In a landmark decision (at least for those of us following the application of computer crime laws to newsgathering), the U.S. Supreme Court finally issued its opinion last Thursday in Van Buren v. United States, the first time it has had the opportunity to consider the scope of the federal Computer Fraud and Abuse Act.
The central question in the case is whether using a computer for an “improper purpose,” like playing a game on a work laptop, can properly be within the scope of the CFAA’s prohibition on “exceed[ing] authorized access” to a computer.
Justice Amy Coney Barrett, joined by Justices Stephen Breyer, Sonia Sotomayor, Elena Kagan, Neil Gorsuch and Brett Kavanaugh, held that it is not. That holding is particularly important given that certain data journalism techniques — like automatically gathering large amounts of data from the public internet, or “scraping” — can violate websites’ terms-of-service. That is, they could qualify as an “improper” use of the system under the government’s proposed interpretation of the statute.
Much of the Supreme Court’s opinion focused on questions of statutory construction (literally the meaning of the word “so”), but Part III credited arguments made in a friend-of-the-court brief by the Reporters Committee and 41 news organizations that, as the Court put it, “the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity” (and cited the brief in support of that conclusion).
While the bulk of the Court’s decision appears to be a broad affirmation of the proposition that the CFAA is really about “hacking,” in the sense of breaking into a computer or part of a computer using some technical means, there is, as always, that one mysterious footnote.
In footnote eight, the Court says that it need not address whether what it calls a “gates-up-or-down” approach to “access” (is a folder protected by a password, for instance) turns only on whether the gate is “technological (or ‘code-based’).” As Professor Orin Kerr wrote in a tweet thread, the footnote could be suggesting “that breaching a code-based barrier is not necessarily sufficient to establish liability,” though the precise meaning is unclear.
(Finally, special thanks to our counsel at Paul, Weiss, Rifkind, Wharton & Garrison LLP for their amazing work on the media coalition friend-of-the-court brief.)
The Technology and Press Freedom Project at the Reporters Committee for Freedom of the Press uses integrated advocacy — combining the law, policy analysis, and public education — to defend and promote press rights on issues at the intersection of technology and press freedom, such as reporter-source confidentiality protections, electronic surveillance law and policy, and content regulation online and in other media. TPFP is directed by Reporters Committee attorney Gabe Rottman. He works with Stanton Foundation National Security/Free Press Legal Fellow Grayson Clary and Technology and Press Freedom Project Legal Fellow Mailyn Fidler.