The United States Supreme Court has indicated that it will finally solve a problem that has been causing legal problems for almost two decades: What exactly is authorized computing?
If a person is allowed to use a computer – for example, to access a database – is this a full authorization and can they use it as long as they continue to use their existing ID? Or does it depend on the circumstances? Can a person’s consent depend on the terms of the application?
The question may seem simple, but the big problem is how the law – especially the American Computer Fraud and Abuse Act (CFAA) – sees it. After all, even if an employee can be warned or even fired for misusing his or her access to information, the CFAA makes it a criminal offence to do so. People can go to prison if they don’t meet the right conditions.
The specific case at issue here concerns former police officer Nathan Van Buren, who was convicted by the CFAA in 2017 for initiating a computer search on a disk. Van Buren had given permission for access to the police database, but in this case he performed a license check for cash.
The complete information is summarised: Van Buren needed the money and offered to do the numbers of a stripper named Albo. Albo went to the local sheriff’s office, who contacted the FBI, and they organized a bite check, where Albo got a fake license, which she gave to Van Buren. She said she wanted to know if it belonged to the clothing manager who tried to arrest her for prostitution. She gave money to Van Buren, and he checked the number.
Van Buren was arrested for violating the CFAA. But Van Buren’s lawyers argued in court that as a police officer he was authorised to use the system and that this access could not be unauthorised, regardless of the reason for the search.
In other words, he could have been prosecuted for taking money from a stripper for a license plate – clearly unethical behavior – but he could not have been convicted by the CFAA.
He was charged with two charges: For-profit computer fraud (ABCP violation) and honest service fraud and ABCP violation. He was convicted on both counts and sentenced to 18 months imprisonment and two years parole. He appealed and the fairness department’s complaint was withdrawn, but the charge of computer fraud was not filed by the CFAA. So it could be the perfect test.
Lawyers and lawyers have been fighting for authorised and unauthorised use ever since the introduction of the CFAA in 1986. With the advent of the Internet, however, the problem has become 100 times more important.
Relax, hacking the fine print on a website does not make you a criminal hacker, says an American Cyberlaw judge.
The case is currently before the Supreme Court, as other appeal courts have had to rule on similar cases and have given different interpretations. In 2011, the Eleventh Circuit ruled that a violation of the written restriction made such access in the Van Buren case inadmissible.
But the second and ninth circles have since rejected this argument, mainly because it would turn millions of potential criminals into criminals by not respecting the conditions of hundreds of different companies.
For example: A law professor at the University of Berkeley, Orin Kerr, has argued that when the CFAA is used to enforce the terms of service, he is guilty of criminal behavior because he has given Facebook a bad place for him, a violation of the terms of the social media giant above us. And every time he logs in, he commits a new crime.
Van Buren is clean enough for the Supreme Court in the sense that legal issues are dealt with properly. He was accused of violating the CFAA, convicted – by a jury – and that conviction was upheld. But now his whole proposal is based on this interpretation of the CFAA.
And there are other courts of appeal that have made it clear that they do not agree with the interpretation. In addition, it is, of course, of great importance and importance to the public, since it influences the behaviour of almost all citizens on a daily basis.
No strong arguments
The government is afraid of losing the Supreme Court as this will lead to immediate appeals for all those convicted under the CFAA’s current interpretation.
And to open Pandora’s box a little wider: A change in the way the CFAA operates will affect one of the most controversial cases in which it has been used – the prosecution of Aaron Schwartz for downloading millions of scientific articles.
Already in 2013, MEP Zoe Lofgren (D-CA) prepared a bill that would explicitly exclude the CFAA’s terms of service because of the events surrounding Swartz. The young co-founder of RSS has aggressively pursued this aspect of the law and says he faces a fine of $1 million and up to 35 years imprisonment for his actions. When he couldn’t resist the pressure, he committed suicide.
Lofgren’s bill was defeated – allegedly thanks to Oracle’s lobbying – and they brought it back into effect in 2015, but again it came to nothing. At the time – five years ago – Lofgren stated that the CFAA was in need of reform for a long time.
Essentially, she argued, the CFAA is a law against burglary and trespassing. Unfortunately, over time we have seen how prosecutors have broadened the scope of this legislation by imposing overly severe penalties for less serious offences. It is time to reform this law in order to better deal with hackers and malicious parties and to abandon the usual computer and internet activities.
What is unusual is that a corrupt policeman and a corrupt stripper can bring Schwartz and perhaps dozens of others convicted under the CFAA government’s interpretation to justice. ®
Webcast : Build a new generation of your business in the public cloud.