Skip to content

Supreme Court justices sound skeptical note on government’s view of anti-hacking law

Post categories

  1. Policy
The justices’ questioning about the scope of the anti-hacking law should give the Justice Department some reason for concern.

Last week, we previewed Monday’s Supreme Court oral argument in Van Buren v. United States, a case about the scope of the federal Computer Fraud and Abuse Act that has serious implications for members of the news media, especially data journalists. You must be wondering how that went. While oral argument is never a perfect — or even a very good — indicator of how a case will be resolved, the justices’ questioning should give the petitioner, Nathan Van Buren, at least some reason for hope, and the Department of Justice at least some reason for concern.

I’ll avoid recapitulating the facts of the case in too much detail. At heart, though, the question presented is whether the anti-hacking statute criminalizes conduct that breaches a contract-like restriction on computer use (say, a website’s terms of service) or only conduct that breaches a password-like restriction.

In questioning Van Buren’s counsel, the justices pressed on the instinct that at least some of those contractual violations are genuinely wrongful in a way we would expect to be punished — a bank employee using her access to steal and sell a customer’s social security number, for instance, in a hypothetical offered by Chief Justice John Roberts. Counsel parried that that conduct certainly can be criminalized, but that the CFAA doesn’t do so. He emphasized, too, that there was “no foothold” in the statutory text for distinguishing the genuinely troubling scenarios (the social security number theft) from benign term-of-service violations (fibbing about your height by an inch on a dating website, in violation of a contractual prohibition on providing false account information).

In their questioning of both parties, the justices seemed doubtful that the text of the law alone — which defines “exceed[ing] authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain” — offers clear answers. Justice Elena Kagan, for instance, pressed Van Buren’s attorney on what the phrase “information … that the accesser is not entitled so to obtain” is supposed to refer to, if not to data a user can obtain using their credentials that they nevertheless aren’t “entitled” to (say, because their employer’s policies forbid it). Counsel answered that it refers to information obtained by “access[ing] a computer” that the defendant might have been “entitled” to obtain in some other way — in other words, that a defendant who gets ahold of government records by hacking can’t defend himself on the grounds that he could have lawfully obtained the same information by filing a Freedom of Information Act request. If you found that paragraph difficult to parse, well, the justices seemed to feel the same way, often appearing to despair whether the words of the statute could tell them very much.

When the government’s attorney was up, he began his argument there, claiming that the petitioner’s reading of the word “so” gave it very little work to do. He mocked, too, the suggestion that the government’s reading would have the sweeping consequences the petitioner suggested. (As law professor Orin Kerr pointed out, this was an odd tone to strike; the government defended exactly the view Van Buren’s attorney described, that the statute does sweep broadly enough to cover mere term-of-service violations, right up until it filed its Supreme Court brief in Van Buren.)

But the Justice Department soon confronted difficult questions about whether the limiting principles it identified to fend off the dating-website hypothetical had any basis in the statute. And while the government maintained that the law was “not even” ambiguous, Justice Samuel Alito — perhaps the justice most skeptical during Van Buren’s argument — insisted that he found the case “very difficult,” going so far as to suggest the Court might need supplemental briefing.

Justice Neil Gorsuch, for his part, had the harshest words for the Justice Department. In a remarkable exchange, he framed the case as “the latest in a rather long line of cases” in which the government was attempting to expand criminal law “in pretty significantly contestable ways.” He suggested, too, that he “would have thought that the Solicitor General’s Office isn’t just a rubber stamp for the U.S. Attorney’s Offices, and that there would be some careful thought given as to whether this is really an appropriate reading of these statutes.”

Most of the justices, though, can’t be said to have shown their hands to that extent. Clarity will have to await a decision later this term. In the meantime, you can listen to a recording of the argument for yourself here and access a transcript — with all the authorization you need — here.

Like what you’ve read? Sign up to get the full This Week in Technology + Press Freedom newsletter delivered straight to your inbox!

The Technology and Press Freedom Project at the Reporters Committee for Freedom of the Press uses integrated advocacy — combining the law, policy analysis, and public education — to defend and promote press rights on issues at the intersection of technology and press freedom, such as reporter-source confidentiality protections, electronic surveillance law and policy, and content regulation online and in other media. TPFP is directed by Reporters Committee attorney Gabe Rottman. He works with Stanton Foundation National Security/Free Press Legal Fellow Grayson Clary and Technology and Press Freedom Project Legal Fellow Mailyn Fidler.

Stay informed by signing up for our mailing list

Keep up with our work by signing up to receive our monthly newsletter. We'll send you updates about the cases we're doing with journalists, news organizations, and documentary filmmakers working to keep you informed.