• by Wendy Davis  @wendyndavis, November 30, 2020

The government's interpretation of a decades-old anti-hacking law “would brand most Americans criminals on a daily basis,” a lawyer representing former police sergeant Nathan Van Buren told the Supreme Court Monday.

Van Buren's lawyer, Jeffrey Fisher, expressed that view as part of his bid to convince the court to reverse a ruling that Van Buren violated the Computer Fraud and Abuse Act -- a 1986 law, with civil and criminal components, that prohibits people from exceeding their authorized access to websites.

That law has been at the center of several high-profile Silicon Valley disputes, including a battle between social networking service LinkedIn and analytics company hiQ.

Van Buren was convicted of violating the law for accepting a $6,000 bribe to look up information in a state license-plate database.

He did so after being approached by a local resident, Andrew Albo, who said he wanted to learn whether a dancer at a strip club was secretly an undercover police officer. Albo was actually working with the FBI, which was conducting a sting operation against Van Buren.

Van Buren was authorized to access the license-plate database, but only for law-enforcement purposes.

He unsuccessfully appealed to the 11th Circuit Court of Appeals, which ruled that Van Buren exceeded his authorized access to the database by looking up information for personal reasons.

Van Buren then appealed to the Supreme Court, arguing that the 11th Circuit's interpretation of the Computer Fraud and Abuse Act is so broad that it could transform many common activities -- including violations of websites' terms of service -- into crimes.

Fisher expounded on that point during Monday's hearing. For instance, he asked the judges to imagine a scenario where an employee violated his company's handbook by using a Zoom account for personal purposes.

“If the government is right,” Fisher said, “any employee who used a Zoom account over Thanksgiving to connect with distant relatives would be subject to the grace of federal prosecutors.”

But Deputy Solicitor General Eric Feigin argued that the government's interpretation of the law wasn't as broad as Fisher had suggested. Feigin specifically argued that “public” websites, social networking sites, don't require "authorization" to access -- which would mean that people who violated terms of service on consumer-facing websites wouldn't also violate the anti-hacking law.

“Services like Facebook and Hotmail that will give accounts to anybody who has a pulse and --and even people who don't, because they don't really check, those aren't authorization-based systems,” Feigin told the court.

Justice Samuel Alito questioned that contention.

“With respect to the argument that adopting your interpretation would criminalize all sorts of activity that people regard as largely innocuous, you suggest that there are ... limiting interpretations. But I don't know exactly what they are,” Alito told Feigin.

Alito added that, without a definition of terms like “authorization,” the potential scope of the statute was unclear.

Justice Clarence Thomas asked Fisher whether anyone had been criminally prosecuted for disregarding a company's terms of service by accessing a web-based service like Zoom or Facebook.

Fisher provided some examples -- including the prosecution of Lori Drew, who was involved in the emotionally charged MySpace suicide case. (Drew was accused of violating the Computer Fraud and Abuse Act for allegedly helping to hatch a plan to create a fake profile of a boy, "Josh," who sent hurtful messages to 13-year-old Megan Meier. Megan hanged herself after receiving a final message from "Josh." A federal judge ultimately dismissed the charges against Drew.)

Alito also noted that privacy groups expressed concern about the implications of a decision in Van Buren's favor.

“There are many government employees who are given access to all sorts of highly personal information for use in performing their jobs,” Alito said. “But, if they use that for personal purposes to make money, protect or carry out criminal activity, to harass people they don't like, they can do enormous damage.”

Fisher argued that other laws could come into play if people accessed government databases for illegal purposes -- including laws against misusing trade secrets, or stalking.

The dispute drew interest from numerous outside organizations, including the Reporters Committee for Freedom of the Press, Mozilla, tech news site the Markup and digital rights groups including the Electronic Frontier Foundation.

Those organizations argued in friend-of-the-court briefs that a broad interpretation of the Computer Fraud and Abuse Act could harm news-gathering as well as research.

For instance, the Reporters Committee for Freedom of the Press specifically said a broad interpretation of the law would allow prosecutors to charge journalists who scrape data with exceeding their authorized access to a website, if the site bans scraping in its terms of service.

The Electronic Privacy Information Center was among the groups that sided with the government, arguing in a friend-of-the-court brief that the anti-hacking law should apply when people access government databases for improper purposes.