpretation of the term “exceeding authorized access” would make it both a crime and a civil action to — as Justice Thomas noted — “joyride” not only on a computer network, but to “joyride” with data gleaned from a network. The scope of “authorization” to access a computer or to use data obtained from a computer is determined principally by reference to a contract or terms of service or terms of use meaning that violating any or all of these terms potentially renders ones’ access to a computer “unauthorized.” This means that a social media user who sets up a fake profile in violation of the hosting site’s policy is now subject to civil and criminal litigation. The Supreme Court noted:
If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.
Most people’s access to computers, databases or information online are dictated by Terms of Service, Terms of Use, Software License Agreements, Acceptable Use Policies, Data Privacy and Data Security policies, or the terms of employment or access agreements. These agreements can be hundreds of pages of legalese, and contain obscure, confusing and even contradictory or ambiguous terms that dictate what you may, or may not do online. For example, an Acceptable Use Policy may prohibit the use of a computer, network, or social media account for “abusive” or “improper” purposes, or for harassment, or to post information that is false, defamatory, or otherwise prohibited. So, if you link a Facebook or Twitter post to a broadcast by Fox News about Dominion Election Systems (which is now the subject of a multi-billion dollar defamation lawsuit), there is no doubt that the social media companies can determine that the posting violates their AUP, and restrict the posting. But can they have you arrested for “exceeding your authorization to access their computer?” I mean, when you signed up for Facebook, you agreed not to post false material; Facebook determined that the material was false (a factual issue you can dispute at your criminal trial); your access to Facebook was conditioned on your adherence to the AUP; you violated the AUP; therefore, you “exceeded your authorization” to access Facebook or Twitter. The slope is mighty slippery.
In other words, the things that can land you in Facebook jail can also land you in jail. That is probably not what Congress intended in 1984. As a result, the Court narrowed the definitions of unauthorized access and exceeding authorized access to the kinds of things we think of when we think of “hacking.” Things like breaking in, cracking passwords, bypassing security, etc. You know, crimes.
Forgive Me My Trespasses
One of the problems here is that Congress, in enacting the Computer Fraud and Abuse Act, was trying to emulate online the kinds of criminal activity it saw in the real world, and to fill in gaps that made it difficult to prosecute those crimes if they occured in cyberspace. For example, a real-world “theft” involved the “taking” or “property.” Online, such “theft” may simply involve the “reading” of “information.” Not a perfect analogy. In real life, one “trespasses” when one breaks into or remains unlawfully in a place without authorization to do so (or in excess of authorization to do so). Congress tried in the CFAA to emulate this type of crime with reference to “exceeding authorization to access” a computer. But the law of trespass is itself murky — as the dissenting judges point out. Justice Thomas points out that “A person is entitled to do something only if he has a “right” to do it” and that “[e]ntitlements are necessarily circumstance dependent; a person is entitled to do something only when “proper grounds” or facts are in place.” If you don’t have permission to do something, you are not “authorized” and therefore you are trespassing. And you trespass in the real world not simply by virtue of your physical presence, but also by virtue of your authorization and your actions. If you are at a public hearing and become disruptive (or even off topic) your “authorization” to attend the meeting is expressly or impliedly revoked and you are “trespassing” — sometimes after having been asked to leave, but often not. If you sleep in a hotel lobby in violation of a “no loitering” sign, you can be arrested for trespass. If your access to a location is conditioned on a promise to do, or refrain from doing something (e.g., no eating on the subway, no weapons in a bar) then violation of those terms constitutes revocation of authorization and voila! Trespass.
So when Congress imported the law of trespass into the virtual world, in theory, they were importing this “permissions based” or “consent based” doctrine. Under this broad theory, it’s not that you are not permitted to be somewhere online — it’s that you are not permitted to be there for the purpose for which you are there, or that you are not permitted to do something you are doing there.
Problem is, there are no “walls” in cyberspace, and the rules are created and enforced on an ad hoc basis. A “permissions” based system for criminal law means that any violation of the conditions of access or use — a multipage turgid and indecipherable document — creates criminal liability. As Matthew 6:12-14 notes, “…forgive us our trespasses, as we forgive them that trespass against us, and lead us not into temptation, but deliver us from evil.”
Online trespass is at least as murky as, and often murkier than that in the real world. The lack of defined boundaries, consensus on the acceptable or “authorized” access to or use of data (particularly semi-public data) confound and confuse the question.
There Ain’t No Such Thing as Computer Crime
Which brings us to the final problem. In the early 1980’s, as we were examining the problem of computer crime and attempting to craft a statute to deal with the problem, the legal construct spoke of distinct offenses of “computer crime” and “computer related crime.” Computer crimes were crimes where the computer was the subject or target of the criminal offense — viruses, worms, denial of service and the like. Computer related (or computer assisted) crimes were those that existed in real life, but were facilitated through computers. A pump and dump securities fraud could exist in real life, but could be amplified by email or message boards.
Over time, these distinctions — and indeed the entire concept of “computer crime” — have proved illusory. What we think of as “computer crimes” are in reality “information crimes.” Crimes targeting the confidentiality, availability and integrity of information. They may be things like revenge porn (confidentiality), extortionware (confidentiality), or ransomware (availability). They may be “theft” of personal information. They may be phishing or malware. They may be denial of service or botnets. They also include things like child pornography (and sexual abuse online), cyberbullying, threats, harassment, intimidation, drug trafficking, extortion, and any kind of human enedavor. What is criminal in the real world can be facilitated and/or amplified by the virtual one. NFT’s and cryptocurrency can be stolen. Intellectual property infringed. Secrets exposed. Information exported.
But in the end, crime is crime. It’s old wine in new bottles — bottles that sometimes don’t make a perfect fit. What the Court was attempting to do is to understand how the new bottle affects the wine inside. In the area of “unauthorized access” or “exceeding authorized access” the Court was concerned that defining the crime too broadly would make criminals out of everyone. And that’s probably not what Congress intended in 1984.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.