Skip to main content

The Supreme Court pared down a controversial anti-hacking law

The Supreme Court pared down a controversial anti-hacking law

/

A ‘breathtaking amount’ of everyday computer use was at stake

Share this story

Supreme Court Releases Opinions
Photo by Anna Moneymaker/Getty Images

The Computer Fraud and Abuse Act (CFAA), a controversial anti-hacking law which bans “exceeding authorized access” on a computer system, was narrowed by the Supreme Court on Thursday in a 6-3 ruling. The court said the law shouldn’t cover people misusing systems they’re allowed to access — and that claiming otherwise would criminalize a “breathtaking amount” of everyday computer use.

The court case, Van Buren v. United States, concerns a former Georgia police officer named Nathan Van Buren. Van Buren accepted $5,000 in exchange for looking up a woman’s license plate in a police database. (The deal was actually an FBI sting operation, and the plate number was fictitious.) Because the exchange violated department rules, prosecutors said Van Buren had “exceeded access” to the system. Van Buren’s lawyers argued that whether or not he misused the database, he was authorized to access it — and therefore hadn’t violated anti-hacking laws.

Cases should be judged on gate-crashing systems, not misusing data

The Supreme Court’s majority opinion, delivered by Justice Amy Coney Barrett, concurred. It backed a “gates-up-or-down” approach to authorization: accessing parts of a system that are specifically forbidden breaks CFAA rules, but simply accessing authorized areas in an unapproved way does not.

Barrett’s opinion noted that people routinely bend or break the rules of computers and web services. “The government’s interpretation of the ‘exceeds authorized access’ clause would attach criminal penalties to a breathtaking amount of commonplace computer activity,” she wrote. “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.” The law could cover an employee who sends a personal email on a work computer, for example, or “criminalize everything from embellishing an online dating profile to using a pseudonym on Facebook.”

It could “criminalize everything from embellishing an online dating profile to using a pseudonym on Facebook”

Legal experts and civil liberties advocates broadly praised the overall ruling. “This is an important victory for civil liberties and civil rights enforcement in the digital age,” said Esha Bhandari, the American Civil Liberties Union’s Speech, Privacy, and Technology Project deputy director. Electronic Frontier Foundation staff members Aaron Mackey and Kurt Opsahl also called the decision a victory, saying the court “provided good language that should help protect researchers, investigative journalists, and others.” (Both organizations previously filed briefs supporting Van Buren.)

CFAA can be used to crack down on legitimately malicious hacking, but it’s also notoriously vague, and different charges can carry penalties of up to 5, 10, or 20 years in prison. Critics argue that this combination threatens researchers and other people who use freely accessible information in unapproved ways. Federal prosecutors can stack up intimidating charges against targets, as was the case with activist Aaron Swartz, who died by suicide in 2013 while facing prosecution. Companies can also use it to harass journalists or employees that leak documents.

The CFAA’s definition of hacking was notoriously broad

In theory, prosecutors now have to establish that users actually accessed parts of a system they were barred from entering. “I think it’s a really substantial deal,” Cornell University Law School professor James Grimmelmann tells The Verge. “It really clarifies that employees using computers disloyally is not a CFAA issue, and that blows away an enormous piece of criminal and civil use of the CFAA.” The ruling could also affect cases involving scraping, or mass-collecting publicly available data from websites.

Employees may still be guilty of other offenses, like stealing trade secrets, says Grimmelmann, and data scrapers could face CFAA charges if their activities cause a site to become inaccessible. But Van Buren raises the bar for what’s considered criminal hacking. “You get rid of a huge swathe of things that are not really high-tech, dangerous hacker crimes,” he says.

What is a gate? It’s an open question

The ruling also leaves crucial questions unanswered, though. The court’s decision didn’t ultimately rest on the law’s overall impact or validity. It focused on a dictionary definition of one word (“so”) to decide if “exceeding authorized access” should be defined like a similar ban on computer use “without authorization” — which uses the gate metaphor. And while it says violators must have bypassed some metaphorical “gate,” it doesn’t firmly define these gates. On Twitter, Berkeley Law professor and CFAA expert Orin Kerr pointed to a footnote that implies gates could be technical barriers or rules in a contract — in Kerr’s words, something as potentially broad as “do not access this computer for a bad purpose.”

“It is still an open question whether the restriction on access has to be technological or contractual,” says former EFF staff member and computer crime attorney Hanni Fakhoury. As Fakhoury notes, the ruling does say it’s not necessarily “plausible” for the CFAA to hinge on fine semantic distinctions in private contracts. “It certainly seems to me they’re uneasy about the idea that the CFAA would somehow become a tool to criminalize contractual obligations,” he concludes. But it leaves this big question for lower courts to debate — at least until another case reaches the Supreme Court.

Today’s Storystream

Feed refreshed Two hours ago Striking out

A
Andrew WebsterTwo hours ago
Looking for something to do this weekend?

Why not hang out on the couch playing video games and watching TV. It’s a good time for it, with intriguing recent releases like Return to Monkey Island, Session: Skate Sim, and the Star Wars spinoff Andor. Or you could check out some of the new anime on Netflix, including Thermae Romae Novae (pictured below), which is my personal favorite time-traveling story about bathing.


A screenshot from the Netflix anime Thermae Romae Novae.
Thermae Romae Novae.
Image: Netflix
J
Twitter
Jay PetersSep 23
Twitch’s creators SVP is leaving the company.

Constance Knight, Twitch’s senior vice president of global creators, is leaving for a new opportunity, according to Bloomberg’s Cecilia D’Anastasio. Knight shared her departure with staff on the same day Twitch announced impending cuts to how much its biggest streamers will earn from subscriptions.


T
Twitter
Tom WarrenSep 23
Has the Windows 11 2022 Update made your gaming PC stutter?

Nvidia GPU owners have been complaining of stuttering and poor frame rates with the latest Windows 11 update, but thankfully there’s a fix. Nvidia has identified an issue with its GeForce Experience overlay and the Windows 11 2022 Update (22H2). A fix is available in beta from Nvidia’s website.


A
External Link
If you’re using crash detection on the iPhone 14, invest in a really good phone mount.

Motorcycle owner Douglas Sonders has a cautionary tale in Jalopnik today about the iPhone 14’s new crash detection feature. He was riding his LiveWire One motorcycle down the West Side Highway at about 60 mph when he hit a bump, causing his iPhone 14 Pro Max to fly off its handlebar mount. Soon after, his girlfriend and parents received text messages that he had been in a horrible accident, causing several hours of panic. The phone even called the police, all because it fell off the handlebars. All thanks to crash detection.

Riding a motorcycle is very dangerous, and the last thing anyone needs is to think their loved one was in a horrible crash when they weren’t. This is obviously an edge case, but it makes me wonder what other sort of false positives we see as more phones adopt this technology.


A
External Link
Ford is running out of its own Blue Oval badges.

Running out of semiconductors is one thing, but running out of your own iconic nameplates is just downright brutal. The Wall Street Journal reports badge and nameplate shortages are impacting the automaker's popular F-series pickup lineup, delaying deliveries and causing general chaos.

Some executives are even proposing a 3D printing workaround, but they didn’t feel like the substitutes would clear the bar. All in all, it's been a dreadful summer of supply chain setbacks for Ford, leading the company to reorganize its org chart to bring some sort of relief.


E
TikTok
Spain’s Transports Urbans de Sabadell has La Bussí.

Once again, the US has fallen behind in transportation — call it the Bussí gap. A hole in our infrastructure, if you will.


J
External Link
Jay PetersSep 23
Doing more with less (extravagant holiday parties).

Sundar Pichai addressed employees’ questions about Google’s spending changes at an all-hands this week, according to CNBC.

“Maybe you were planning on hiring six more people but maybe you are going to have to do with four and how are you going to make that happen?” Pichai sent a memo to workers in July about a hiring slowdown.

In the all-hands, Google’s head of finance also asked staff to try not to go “over the top” for holiday parties.


E
External Link
Insiders made the most money off of Helium’s “People’s Network.”

Remember Helium, which was touted by The New York Times in an article entitled “Maybe There’s a Use for Crypto After All?” Not only was the company misleading people about who used it — Salesforce and Lime weren’t using it, despite what Helium said on its site — Helium disproportionately enriched insiders, Forbes reports.


J
Youtube
James VincentSep 23
Nvidia’s latest AI model generates endless 3D models.

Need to fill your video game, VR world, or project render with 3D chaff? Nvidia’s latest AI model could help. Trained on 2D images, it can churn out customizable 3D objects ready to import and tweak.

The model seems rudimentary (the renders aren’t amazing quality and seem limited in their variety), but generative AI models like this are only going to improve, speeding up work for all sorts of creative types.