Dec 2, 2020 - Technology

SCOTUS weighs the future of a major cybersecurity law

A gavel

Illustration: Eniola Odetunde/Axios

Several Supreme Court justices Monday seemed to signal that they're interested in narrowing a landmark cybersecurity law that critics have long charged is overbroad.

Why it matters: The Computer Fraud and Abuse Act of 1986 has been the basis for a number of controversial criminal cases, most infamously the prosecution of activist and hacker Aaron Swartz, who committed suicide while awaiting trial after downloading a large number of academic articles. Narrowing the law could prevent overzealous prosecutors from going after internet users engaging in relatively innocuous activity.

Driving the news: The high court Monday heard oral arguments in Van Buren v. United States, a case involving Nathan Van Buren, a former Georgia police officer who was convicted of computer fraud under CFAA for searching a license plate in a law enforcement database in exchange for cash from an FBI informant.

  • CFAA, among other things, criminalizes accessing "a computer without authorization" or in a way that "exceeds authorized access."

Between the lines: A number of groups ranging from libertarian think tank the R Street Institute to public interest group Public Knowledge said in pre-hearing filings that they view the law as currently construed as overly broad and vague.

  • Several groups said large tech firms dangle CFAA as a threat over would-be competitors, denying access to data and data portability features by invoking the law.

Others maintain that CFAA needs clarifying because prosecutors could extend it to cover a wide range of activity, much of it harmless.

  • Some critics note it could in theory criminalize work like security audits and academic research that scrapes sites for data.
  • The attorney representing Van Buren, meanwhile, contended Monday that someone using their work computer to check Instagram or a work Zoom account to talk with family would be violating CFAA under a broad interpretation of the law.

The other side: The attorney for the Justice Department said it's widely understood that CFAA only covers specific intentional breaches of computer systems and that there's no reason to think it would lead to the "imaginary avalanche of hypothetical prosecutions" floated by the petitioner's attorney.

Several justices in Monday's session, conducted via video conference, appeared sympathetic to the idea that CFAA is being read too broadly and could use reining in.

  • Justice Neil Gorsuch said conduct like Van Buren's is already illegal under other federal and state laws and that interpreting CFAA expansively could make "a federal criminal of us all."
  • Justice Sonia Sotomayor said the government's attorney's description of the popular view of CFAA as narrow isn't supported by the text of the law, which she said may be "dangerously vague."
  • Justice Stephen Breyer raised the concern that an employee using a work computer for personal reasons could be viewed as breaking the law.

Yes, but: The skepticism cut both ways at times. Justice Samuel Alito, for instance, said a narrower reading of the law could shield from prosecution people who use their authorized access into a system to engage in unauthorized and illicit activity not criminalized by other statutes.

The bottom line: Lines of questioning aren't fully reliable signals for how the Supreme Court is leaning. Clarity will only come when the court rules.

Go deeper