• by Wendy Davis  @wendyndavis, April 20, 2020

The U.S. Supreme Court has agreed to take up a battle over the scope of a federal anti-hacking law at the center of several high-profile Silicon Valley disputes, including a fight between social networking service LinkedIn and analytics company hiQ.

The case before the Supreme Court involves Nathan Van Buren, a former police sergeant in Cumming, Georgia who was convicted for violating the Computer Fraud and Abuse Act for taking a $6,000 bribe to look up information in a state license-plate database. He did so after being approached by a local resident, Andrew Albo, who said he wanted to learn whether a dancer at a strip club was secretly an undercover police officer. Albo was actually working with the FBI, which was conducting a sting operation against Van Buren.

Van Buren was authorized to access the license-plate database, but only for law enforcement purposes. He was prosecuted for violating the Computer Fraud and Abuse Act -- a 1986 law, with civil and criminal components, that prohibits people from exceeding authorized access to websites.

He was convicted at trial, after which he unsuccessfully appealed to the 11th Circuit Court of Appeals, where he argued that his conduct didn't amount to a violation of the anti-hacking law.

The appellate court ruled that Van Buren exceeded his authorized access to the database by accessing it for purposes unrelated to law enforcement.

He then asked the Supreme Court to review his conviction. Among other arguments, he said the appellate court's interpretation of the Computer Fraud and Abuse Act is so broad that it could transform many common activities -- including violations of websites' terms of service -- into crimes.

“The [Computer Fraud and Abuse Act] is not an all-purpose statute covering any misdeed that occurs on a computer,” he argued.

Similar arguments over the scope of the anti-hacking law have come up in other disputes, including a civil lawsuit between LinkedIn and the analytics company hiQ, which gathers data about LinkedIn users in order to determine which employees are at risk of being poached, and selling the findings to employers.

LinkedIn accused hiQ of violating the anti-hacking law by continuing to scrape data after receiving a cease-and-desist demand.

The 9th Circuit ruled last year that hiQ's scraping likely did not violate the Computer Fraud and Abuse Act.

Not all judges have reached the same conclusion in similar lawsuits. For instance, in 2013 a federal district court judge in California ruled that the data mining company 3Taps potentially violated the anti-hacking law by scraping real estate listings from Craigslist, after Craigslist had demanded that 3Taps stop doing so.

The digital rights groups Electronic Frontier Foundation, Center for Democracy & Technology and New America's Open Technology Institute sided with Van Buren earlier this year.

The groups wrote in a friend-of-the-court brief that the anti-hacking law “is a vague and ill-defined statute, with uncertain application to the modern Internet,” adding that the statute “does not define even its most critical terms -- 'access' and 'authorization.'”

“In applying this unclear statute to today’s world, some courts have diverged wildly from Congress’ intent to stop serious computer break-ins,” the groups wrote.