• by Wendy Davis  @wendyndavis, July 10, 2020

The Reporters Committee for Freedom of the Press, Mozilla and the Electronic Frontier Foundation are among a broad array of watchdogs and outside companies asking the Supreme Court to limit the scope of a federal anti-hacking law.

The organizations this week weighed in with friend-of-the-court briefs on behalf of former police sergeant Nathan Van Buren, who was convicted of violating the 1986 Computer Fraud and Abuse Act for accepting a $6,000 bribe to look up information in a state license-plate database.

He did so after being approached by a local resident, Andrew Albo, who said he wanted to learn whether a dancer at a strip club was secretly an undercover police officer. Albo was actually working with the FBI, which was conducting a sting operation against Van Buren.

Van Buren was authorized to access the license-plate database, but only for law enforcement purposes. He was convicted on the theory that he violated the anti-hacking law by exceeding his “authorized access” to the database.

After he was convicted, he appealed to the 11th Circuit Court of Appeals, which sided against him. The judges on that court ruled that Van Buren went beyond his authorized access to the database by looking up information for purposes unrelated to law enforcement.

Van Buren is now appealing to the Supreme Court. Among other arguments, he said the appellate court's interpretation of the Computer Fraud and Abuse Act is so broad that it could transform many common activities -- including violations of websites' terms of service -- into crimes.

Numerous outside groups agree with him.

The Reporters Committee for Freedom of the Press argues in a friend-of-the court brief that the 11th Circuit's opinion threatens journalists' ability to conduct online research.

“The court of appeals' interpretation would ... apply to inreasingly used data-journalism techniques, with the perverse result that certain investigative conduct that is perfectly acceptable in the analog world would be criminal when done more efficiently online,” the group writes in a friend-of-the-court brief filed this week.

The organization notes that reporters often rely on automated web scraping to uncover scandals and expose questionable activity -- even though many sites' terms of service ban scraping.

“Journalists have used web-scraping techniques to identify doctors nationwide that have continued to practice after being caught sexually abusing patients -- a reporting feat that was not practically feasible through traditional means,” the group writes, referring to the 2016 Atlanta Journal-Constitutionarticle “Behind the Scenes: how the Doctors & Sex Abuse Project Came About.”

The group adds that a broad interpretation of the anti-hacking law means that journalists who scrape data could be charged with exceeding their authorized access to a website, if the site bans scraping in its terms of service.

“The newsgathering techniques that make data journalism possible could be effectively outlawed by the broad reading of the [Computer Fraud and Abuse Act] that the government urges and that the Eleventh Circuit endorsed,” tech news start-up The Markup adds in its own friend-of-the-court brief.

The Electronic Frontier Foundation and other digital rights groups argue in a separate brief that a broad reading of the anti-hacking law undermines cyber security, because security researchers often use techniques that may violate a website's terms of service.

“Under the government’s broad interpretation ... standard security research practices -- such as accessing publicly available data in a manner beneficial to the public yet prohibited by the owner of the data -- can be highly risky,” the rights groups argue.

Mozilla and other tech companies chime in that the possibility of criminal prosecution could dissuade researchers from even looking for security threats.

“This chilling effect from the risk of criminal liability is further compounded because security researchers (usually non-lawyers) typically decide whether to take on the legal risk that accompanies research without seeking legal counsel,” the companies write. “Security researchers are therefore left to interpret an area of law where lawyers, scholars, and courts themselves cannot agree on what constitutes authorized access, and where a broad interpretation creates a real risk of criminal liability.”

The government is expected to respond next month.