By Soraya Ferdman
On June 3rd, the Supreme Court overturned a lower court’s ruling that could have set a dangerous precedent for data journalists and security researchers.
The lawsuit, Van Buren v. United States, centered on the interpretation of the 1996 Computer Fraud and Abuse Act (CFAA) which makes it a federal crime to “knowingly access a computer without authorization or exceed authorized access.” The court had to decide whether the law could apply to an individual who is given access to a computer or online information, but uses it in an unauthorized manner.
In this case, the plaintiff, Van Buren, is a former Georgia police officer who was caught using a police license plate database for personal reasons. In 2017, a jury convicted Van Buren of taking bribes and violating CFAA. His conviction was upheld by the Eleventh Circuit.
See the previous story for more details about the lawsuit: Supreme Court Considers Federal Computer Fraud and Abuse Law
Writing for the majority, Justice Amy Coney Barrett overturned Buren’s conviction, arguing that the law should not apply in situations where an individual misuses information he already has access to, but only in situations where an individual “obtain[s] information from particular areas in the computer — such as files, folders, or databases — to which their computer access does not extend.”
“If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals…Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA,” Barrett explained.
While the lawsuit is not focused on how journalists go about their work, it nonetheless caught the attention of press freedom groups because its outcome could implicate First Amendment activities such as traditional newsgathering and newer data-journalism methods.
In 2020, the Reporter’s Committee for Freedom of the Press (RCFP) and other media organizations filed an amicus brief on behalf of Van Buren. In it, they argued that if the Supreme Court adopted the Eleventh Circuit’s broad interpretation, the law could have applied to a common data-journalism technique called “scraping,” which involves using computer programs to quickly extract large amounts of data from websites. Scraping has been used to report on such issues as doctors who continue to practice after having been caught sexually abusing their patients, inhumane prison conditions, and to match missing people with the unidentified dead.
While press freedom groups have generally welcomed the decision, some say that a footnote #8 on page 13 could lead to future litigation. The footnote leaves open whether the hacking law applies in situations where an individual’s contract or policy says he can’t access a file, but the file remains technologically accessible (i.e. it is not password protected).
In a write-up about the decision, Aaron Mackey and Kurt Opsahl of the Electronic Frontier Foundation called the footnote “a bit odd, as the bulk of the majority opinion seems to point toward the law requiring someone to defeat technological limitations on access, and throwing shade at criminalizing TOS violations.”
Grayson Clary, the Stanton Foundation National Security and Free Press Fellow at the RCFP, said overall that he considers the decision a victory.
“There will be questions to sort out about the exact scope of the ruling, but the Supreme Court made clear that interpreting the CFAA to criminalize routine internet use––including routine journalism––is out of bounds. And we’re grateful that the Court acknowledged our brief highlighting the risks of the Government’s interpretation for press freedom,” Clary said.