Posted Tue, December 1st, 2020 3:05 pm by Ronald Mann
Monday’s argument in Van Buren v. United States was the first sustained attention the Supreme Court has offered to the Computer Fraud and Abuse Act, a federal statute that imposes civil and criminal liability for unauthorized access of computers. The government in recent years has applied the statute ever more broadly, finally producing a confrontation in which the Supreme Court has an opportunity to address it.
The CFAA is vague in important ways, but it generally criminalizes obtaining access to a computer without authorization and also exceeding “authorized access” on the computer. The question in this case is what it means to “exceed authorized access,” which the statute defines as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” A police officer in Georgia, Nathan Van Buren, was authorized to search computerized records about license plates for law-enforcement purposes. Duped by an FBI sting, he searched those records for private purposes (at the request of an FBI informant who offered to pay him several thousand dollars for the information). Because Van Buren was not authorized to search those records for that purpose, the government obtained a conviction under the CFAA on the grounds that he was “not entitled so to obtain” those records.
Appearing for Van Buren, Jeffrey Fisher argued that the statute does not criminalize obtaining information that the defendant had the right to obtain. A few of the justices openly expressed concern that exonerating Van Buren’s conduct under Fisher’s narrow reading of the statute would remove protections for personal privacy that are particularly important in the internet age. Justice Clarence Thomas, for example, asked why we don’t need federal criminal liability if “you work for a car rental and have the access to the GPS, but rather than use it to determine the location of a car that may be missing, you use it to follow a spouse.” Similarly, Justice Samuel Alito commented that “many government employees are given access to all sorts of highly personal information for use in performing their jobs. But, if they use that for personal purposes to make money, protect or carry out criminal activity, to harass people they don’t like, they can do enormous damage.”
Fisher repeatedly insisted that various federal and state statutes criminalize the conduct of concern, and several of the justices clearly were sympathetic to that point, essentially offering him a platform to explain it. Justice Sonia Sotomayor prompted Fisher to confirm that, even under a narrow reading of the CFAA, the conduct in question could be prosecuted in other ways. In the same vein, Justice Neil Gorsuch suggested that he “assume[d] that there are ample state laws available that criminalize a lot of that conduct.” And then immediately after him, Justice Brett Kavanaugh noted that “one of the concerns … is government employees or financial company employees or health care company employees who have access to very sensitive personal information, then disclose it. And I’d appreciate it if you could give us a sense of the federal statutes that you think would cover such disclosures.” Later in the argument, Alito noted that exchange, suggesting that it made “this a very difficult case to decide,” in part because “I don’t really know what those statutes are.”
Another group of justices directly rejected the textual argument offered by Eric Feigin, appearing on behalf of the government. Much of the government’s position in its briefing relied on the word “so” in the phrase “so to obtain or alter.” In his argument for Van Buren, Fisher maintained that “so” refers back to the earlier clause of the statute’s definition, “access a computer with authorization,” so that a defendant does not have authority “so” to obtain or alter the information if he does not have authority to obtain or alter it for any purpose. In other words, under Fisher’s reading, a defendant violates the statute if he logs on to a computer with authorization, but then obtains information that he was not “so” – with that method of access – entitled to obtain. Feigin, by contrast, argued that “so” refers much more broadly to all aspects of the access – including whether a defendant was authorized to obtain the information in the particular way or for the particular purpose that he did. In this case, Van Buren was entitled to obtain the information from the computer from which he obtained it, but not for the purpose for which he obtained it.
Recognizing the broad liability that would arise under the government’s reading of the statute, Feigin offered a variety of limiting constructions, arguing, for example, that it applies only to particularly formal types of authorization. Several of the justices found those arguments unpersuasive. Sotomayor retorted: “My problem is that you are giving definitions that narrow the statute that the statute doesn’t have. You’re asking us to write definitions to narrow what could otherwise be viewed as a very broad statute and dangerously vague.”
Sotomayor then directly challenged Feigin’s reading of the statute with a hypothetical replicating Fisher’s reading of the statute. “Let me give you an example,” Sotomayor said. “Imagine a law that says anyone who drives on Elm Street who is not authorized so to drive shall be punished. The ‘so to drive’ to me could mean if you’re not authorized to drive on Elm Street. But under your theory, it could be, and might very possibly be read as saying you can’t ride on Elm Street if you’re driving on it with an illegal purpose, you’re speeding, you’re breaking the law on curfew.” For Sotomayor, the multiple possibilities necessarily made the statute ambiguous.
Coming next after Sotomayor in the current argument regime, Justice Elena Kagan pressed Feigin with the same line of questioning: “So then the question is what does ‘so’ mean, and picking up on what you were saying to Justice Sotomayor, if I understand Mr. Fisher’s argument, he says ‘so’ means by accessing a computer. And you just said ‘so’ means by using your access. And why is it that we should pick your choice of the prior referent rather than his choice of the prior referent?”
The final major thread of the argument came from Gorsuch and, to some degree Kavanaugh, in tones suggesting little doubt about their view on the merits. For Gorsuch, this case was only “the latest … in a rather long line of cases in recent years in which the government has consistently sought to expand federal criminal jurisdiction, in pretty significantly contestable ways that this court has rejected.” Seen from that perspective, he pressed Feigin to justify “why we’re back here again on a rather small state crime that is prosecutable under state law, and perhaps under other federal laws.” The federal government instead is prosecuting that conduct in a way that a perturbed Gorsuch found “remarkable” — “perhaps making a federal criminal of us all.” When Feigin stood his ground, insisting that Van Buren’s conduct warranted federal prosecution, Gorsuch responded that he “would have thought that the solicitor general’s office isn’t just a rubber stamp for the U.S. attorney’s offices, and that there would be some careful thought given as to whether this is really an appropriate reading of these statutes.” When Kavanaugh was offered his time minutes later, he signed on to the same viewpoint, commenting to Feigin that “this would be, as Justice Gorsuch said, a fairly substantial expansion of federal criminal liability based on one word that you’re saying we have to interpret a particular way because of avoiding surplusage.”
It is always risky to put too much weight on discussion at an argument. But the dual problem the government faces here is a core group of justices who appear to think the prosecution is fundamentally wrong-headed, overlapping with a group of justices who seem to think the language is far too vague to justify the broad reach the government ascribes to it. I won’t be surprised if some of the justices accept the government’s position, but I’ll be surprised if a majority do.
Recommended Citation: Ronald Mann, Argument analysis: Justices seem wary of breadth of federal computer fraud statute, SCOTUSblog (Dec. 1, 2020, 3:05 PM), https://www.scotusblog.com/2020/12/argument-analysis-justices-seem-wary-of-breadth-of-federal-computer-fraud-statute/