In April 2020, the Supreme Court agreed to hear Van Buren v. United States. This case raises questions about what constitutes criminal “computer misuse” under 18 U.S.C. § 1030(a). The petitioner, Mr. Van Buren, was convicted under 18 U.S.C. § 1030(a) after accepting a loan in exchange for personal records obtained through a police database. As a police officer, Mr. Van Buren had permission to access the database for work related purposes. In his petition for certiorari, he argues that because he had permission to use the database, his misuse did not rise to a criminal level. The question for the Supreme Court – what is the breadth of § 1030(a)’s “computer misuse” provision – has potentially far-reaching implications in the age of internet technology.
What is the offense?
18 U.S.C. § 1030(a) is essentially an anti-hacking statute. Some portions of the statute clearly indicate this, such as § 1030(a)(2)(A)’s prohibition on the use of a computer to intentionally obtain unauthorized financial records. However, § 1030(a) also prohibits obtaining unauthorized information from any “protected computer.” Mr. Van Buren was convicted under this provision of the statute.
“Protected computer” is defined – in § 1030(e) – as including computers “affecting interstate commerce or communication.” This broad language could be interpreted to include almost any computer. As an example of how wide-ranging this could be, compare § 1030(e) with the Constitution’s Commerce Clause. The Commerce Clause gives Congress the authority to “regulate commerce with foreign nations, and among the several states.” Interpretations of the Commerce Clause gave Congress the authority to pass legislation with seemingly little relation to commerce, like anti-drug laws, and laws related to gun ownership. If the definition “protected computer” of “affecting interstate commerce or communication” is interpreted to be as expansive as the Commerce Clause, that could open the doors to wider prosecution for computer misuse.
What legal issues have the parties raised?
While neither side has yet filed substantive briefs, Mr. Van Buren’s petition for certiorari and the government’s response indicate their probable arguments.
Both sides appear likely to base their arguments in statutory interpretation. Mr. Van Buren identified Circuit inconsistency in his petition, and identified some potentially absurd results of broadly interpreting 18 U.S.C. § 1030. The core of his argument appears to be that the rule of lenity requires a narrow understanding of § 1030. His ultimate point is that § 1030 should be read as an anti-hacking statute, limited to criminalizing access of a protected computer by those who have no permission to use said computer.
The government’s position is tougher to predict, as its response to Mr. Van Buren’s petition largely denies that there is an issue at all. However, a potential argument evident from the response is that a combination of prosecutorial discretion and judicial wisdom will prevent misapplication of § 1030. The government will also probably echo the Circuits who have held that a plain reading of § 1030 requires broadly criminalizing computer misuse.
What could this mean for me?
The government notes that internal guidelines limit prosecution under § 1030 to “serious cases.” They define “serious cases” as computer misuse that also involves an abuse of authority, a pursuit of financial gain, or other similar situations. The government also notes that there are few examples of the absurd cases Mr. Van Buren’s describes in his petition.
However, the government’s “just trust us” approach is dubious, at best. For one thing, federal prosecutors internal guidelines–the US Attorneys’ Manual–change from administration to administration. For example, while former President Obama’s administration relaxed internal guidelines on marijuana prosecutions, that position was reversed by President Trump’s administration. Internal guidelines that change from administration to administration are no substitute for clear criminal statutes that give notice of what conduct is criminalized.
What is more, eyebrow-raising prosecutions under the computer misuse statute have already occurred. In 2009, California-based federal prosecutors secured a conviction against a defendant under 18 U.S.C. § 1030 for misusing Myspace.com. The crime: creating and using a Myspace profile for cyber-bullying. The prosecution’s theory rested on the violation of Myspace’s terms of service. That case was ultimately overturned, but it illustrates that the statute could be used to prosecute more than just hacking.
An expansive interpretation of computer misuse also creates the unwelcome possibility of selective enforcement. It is likely that with a broad definition of “criminal computer misuse,” thousands, if not millions of users would at some point technically run afoul of the statute. This may give prosecutors a means to focus investigations into those accessing specific websites considered undesirable.
Further, a broad interpretation of this statute could link criminality to the policies of employers. As employers set the policies of workplace computer use, those same policies would become the criminal boundaries defining what constitutes “computer misuse.” For example, if an employer offers a computer strictly for searching a single database, then merely typing a word document with that computer could be a criminal offense. So too could checking social media at work, a practice prohibited by many employers. Mr. Van Buren also notes in his brief that such an interpretation could criminalize checking sports scores at work. Even the policies of specific websites could be the basis of alleged criminal behavior. As Mr. Van Buren notes, lying on a dating website about height, for example, would violate the terms of service and therefore potentially be criminal.
Thus, the Supreme Court’s decision in this case could place millions of everyday computer users to the mercy of prosecutorial discretion and employer policies.
How is the Supreme Court Likely to Rule?
The Supreme Court is likely to avoid an outcome that would criminalize checking Facebook, but an expansion on computer misuse prosecution is possible. Lower courts have split interpretations. The Eleventh Circuit has said using a workplace computer for non-business purposes falls within the statute. Conversely, the Ninth Circuit has found that the statute only criminalizes using a computer when the user has no authority to access it all.
The Court will need to balance the government’s interest in holding hackers accountable and punishing computer misuse with the need to give clear standards for what constitutes criminal conduct.
This is a case worth paying attention to as it develops, and we will provide updates as it moves forward.