We have previously covered the SCOTUS’s interesting decision to grant certiorari in Van Buren v. United States – a criminal case where the petitioner has appealed his conviction under the Computer Fraud and Abuse Act (CFAA).
The case is potentially significant because the lower court’s interpretation of the CFAA, defended by the government on appeal, would criminalize large swaths of seemingly innocuous computer use. For example, a SCOTUS decision for the government could mean that your yearly March Madness office pool is now a criminal conspiracy.
On July 1, the petitioner submitted his opening brief which lays out his arguments to the justices, accompanied by several “friend of the court” briefs from outside organizations. He is represented by the Georgia Federal Public Defender’s Office, the Stanford Law School Supreme Court Litigation Clinic and private counsel.
In this post, we summarize these arguments for our readers and offer some commentary thereon.
Factual and Procedural Background
The petitioner, Nathan Van Buren was a police officer in Georgia. Mr. Van Buren obtained a license plate number from a police database as a personal favor for a friend. The friend later paid Mr. Van Buren $5,000 for the information.
Importantly, Mr. Van Buren was fully entitled to access this database in his capacity as a police officer. However, the police department’s rules prohibited accessing the database for a non-law-enforcement purpose.
Unbeknownst to Mr. Van Buren, his friend was working with the FBI, and the “favor” was in fact a sting operation designed entirely to test Mr. Van Buren’s willingness to skirt police rules. The government charged Mr. Van Buren with a felony violation of the CFAA. Mr. Van Buren argued at trial that the CFAA should be interpreted only to cover so called “hacking” – that is, gaining unauthorized access to computerized information. The trial court disagreed, denying Mr. Van Buren’s Rule 29 motion to dismiss and instructing the jury that CFA covered not only hacking but misuse of computerized information a defendant had lawful access to.
On appeal, the 11th Circuit affirmed Mr. Van Buren’s conviction despite the fact that other circuits had placed a narrow interpretation on the CFAA that would not have covered the offense conduct.
The Supreme Court granted Mr. Van Buren’s certiorari petition, no doubt wishing to resolve the circuit split on CFAA interpretation.
Arguments in Mr. Van Buren’s Opening Brief
Mr. Van Buren raises four main arguments in support reversal which we summarize as follows:
1) the CFAA’s statutory language only covers unauthorized access of computer data and does not cover misuse of data to which the user has lawful access, 2) interpreting the CFAA to cover obtaining information for an unauthorized reason is inconsistent with the purpose of the statute, which was simply to criminalize hacking, 3) the 11th Circuit’s interpretation, as defended by the government, would have absurd results, and 4) canons of statutory interpretation – such as the rule of lenity or avoidance of constitutional questions – favor the petitioner’s interpretation.
We address each argument below:
- The Statutory Interpretation Argument
Mr. Van Buren opens with a technical argument on the the statute he was prosecuted and convicted under – 18 U.S.C. § 1030(a)(2). He argues that when the statute is read in its entirety, the language only means to criminalize hacking, not simple computer misuse. He also points out that the Eleventh Circuit Court of Appeals – the previous court to hear his case – skipped the definition section Congress included in this statute in their reading of the law.
Mr. Van Buren also argued that simple computer misuse is better handled in private litigation, not criminal prosecutions. An employee who violates their workplace rule could be sued for breach of contract or in tort. Mr. Van Buren argues that the Supreme Court should let these private bodies of law stand in place of criminal prosecution.
2. The Statutory Purpose Argument
In a similar argument, claims that criminalizing Mr. Van Buren’s conduct would be inconsistent with the legislative purpose of the statute. He claims that 18 U.S.C. § 1030(a)(2) should not be read to prohibit simple computer misuse, because there are other computer related statutes. He points to 17 U.S.C. § 506(a)(1) as an example, which prohibits unauthorized access to copyrighted material and 42 U.S.C. § 1320d-6(a)(3), which criminalizes accessing an individual’s health records.
Where the government’s reading of the statute permitted, these statutes would be rendered meaningless, as 1030(a)(2) would criminalize those behaviors as well. Without mentioning specifics, Mr. Van Buren also notes that there are state laws regulating computer use as well. He reasons that 1030(a)(2) must therefore be narrowly read, so as to give meaning to the other federal and state computer statutes.
3. The Consequentialist Argument
The petitioner’s next argument focuses on the consequences of the government’s proposed interpretation of the statute. These argument are strong, even if highly technical. However, the practical implications of the reading the statute to criminalize the type of computer misuse present more striking concerns, and are likely the reason the Supreme Court agreed to hear the case. Mr. Van Buren spends most of his brief focusing the Supreme Court towards the realities that may come if the Justices allow his conviction to stand — a slippery slope argument.
Mr. Van Buren points to the far ranging consequences that could result if the Supreme Court allows his prosecution to stand, namely that it could criminalize innocuous computer misuse, like watching March Madness basketball games while at work or exaggerating one’s height on a dating website.
Lest the court think he is exaggerating the possible outcomes, Mr. Van Buren quotes the exact words used by the prosecutor at Mr. Van Buren’s trial, where the prosecutor told the jury that breaking an employer’s computer rules was a crime:
Many of you work on computers in your own jobs. … You’re allowed to be on the network, but once you’re using the network that’s against what your job or policy prohibits, you’ve exceeded your access. You’ve gone too far, and this is the concept that this defendant violated. He violated this federal law when he ran that tag query for his own personal benefit and for a nonlaw enforcement purpose.
4. Other Arguments – Rule of Lenity, Avoiding Constitutional Questions, Etc.
Finally, Mr. Van Buren closes with a patchwork of smaller points. He begins with the Court’s own tradition of deciding cases while avoiding Constitutional questions, and encourages the court to avoiding deciding his case in a way that would raise First Amendment worries or otherwise render 1030(a)(2) overly vague.
Next Mr. Van Buren warns against relying on the government’s promises to responsibly use a broad criminal statute. This would go against the rule of lenity — a longstanding tradition of deciding close criminal issues in favor of defendants. In recent years the Supreme Court has also carefully avoided expanding the power of prosecutors, which Mr. Van Buren reminds the Court of when he asks them to avoid producing a “sweeping expansion of federal criminal jurisdiction.”
On their own, each of these arguments is relatively weak. Taken together though, Mr. Van Buren paints his position as the historically favored one, That is a powerful position to be in, and provides good closure to his brief.
Arguments of the Amicus Curiae
Several amicus curiae – outside individuals or organizations with expertise relevant to the case – have submitted briefs in support of the petitioner’s position, identifying further repercussions of broadly criminalizing computer usage. Most pointed out circumstances where technically breaking computer polices benefits society.
For example, the ACLU wrote that broadly criminalizing computer usage could stifle online research. Some research requires elements of deception to achieve unbiased test results, which technically violates the rules of many websites and apps; despite the benefit that research brings.
The Markup and The Reporters Committee for Freedom of the Press also noted a broad prohibition would stifle investigative reports and freedom of the press, as journalists who skirt private rules to break important news could suddenly face criminal charges.
Similarly, the National Whistleblower Center also writes that a wide prohibition on computer usage would open many whistleblowers up to prosecution, as it necessary for whistleblowers to break some of their employer’s rules to expose wrongdoing.
Most of the amici join Mr. Van Buren in his conclusion that 18 U.S.C. § 1030(a)(2) should be read to only criminalize true hacking – and not simple computer misuse.
Only one Amici refrained from explicitly supporting Mr. Van Buren, the United States Technological Committee – an organization of computer professionals and educators claimed to take a neutral position. However, they largely echoed Mr. Van Buren’s arguments anyways, even without endorsing him. They argued that too broad a reading of 18 U.S.C. § 1030(a)(2) does not line up with the rising societal and businesses reliance on the internet.
Our Analysis
Mr. Van Buren’s consequentialist arguments are extremely powerful. As Mr. Van Buren points out, even the “[g]overnment has never disputed that its reading of the CFAA reaches commonplace activities prohibited by employer’s computer use policies and websites’ terms of use.”
As mentioned above, under the government’s interpretation, an office March Madness bracket contest would be a criminal offense if the employer rules prohibit non work related computer use. In fact, even in the absence of a “pool”, checking a single basketball score a singe time would violate the statute. Undoubtedly, our readers can supply scores of further examples of anachronistic (and unjust) consequences that would flow from the government’s position.
Mr. Van Buren is certainly correct to challenge the government’s argument that prosecutorial discretion will prevent misapplication of the CFAA. A government victory in this case will be seen as further vindication for critics of DOJ overreach such as Harvey Silverglate (author of “Three Felonies a Day”) or the @CrimeADay twitter account. Federal criminal law is so expansive, these commentators argue, that nearly every American has violated some federal law they could be prosecuted for. In the absence of a “real” crime, federal prosecutors can always fall back on the thousands of abstruse crimes in the U.S. Code; a scenario many view has having high potential for abuse.
The facts of this case provide a provide an illustration of how the proliferation of overly broad federal crimes could be subject to abuse. To expand a bit on our factual discussion above, the sting operation that resulted in Mr. Van Buren’s conviction was not the government’s first move against him. Prior to this, the FBI used the same cooperating witness to seek Mr. Van Buren’s help in transporting controlled substances. Mr. Van Buren refused.
Having thus failed in their first sting operation, the FBI devised a second based not on controlled substances but on a federal law that most of us have probably violated at some point in our lives – the CFAA. To be sure, the facts do not suggest that law enforcement was motivated by anything other than a suspicion that Mr. Van Buren would seek to profit from his access to law enforcement databases – a suspicion that proved to be correct. Moreover, the FBI’s cooperating witness had attempted to involve Mr. Van Buren in a drug conspiracy and the officer did not cut off contact with this seemingly shady character. However, it is easy to imagine a scenario where federal agents with less admirable motivations could abuse the CFAA to prosecute otherwise innocent persons for bad faith reasons.
Turning to the textual argument, Mr. Van Buren is on somewhat weaker ground. The government’s proffered interpretation does not obviously conflict with the text of the statute – as the 11th Circuit ultimately found. We offer no opinion on the likely outcome of the case and look forward to reading the government’s submissions which are due on August 27.