Supreme Court To Decide Scope of Federal Hacking Law

For more than 30 years, the federal computer hacking statute has been used by companies to sue employees (and former employees), competitors and even customers and users who violate their rules on the use of computers, computer databases and data gleaned from computers. In the next few weeks, the U.S. Supreme Court will decide whether these lawsuits (and criminal prosecutions) are what Congress intended when it passed the hacking law in the early 1980s.

At issue is the concept of “exceeding authorization to access” a computer – a vague and ambiguous term used in the statute to criminally prosecute hackers who, although marginally “authorized” to use a computer or service, extend that authorization to do things like destroy data, perpetuate viruses or steal personal information.

The same language, however, has been used by employers to sue departing employees who use their legitimate user IDs and passwords (authorized access) to download things like customer data, client contacts or other information that they intend to use to (allegedly) improperly compete with their employer – or to “exceed” their authorization with respect to the data. The hacking law has also been used by companies to enforce restrictions on the use of otherwise “public” data on their websites – such as price comparisons by consumers or third parties, data “scraping” of useful information which is then represented by the competitor or simply violating a company’s terms of service or terms of use.

While any of these things might be actionable (as, say, unfair competition, trespass to chattels, breach of contract), companies have turned to the hacking law’s provisions to get compound damages, injunctive relief and most importantly, to get into federal court.

The Supreme Court is poised to decide whether this is what Congress intended in the early ’80s.

The statute, the Computer Fraud and Abuse Act (CFAA), Title 18 USC 1030, was passed in 1984 to fill a gap in then-existing law, and has been amended several times since then. If you “broke into” a home, an office or a business, you were guilty of burglary and trespass. If you “stole” documents or “damaged” property, you could also be prosecuted for theft or destruction. But with computers (and dial-up modems) the concepts of “trespass” and “burglary” and even of “theft” or “damage” were imperfect analogies.

At the end of the day, what we call “computer crimes” are, in reality, crimes against information – its confidentiality, its availability and its integrity. Unlike the theft of a car or a horse, when data is “stolen,” it is still where it belongs. When digital data is “damaged,” it may simply be locked or inaccessible. When a computer system is “damaged,” the hardware and software may be functioning perfectly well. So Congress, first in 1984 and again in 1986 and other times subsequently, attempted to “fill the gap” created by the new technology and passed a comprehensive but imperfect computer crime law.

The computer crime law focused on several types of possible mischief: computer “trespass”; theft of certain classes of protected information (e.g., national security information, federal banking and credit information, trade secrets); damage and destruction of computers, networks and databases (viruses, worms, denial of service and disruption); and trafficking in “counterfeit access devices” – stolen passwords, tokens, etc. The statute was modified to cover not simply “unauthorized access” to computers or databases, but also “exceeding authorization” to access a computer.

Another modification expanded the scope of the types of information protected under the computer crime law to include “any information” on a computer. The statute has both criminal and civil provisions. Under the criminal provisions, a United States Attorney may prosecute violations of the law either as a misdemeanor (trespass) or a felony (theft, damage, destruction), although some misdemeanors become felonies depending on the circumstances (e.g., “trespass” with intent to commit tortious conduct – including the “tort” of trespass). In one famous case, a woman was prosecuted under the felony provisions of the statute for creating a MySpace page under a fictitious name (in violation of MySpace’s rules) to harass her daughter’s estranged friend (who ultimately committed suicide). The government’s theory, in that case, was that the defendant’s “access” to MySpace “exceeded authorization,” since the rules required users to provide “accurate” information when opening an account. One of the results of the changes in the hacking law is that people who simply violate the terms of an online agreement – a Terms of Service, a Terms of Use, a privacy policy, an Acceptable Use Policy, a Software License Agreement or even employment agreements or HR policies – run the risk that this “violation” renders their “access” to the computers, databases, networks or data either “unauthorized” or “exceeding authorization.”

In addition, the federal computer crime law, while written as a criminal statute, also includes a so-called private right of action. This means that individuals can sue others for exceeding their authorization to access (use) computers or electronic data. And they have. In one case, employees of executive search firm Korn Ferry left the company, but not before they downloaded data they thought might be useful in their future endeavors. The prosecutors alleged that the employees exceeded their authorization to access Korn Ferry’s computers in order to obtain information – a felony under the statute. The federal appeals court in California noted that “The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. … If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions — which may well include everyone who uses a computer — we would expect it to use language better suited to that purpose.” In another case, the statute was used in a civil context against a company that “scraped” public data from LinkedIn in a way that violated LinkedIn’s online agreement prohibiting such online scraping.

It’s not clear that this is what Congress intended when it passed an anti-hacking law.

In the case to be decided by the Supreme Court, a Georgia police officer, using his own credentials, accessed the Georgia online police database, not as specified in the user agreement “for authorized law enforcement purposes,” but to look up criminal records and rap sheets for people he was paid by a third party to look up. Clearly a violation of policy, and maybe prosecutable under some law, but is it “hacking?”

While the police officer’s access to the database was both lawful and authorized, it was his subsequent use and dissemination of the data obtained as a result of the lawful access that was prohibited. The court will look to the language and history of the statute, its purpose and intent, and may give the law either an expansive or restrictive interpretation. If the high court rules expansively, then virtually any violation of an agreement that involves electronic data, network access or online databases can be the subject of a CFAA lawsuit or criminal prosecution. A company’s “acceptable use” policy which prohibits “abusive” language in emails can be used to sue an employee for hacking when they “exceed [their] authorization to access [use]” the email system in violation of the policy. Companies that are granted access to cloud services, databases or networks but agree on how they will use or secure that data are not only subject to breach-of-contract damages if they fail to live up to their contractual obligations, but can be sued or prosecuted for hacking. And users of social media who run afoul of policies face not only “Facebook jail,” but real jail as well.

The case is United States v. Van Buren, Supreme Court Dkt. No. 18-12024 and was argued before the high court Nov. 30. As the court’s term ends at the end of June or early July, we can expect a ruling before then.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
