US Supreme Court Restricts Scope of Computer Fraud and Abuse Act [pdf] (supremecourt.gov)
442 points by panarky 17 days ago | 260 comments



I'm surprised at the negativity here. I agree with this decision.

When I saw it was a 6-3 decision my first instinct was "oh another conservative-liberal divide" but no it isn't. I'm actually surprised to find Thomas dissenting since he's just a stickler for the literal text.

To me the ruling seems correct: the offender may have exceeded department rules and such access by that measure was "unauthorized" but he was not an unauthorized user to the system.

It's refreshing to see limits to the overreach on what constitutes "hacking". This isn't hacking.

Were this ruling in effect when Aaron Swartz was charged, I very much suspect it would've invalidated the hacking charges under the CFAA (since he used a guest account he had access to).


Agreed.

This is a policy violation, and maybe that should be illegal in some way or have consequences. I'd be ok with that, but it's just not "exceed authorized access". The person in this case was authorized.

The idea that you could be authorized, but suddenly not because of a policy doesn't make sense to me and that's kinda weird because that seems right up Thomas's literal interpretation alley (come on Thomas, use it right for once).

Imagine Comcast changes a policy, and suddenly you're in violation of Computer Fraud and Abuse Act (CFAA).


> This is a policy violation, and maybe that should be illegal in some way or have consequences.

Sure, and usually policy violations that matter do involve civil consequences (e.g. litigation to recover damages) but not handing out felonies or putting someone in prison for a decade+.


This person sold access to restricted data and abused his privileged position as civil servant to do so. Maybe it's not CFAA, but I'm sure it should be a felony of some sort.


He should be charged with the laws against that, then, rather than the CFAA. This other poster mentioned some:

https://news.ycombinator.com/item?id=27385624


Exactly. If he were charged with "bribery, and also public urination" for this, while I wouldn't be happy about what he did, it definitely wouldn't be public urination.


Well argued, counselor.


> it's not CFAA, but I'm sure it should be a felony of some sort

The Opinion says he “was charged with and convicted of honest-services wire fraud,” though it was vacated in a separate holding [1].

[1] https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf


Absolutely, and it probably already is. CFAA is just such an absurdly overbroad law with rather harsh penalties that it gets charged even when there are other more reasonable alternatives.


Yes, as the Court noted in its opinion regarding the Government's charging practices.


If he directly shared or transferred the police database information to someone else then it looks very odd that the government went after him for hacking. Sharing of classified information is a more serious crime, and hindering a police investigation is also a crime.


There are so many laws that there's an incentive to throw as many as possible that might stick, so that at least one of them might get a conviction.

It also adds a lot more pressure on the person charged to take a plea deal.


I think the prosecution needs to be put to proof of every charge that's suddenly dropped where the dropped charge is the most appropriate and the charge the accused pleads to whether of their own accord or in bargain. It is absolutely not in the interests of justice to convict on secondary and tertiary charges for the purported purpose of punishment for a different unproven crime that is the crime society wants to deter.


Police data is not classified.


It isn't? I would think that information such as that of people with hidden identity or informants was not public information but rather something which the government has deemed sensitive enough to protect. Am I wrong?

In my country any information related to an on-going investigation is automatically classified. Police are not allowed under the law to divulge to the press any such information.


(big IANAL) Criminal penalties for revealing information would be a major affront to the First amendment since they're the most direct way for the government to restrict speech. The Federal classification system only works because the individuals given security clearance enter into a special contractual agreement with the Federal government - only someone who has made that agreement can face criminal penalties for revealing classified information. A random pedestrian who's never even been allowed near classified information but stumbled onto it can't be prosecuted (at least, not once it gets to a sane appeals court).

That's to say: it'd be up to each state to create its own criminal laws regarding what they consider confidential information (if any) and make sure those laws are constitutional by explicitly writing them into the police officers' contracts. Much of the time, changing internal policy is all that states can realistically do because some federal statute or constitutional clause has supremacy - even something that's normally a fireable offense at a private business might run afoul of constitutional protections when done by a state government or agency.


First amendment has a strong influence, though when it comes to obstructing justice I would lean towards the action being illegal.

I wonder if obstruction of justice can impact someone who has not made any agreement beforehand. A random pedestrian who tries to stop the police, in a public space where they otherwise would have a right to be, could still end up in jail if I understand the laws right. If they can do that with their physical body I suspect the same punishment can occur if they do that with their own first amendment voice given special circumstances and results of that speech.

It is however difficult for a random pedestrian to commit obstruction of justice by accident, but a lot of actions done by a police officer would obstruct justice by the nature of their own work. Similarly, if a person were employed at a court and misbehaved erroneously, I would guess that it would carry a bit more legal risk just given the environment.

Nothing of this has anything to do with internal policy. Obstruction of justice is mostly about the intention and results.


Those are separate things and they're treated differently. The illegal act is obstruction of justice, not the speech itself, which is why criminal OoJ penalties don't run afoul of the first amendment.

If you have insider information on an ongoing investigation and you tell it to your buddy at the bar who doesn't care one bit about it and immediately forgets, that's not obstruction of justice because the speech itself isn't the criminal act. If you tell that same information to the suspects though, then that's obstruction of justice.

With classified (natsec) information, on the other hand, telling it to anyone who you're not absolutely certain has clearance to see it is a violation and could land you in jail for years if you get a bloodthirsty DA. (again, IANAL)


In this specific case we have a police officer interfering with a case about an undercover officer by informing the suspect about the undercover agent's identity. However, the whole affair was actually a sting operation to test if the officer would interfere.

It is a bit of a special situation since the interfering was over a fake case, though the legal framework of sting operations has always been a bit grey. It seems to me however that it flies clearly above that of first amendment rights. It seems simply that the prosecutor chose to go after CFAA because the case is about a sting case rather than a real one. Had the police officer interfered in a real case, where a criminal had been given information that obstructed police officers in their job, the case would have been about that.

If that is true then the case has very little to do about internal policy decisions, exceeded permissions, unauthorized vs authorized users, employee contracts and so on. It is actually about sting operations and a prosecutor who attempts to bypass that discussion by using a law designed for a different purpose.


Out of curiosity, how would such a contract work? Normally the violation of a contract just means a tort and not criminal penalty. Surely you cannot simply say something like, "I agree that exercising my constitutional rights is now a federal offense."


The official contract is Standard Form 312 [1] which strictly only carries civil penalties - it's little more than an NDA except it carries the weight of the executive (in the sense that the executive branch can use its authority to enforce it). The actual criminal charges come from a variety of laws like the Espionage Act of 1917, Intelligence Identities Protection Act, etc that each protect a variety of information using a national security exception to get around constitutional issues. My understanding is that the glue that holds them together is this line in SF 312:

> In addition, I have been advised that any unauthorized disclosure of classified information by me may constitute a violation, or violations, of United States criminal laws, including the provisions of sections 641, 793, 794, 798, 952 and 1924, title 18, United States Code; the provisions of section 783(b), title 50, United States Code; and the provisions of the Intelligence Identities Protection Act of 1982. I recognize that nothing in this Agreement constitutes a waiver by the United States of the right to prosecute me for any statutory violation

(again, IANAL and this is definitely not legal advice)

[1] https://www.gsa.gov/cdnstatic/SF312-13.pdf?forceDownload=1


It sounds like you might be unaware of the existence of NDAs?


What you’re saying isn’t true. There’s a legal doctrine of “born classified” that obligates everyone to secrecy.

Companies have gotten into trouble for doing research that might be used to build an atomic bomb, even though the research had other applications.


That's not what that doctrine means; information being classified and individuals having a duty to protect it are two distinctly different things. Imposing a duty to protect classified information on Americans who have not signed a national security NDA would be a breach of their first amendment rights. The rules are obviously totally different for people who hold or have held a clearance, but the legal basis for those rules is the NDA signed by those people.

This is fundamentally different than e.g. the British approach, where the official secrets act applies to everyone whether or not they have signed it.

It's also the case that while the doctrine of born secret has not been tested in court, it is generally regarded as unconstitutional and likely to be struck down by the courts if they are given the opportunity.


Everything I’ve ever read about the “born secret” doctrine says that it obliges non-cleared people to keep secrets.

Most of what I’ve read emphasized how controversial this is. As you said, there are severe first amendment implications.

Yet the law ignores these implications.

It is probably unconstitutional, but the SCOTUS has never ruled on it.

I hate to be the guy saying “cite your sources,” but I have quite a few sources that say “born secret” applies to everyone. Can you show me some evidence it doesn’t?

This source is about a related, but distinct, topic. It contains numerous examples of the US government attempting to obligate non-cleared people to keep official secrets:

https://scholarship.law.upenn.edu/cgi/viewcontent.cgi?articl...

This source is a Wikipedia page, but it describes the government attempting to use “born secret” to censor a newspaper:

https://en.m.wikipedia.org/wiki/United_States_v._Progressive....

PS: From the first source:

In 1978, journalist James Bamford sent a Freedom of Information Act (FOIA) request to the Justice Department. He wanted documents related to the Department’s investigation of illegal wiretapping performed by the NSA. Among the surveillance programs the Justice Department investigated was Operation MINARET, which spied on Martin Luther King, Jr., Jane Fonda, and other opponents of the Vietnam War. The chief of the Justice Department’s special litigation unit, the unit that led the investigation into the NSA, took ten months to review the request. In the end, the Justice Department declassified and released 250 pages of documents to Bamford. When the NSA found out about the disclosure, however, it argued that the documents should never have been released and demanded that the Justice Department label them as classified. The Justice Department refused.

Two years later, with a new administration in the White House and new leaders atop the two agencies, the NSA tried again. This time, the Attorney General agreed. Bamford recalled a meeting with NSA and Justice Department officials. “They threatened to use the espionage statute against me,” Bamford recounted, “if I continued to refuse to return the documents.” A letter from the Justice Department soon followed: “You are currently in possession of classified information that requires protection against unauthorized disclosure,” it said, adding that Bamford should be aware of his “continuing obligation not to publish or communicate the information.” Keeping quiet was not enough for the Justice Department, however. “It is . . . your duty and obligation as a United States citizen to return this information to the Department of Justice,” the letter insisted.


> Yet the law ignores these implications.

Is that surprising? There's no physical law forcing legislators to write Constitutional laws or the executive branch to enforce them. They're just empty words until people actually implement them and then it's up to the Judiciary to review those implementations and resolve the ambiguities and inconsistencies between the laws and the real world. Unfortunately, there's nothing stopping bad laws from destroying lives on their way through courts, which often takes decades.

The Supreme Court hasn't decided the constitutionality of the born secret doctrine because the real world hasn't presented an opportunity. A core constitutional restriction of the courts is that they can't legislate, only rule on the cases that go before them. The doctrine has been abandoned by the government when push came to shove, likely because it knew the doctrine is indefensible before SCOTUS and only useful for the threat of litigation and criminal charges against civilians.


> I have quite a few sources that say “born secret” applies to everyone

No, you don't. The government can ask you to do a great many things. They can use big, scary words that are designed to coerce you to do it. But that's not the same thing as being legally compelled to do it.

No charges were filed, there was no prosecution, and he's not in jail. Strongly worded letters are worth approximately the paper they're written on.


In the US, barring other qualifiers, "classified" is a federal designation for national security data. Police are not federal. I could get more pedantic about it; there are designations like "Unclassified/Law Enforcement Sensitive" for data that can be shared with police. The police are allowed to keep various information internally. I'm not sure that license plate ownership information is protected at all, though, for this specific case.


My (possibly flawed) understanding is that "classified information" in the US is pretty much a federal government thing, and is usually used for information relating to national security or spy-agency type stuff.

I would imagine information about informants or people with hidden identities would be considered privileged information in whatever state/local law enforcement jurisdiction created it, but penalties for leaking or distributing it would be a local matter, and many localities might not have specific laws on their books to deal with it.

Regarding on-going investigations, police aren't supposed to publicly discuss information about investigations, but they may if they deem that there is a public interest in doing so, or that doing so will help them with their case. I may very well be wrong here, but my gut suggests that in most places in the US there are likely not specific laws against public disclosure of details of ongoing investigations.


I could see a law that has stricter terms for sensitive data, and civil servants with access to it. I'd be ok with that. Maybe even felonies depending on what occurred and whatever the law is.

It's just the law in this case doesn't fit what happened.


I find both your and GP's swipes against Justice Thomas to be perplexing. Literal interpretation of the Constitution's meaning at the time it was written is exactly what you should want, not whatever that single judge feels should be or should have been the meaning. I don't see how that's a bad trait.


And I pointed out how he didn't do that.


"Imagine Comcast changes a policy, and suddenly you're in violation of Computer Fraud and Abuse Act (CFAA)."

That is only an argument, not a fact. They would have to persuade a court you are in violation of the CFAA. That requires evidence. In almost all the previous cases with similar facts, the plaintiff provided notification and an instruction to cease and desist. Apparently, the plaintiff's lawyers or prosecutors thought they needed that as evidence. If you received such notification, and you wished to avoid a CFAA claim, then you would follow the instruction and stop doing whatever Comcast is complaining about. And that would be the end of it.

The thing about the Swartz case is that he broke into a network closet and connected his laptop with ethernet cable directly to an MIT computer (networking equipment) in the closet. Even with this latest USSC decision, how could that ever be "authorised [physical] access".


Policies, by definition, are ways by which authorization rules are enforced. If the officer violated a policy, they also by definition violated their authorizations.

>The idea that you could be authorized, but suddenly not

They were never authorized to use this system in this way, so there was not an "authorized but then suddenly not". The officer's authorization was static: not authorized.

Authorization is more than just the technical controls in a system, and lack of a technical control to prevent an officer using a system in certain ways does not mean said officer is authorized to use the system in any way they please.


I think we are confusing two concepts here.

The officer's actions were unauthorized on a system he was provided access to. He didn't gain unauthorized access to a system, he failed to follow the rules on a system he already had access to.


> The officer's actions were unauthorized on a system he was provided access to.

Er, no, that's specifically not the case. The officer's actions on the system in fact were authorized; he was authorized to look up licence plate information. The officer's actions later - specifically sharing private information with a third party - were criminal[0], and would be criminal regardless of whether a computer was even involved.

0: Give or take legislative and judicial corruption à la misrepresenting theft as 'civil forfeiture', but that's not really the point.


> would be criminal regardless of whether a computer was even involved

I don't think GP is in disagreement with you that it's potentially illegal, just that the CFAA shouldn't apply here.


> I don't think GP is in disagreement with you

I am confused about how(/whether?) confused you are about what I said.

> > > The officer's actions were unauthorized on a system he was provided access to.

The CFAA does not apply here, because the officer's actions on the system were authorized. He did not "failed to follow the rules on a system he already had access to", he followed those rules, then separately did something illegal[see previous footnote] with the information he obtained in accordance with those rules.

If his actions (on the system) were unauthorized, that would be a CFAA violation, even if he was authorized to access the system in some other way.


It isn't just about access to the system, but access to the data as well, and he accessed data that he was not authorized to access. That is "exceeding authorized access".

- Logging onto the system: officer has technical access to log on and is authorized to log on, no problem

- Accessing normal data the officer needs for legitimate reason: officer has technical access to this data and is authorized to access it, no problem

- Accessing data for the purpose of a bribe: officer has technical access to this data, but is not authorized to access it, thus they are exceeding their authorized access


His crime was violating the policy. He clearly did not hack into the computer system to get the data, and that's what the CFAA was meant to prosecute.

Put another way, he didn't work around any computer controls to get at the information.


>Put another way, he didn't work around any computer controls to get at the information.

That's irrelevant. You can do unauthorized things without having to "work around" controls.

>He clearly did not hack into the computer system to get the data, and that's what the CFAA was meant to prosecute.

The CFAA was meant to prevent computer-related crimes including but not limited to unauthorized access, fraud, abuse, etc, which this clearly was.


> That's irrelevant. You can do unauthorized things without having to "work around" controls.

SCOTUS disagrees with you, and so do I.

> The CFAA was meant to prevent computer-related crimes including but not limited to unauthorized access, fraud, abuse, etc, which this clearly was.

He didn't do any of those with respect to the computer system. He accessed a resource that he had authorization to access as part of his job. He misused it, but didn't break into the system or gain access by fraud. His reasons for accessing the data were wrong, but his access was authorized.


Actually I don't know that SCOTUS has much to say in this ruling on the necessity of effective technical controls.

If the officer was explicitly told 'you can use the computer system, and it can do plate lookups, but you're not allowed to perform plate lookups ever', then he went ahead and made a plate lookup anyway, I'm not entirely clear that the ruling would exclude that from being a CFAA charge, even without there being any password or permission model to lock him out of that functionality. I could be wrong there - there may be other caselaw on that - but I didn't read much in the ruling that suggested they were interested in the extent to which the system technically restricted access to this functionality.

But in this case he had legitimate technical access, he was authorized to use it to look up plate data, and the SCOTUS verdict, sensibly, concludes that using that access for an illegitimate purpose does not merit a CFAA charge.


>His reasons for accessing the data were wrong

This, by definition, makes his access unauthorized. That's the point. "Authorization" is more than just technical controls. He was not authorized to access the data for this reason.


> "Authorization" is more than just technical controls.

You are applying too broad a definition to "authorization." In this context it refers specifically to the configured authorization behavior of the computer system. They gave him the equivalent of a key to a lock implemented in the computer system, and the law is meant to address the equivalent of someone who picks locks, not someone who misuses the access provided by keys they were given.


> "Authorization" is more than just technical controls.

SCOTUS just literally said the opposite.


>You can do unauthorized things without having to "work around" controls.

The term "unauthorized" is overloaded. There is one sense in which he was unauthorized by policy. There is another sense by which he was authorized by technical access. These are separate scenarios and separate violations. It makes no sense for unauthorized-by-policy to be a violation of a computer hacking statute.


There's some kind of weird penumbra here. The intent of the owner of the computer system clearly matters, but how much?

At the "seems pretty clearly like unauthorized access" end of the spectrum, we can imagine someone brute-forcing a password to gain access to a system. They're "authorized by technical access" once they have the username/password, but that's surely a focal case of the kind of crime that the statute was intended to address.

Alternatively, say there was a guest account activated with a default password.

Would we argue that someone with no relationship to the owner who discovered the account was active and then used it was "authorized by technical access"?

Presumably the answer is that authorization in that case depends on whether it was the intent to allow strangers to use the system as a guest or whether it was some kind of technical oversight.

What about if you were hired as a data entry operator, but your account was accidentally set up as a superuser? The owner of the system intended to give you one level of access but accidentally gave you another. Are you a hacker if you use the unintended access grant to snoop around? Again, you're "authorized by technical access".

What about if your boss puts his username/password on a post-it note on his monitor and you use his account without his knowledge? What about if you use it with his knowledge and agreement?


Yeah, the issue is a lot more ambiguous than my comment let on. If I had to make a determination, I would say any specialized technical knowledge or extra effort to access the resource would fall under the CFAA. So knowing of a default guest account that wasn't pointed out to you by staff, or finding the boss' password on a post-it note and entering it would count. Being given a superuser account is even greyer. Perhaps if you come across sensitive data in the natural course of your work, then you would be safe from this law. If you recognized your elevated privileges and then went out of your way to find sensitive information, then that should be a violation.


CFAA now is about violating technical controls, not policy controls. If policy says "Don't look at HR data", but nothing technically stops you from looking, it's not a CFAA violation to look.


> >Put another way, he didn't work around any computer controls to get at the information.

> That's irrelevant. You can do unauthorized things without having to "work around" controls.

You are conflating bypassing security measures (which in the digital world would be equivalent of lock picking) and abuse of trust (throwing a party and trashing the home of someone who trusted you with the keys to only feed the cat).


Authorization isn't just yes or no though. It's conditional on intent.

Say I give a neighborhood kid a key to come water my plants while I'm out of town. If they use that key to gain access and throw a party they're trespassing. I don't see why it should be different for a CPU


> Authorization isn't just yes or no though

For purposes of this law, it is. The Government agreed “that Van Buren ‘access[ed] a computer with authorization’ when he used his patrol-car computer and valid credentials to log into the law enforcement database” [1].

“The dispute is whether Van Buren was ‘entitled so to obtain’ the record.” The Court found that Van Buren was entitled so to obtain the record, in that entitlement is the operative word. If the file is electronically accessible to the user, they have entitlement to so, i.e. electronically, obtain it. They aren’t properly authorised or permitted or something else to it. But those weren’t the words used. "Authorized," unadorned, and "entitled so to."

[1] https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf


I know, but it doesn't make sense. It's like arguing the kid was entitled to throw a party because he had my key.


> like arguing the kid was entitled to throw a party because he had my key

Did he steal your key? Or did you give it to him? If he stole your key, he wasn't entitled to your house. But if you gave him the key, he had entitlement to it.

If this were a friend, not a kid, you might be able to sue her for throwing a party in your house without permission. You would not be able to get her charged with breaking and entering because she overstepped the conditions that came with your key.


B&E requires intent to commit a felony in my state. If we change the story to the kid using the key to rob me then yes he will get convicted of B&E (burglary in my state).


So if they come in with full intent to water the plants and walk off with your things, and do so, they'll be charged with "breaking and entering"? That really shouldn't be a valid charge. It should be pure larceny.


In that case no because they didn't enter with the intent to commit a felony.


You may not have caught the first-minute edit I made. Or I worded it badly.

Presume they had intent to water and steal at a felony level when they entered.


Then that's a crime. The innocent motivation doesn't wash away the guilty one.


If they walked through an already-open door with the intent to steal, entering wouldn't be burglary, at least not under the rules I'm used to.

If they had to break open the door, entering would be burglary.

Using a key they were supposed to have, to enter a building they were supposed to be able to enter? I would say it should be treated like the former case, not the latter case.

US law may not always agree with me, and apparently there are states where shoplifting can count as burglary. But I say stretching the definition that far is ridiculous.


Then he's not committing a crime because he entered your house but because he trashed your house. Therefore he can't be charged for breaking and entering but can be charged for destruction of property.


I dunno. If they use the key to gain access and throw a party, they probably aren't trespassing. Their guests might be. You might have civil cause against the kid, but if they clean up after the party and don't cause a nuisance or disturbance, there's not obviously a criminal act by the kid there. Maybe a conspiracy charge on the trespassing?


I agree with this decision, but I've always advocated my own personal test for whether access is 'unauthorized' or not.

Basically, I would say that unauthorized access should require some material deception to gain access. So if you socially engineer your way in, it's unauthorized--you lied to someone. If you use a computer virus, it's unauthorized--you lied to the computer to get it to execute that code, probably misrepresenting it as some other type of data. If they set the permissions wrong or it's just an AUP thing, it's not unauthorized access. Though, as here, it might be against the law for some other reason (violation of privacy or whatever).

This would avoid catching people out because someone set permissions to give too much access or wrote overbroad AUPs that shouldn't be turned into federal felonies, while providing a nice bright line because you can actually test whether, if not for the deception, they'd have been granted access to the system, especially the computer side of that. So the people who used anonymous FTP with a fake email won't become felons because it's easy to prove the system lets in everyone no matter what their email is set to, whereas the person using someone else's credentials lied to the system about who they are and should get punished, etc.

I think that my test would be consistent with this holding, but remember that this is merely my view of how the law should be. It's not a description of how the law is, it's something I would advocate that I believe provides a reasonable boundary between authorized and unauthorized access that's both clear and testable.


>Basically, I would say that unauthorized access should require some material deception to gain access. So if you socially engineer your way in, it's unauthorized--you lied to someone. If you use a computer virus, it's unauthorized--you lied to the computer to get it to execute that code, probably misrepresenting it as some other type of data. If they set the permissions wrong or it's just an AUP thing, it's not unauthorized access. Though, as here, it might be against the law for some other reason (violation of privacy or whatever).

Interesting test. What if you set your user agent to chrome instead of firefox and that grants you access to a website?


The CFAA requires you to have effective security measures, or something of the sort. I'm dubious a User-Agent filter qualifies, especially so if it's only filtering for the largest browser by market share.

Fwiw, from my readings of similar cases, this seems similar to how the courts read the law. Any access you can achieve without material deception is valid. There was a case on here a while back where a couple of reporters filed a FOIA request and the city accidentally put records not meant for release in the Dropbox folder. Reporters downloaded the accidentally-added files, city sued. The city ended up settling because it looked like the court was going to rule against them.

The court's logic was basically that by allowing access to the information, you have de facto authorized the user to access it. It would be impossible to tell whether you can legally access any information if the counterparty can give you access and then decide you shouldn't have seen it when you do access it.


Yeah, cases like this are a bit harder. Part of the idea is how important the lie is to gaining access. It is difficult to distinguish a relatively harmless lie like this, or claiming to have actually read the 1,000,000 page AUP, from someone impersonating another.


> What if you set your user agent to chrome instead of firefox and that grants you access to a website?

The website is at fault. This is no different than lying about your religion to bypass a discriminatory shop owner.


But where do you draw the line re: which type of "lie" matters?

A naive generalization might say that "lying" by setting a header = illegal. But clearly there is a difference between setting the Authorization header and setting the User-Agent header.

But what about headers that are not so well-defined? What about custom headers?

I'm not disagreeing with you, but these are the first questions that come to mind.

It seems that a judge would have to carefully consider the design of the system, and whether the vector that granted access was something that was clearly negligent on the part of the site owner, or was truly an attack vector and deemed illegal. But it seems difficult to formulate a universal test for this.


> But clearly there is a difference between setting the Authorization header and setting the User-Agent header.

No. If you falsify information indicating that you have authorization to access the site, it doesn't matter what header it's in. Conversely, if you falsify information that has no bearing on whether you have authorization to access the site, it also doesn't matter what header it's in.

You are either authorized to access the site (or URL, or whatever) or you are not. What tools you use to do so are only relevant if they cause you to generate accesses (eg network requests) that you are not authorized to make. By construction, configuring one tool to generate accesses as they would have been generated by another tool does not produce unauthorized accesses unless that other tool's normal accesses would themselves be unauthorized.


> Conversely, if you falsify information that has no bearing on whether you have authorization to access the site, it also doesn't matter what header it's in.

Ahh, but here's where things get tricky. Who decides that the information has no bearing on whether you have authorization to access the site?

Imagine a situation where a very poorly designed site allows "My-Obscure-User-Agent", but denies all other User Agents. This is obviously a horrible design, but if the intent of the developer was to authorize access to a specific set of internal clients, identified by a unique/non-standard user-agent, how would you classify the act of changing one's browser settings to send the accepted agent?

User Agent is a great example of something that has a pretty well-defined purpose (and that purpose has nothing to do with authorization), but has also been misused by naive or lazy developers to control access to sites.


> a very poorly designed site allows "My-Obscure-User-Agent", but denies all other User Agents.

> to authorize access to a specific set of internal clients,

Are you, the person, authorized to access the site? If yes, setting a User Agent header to "My-Obscure-User-Agent" is truthful (insofar as it bears on whether you (the person) are authorized), regardless of whether you are using the prescribed internal client. If you are not authorized, the use of said internal client doesn't change that.

Edit: as an analogy, suppose you took a job and your employer provided you with an uncomfortable uniform jacket which your employment contract stipulated you must wear when on the job. If you acquired a more comfortable jacket and dyed it to resemble the uniform, your employer would (arguably) be within their rights to refuse you access (blocking by user-agent), but if they let you in, that does not mean you have entered (the employee-only portions of) your workplace without authorization. Same applies to cars, phones, power tools, etc; you may have done something wrong by bringing them to work, but that something is not unauthorized entry.


I think the tail end of GP's comment answers your question:

> configuring one tool to generate accesses as they would have been generated by another tool does not produce unauthorized accesses unless that other tool's normal accesses would be themselves be unauthorized.

Therefore: When you generate a request that spoofs the obscure user agent string, it is authorized only if you were also authorized to use the obscure agent. The string is a secret like any other, even if it's a secret shared by the entire group of people who were provided with the obscure agent.

On the other hand, is it really a secret if the agent tells it to every server that the agent connects to? At some point it's not a secret if little care is taken to protect it (and the name of the header has some bearing on what care is taken, for example whether it ends up stored in clear text in access logs...).


> Therefore: When you generate a request that spoofs the obscure user agent string, it is authorized only if you were also authorized to use the obscure agent. The string is a secret like any other, even if it's a secret shared by the entire group of people who were provided with the obscure agent.

"it is authorized if and only if you were also authorized", but otherwise yes, exactly.


I originally wrote something like that, but removed it to fix wordiness. There's a difference?


  |  A  |  B  |A-only-if-B|A-if-and-only-if-B|
  |false|false|   true    |       true       |
  |false|true |   TRUE    |       FALSE      |
  |true |false|   false   |       false      |
  |true |true |   true    |       true       |
Arguably it's nitpicking (the unmodified statement is true, just less precise), but I like to say "exactly" when people rephrase my statements in a more/differently clear way than I managed to, and don't like to say false things.


I think your matrix depicts that [the hypothetical scenario where a person is unauthorized to spoof the obscure UA string, but is authorized to use the obscure agent] is allowed when saying "only if" but is not allowed when saying "if and only if" -- if I'm reading it properly. If so, and only if so, then I disagree with you; to me, the "if and" does absolutely nothing but add wordiness without changing meaning.

However, if the columns of your matrix were modified to compare "if" versus "[if and] only if" (where square brackets represent an optional component that does absolutely nothing), I'd agree with the logic, being analogous to the difference between OR and XOR (for the boolean sense of OR, not the English sense which is akin to XOR).


> if I'm reading it properly.

And now I'm not sure I'm not the one who isn't reading things properly. (And that sentence probably doesn't help matters.)

I'll point to (the "only if" part of) https://en.wikipedia.org/wiki/If_and_only_if#Distinction_fro..., which I think agrees with me and disagrees with you, assuming I'm not misreading one or both.


I would not say “no different.” Religion is a protected class[1], web browser preference is not. The law does not treat all kinds of discrimination equivalently.

[1] https://en.m.wikipedia.org/wiki/Protected_group


I don't know... some people are pretty fanatical about their web browser preferences.


That would arguably be wire-fraud (you lied over an electronic network in order to get some material gain).


I think the problem with the deception test is that if the login screen for the DMV database access had a checkbox that said "I am only using the system in a way consistent with department policies" or something, then you could argue that checking that box was deceitful.

I think Congress' intent with the CFAA was to criminalize hacking. There are already laws against fraud, so we don't need a deceitfulness test to catch, say, social engineering. The problem I think is that the CFAA was written in 1986 and not enough people understood what hacking was well enough to write it down clearly in the law, so instead the "excess of authorized access" language is in the law, and has been used to criminalize lots of things that aren't really hacking and Congress didn't intend to criminalize with the CFAA.


I think that is a real worry and you're not wrong that that's a hard test to pass. I just wish for a brighter line over what 'unauthorized' means and it's hard to do that in a way that doesn't let companies write AUPs that effectively define the scope of criminal laws in some way.


The decision talks about a gates-up-or-down analysis, which seems like the seed of a reasonable test: when the gates are up, entering a restricted area isn’t criminalized; when the gates are down, picking the lock or finding a hole in the wall is criminalized.

I haven’t read the decision closely enough yet to see how well developed that idea is.


What if I, as your employer, say "you're not authorized to look at records that haven't been assigned to you" and you then look at a record that hasn't been assigned to you - is that unauthorized access?

edit: I certainly don't agree that the distinction between access to a file in a file cabinet and a record on a computer should be significant. I think it's a dumb law. But the unauthorized access test is straightforward. If I work at a company that disallows internet browsing other than for work purposes and I visit my facebook page, I think that's a clear case of hacking under the "authorized access" test, and my only real defense would be that I needed to check facebook for work.


>is that unauthorized access?

Yes. And SCOTUS's problem is that they think the punishment for visiting facebook at work shouldn't be the same as the punishment for stealing company records - and that's fine, and of course something I agree with. But SCOTUS should actually address that directly, rather than going down this weird path of trying to warp the definition of "authorized".


> rather than going down this weird path of trying to warp the definition of "authorized".

I don't think they are. I think SCOTUS is looking at this, as is their wont, from a legal perspective.

We have two legal systems: civil and criminal. Both of them have the concept of "authorized." What SCOTUS has said here is that whether or not something is unauthorized may be a civil tort claim--you broke a contract--versus a criminal offense--you broke the law.

That seems to be the knot everyone is trying to untie here. It's not illegal for me to break a contract with someone. It is illegal for me to break the law.


That is "hacking" the same way opening an unlocked filing cabinet you were told never to look in is "lockpicking".


That isn't "hacking" as defined by the CFAA (according to this ruling). It's certainly not following your employer's policies, but your employer policies should not rise to the level of potential federal criminal prosecution.

Now, if your employer put software on your machine or on their network that prevents you from viewing Facebook, and you work around that restriction, it could be argued that you have now "hacked" their network and gained access you were not authorized to have.

The distinction is pretty clear in the ruling - if you have access, you can do X without it being considered a violation of the CFAA (doesn't mean you can't be fired, or prosecuted for other crimes leading from the actions, or other repercussions). If you don't have access, and you figure out a way to gain access, it is now a violation of the CFAA.


I'd say that should only be fraud if you lied to get access, I don't agree with interpretations that allow any random AUP to create new felonies.

Don't get me wrong, I understand how that can be straightforwardly interpreted as "unauthorized access." I'm advocating for what the law should be, in my view. The idea is to make a bright line that gives a test for mens rea to avoid over-criminalization while not being too unreasonable. I'm sure there could be scenarios I haven't thought of that would turn out poorly.


> Basically, I would say that unauthorized access should require some material deception to gain access.

This seems like a poor definition, IMO.

For example, what if I tell you I'm going to club you over the head and get access to the computer you're on. And I do so. There was no material deception. I did exactly what I said.

Another example is what if I just walk around the counter while you're not there. There is no one around to deceive.


> For example, what if I tell you I’m going to club you over the head and get access to the computer you’re on. [...] There is no material deception.

Then there’s no hacking and you should be charged with assault or whatever else is appropriate.

> Another example is what if I just walk around the counter while you’re not there.

Then it doesn’t matter if there was an unlocked computer or an unlocked cabinet behind that counter.

There doesn’t need to be, for every illegal act X, an extra special law or punishment for “X but a computer was involved”.

People want a criminal penalty for hacking and maybe they’re right, but you shouldn’t try to cover every undesirable act that involves a computer with a single law any more than every undesirable act that involves a piece of paper is covered with one. You also shouldn’t claim that breaking down a door is the same as walking through an open one, even when both constitute (among other things) trespassing.


This is the frustration I have with things like "cyberbullying laws".

I mean, sure the usual "plain ol' bullying laws" might need an update to keep up with the times but a whole separate set of laws just to capture "but it used a computer" is silly.

Mind you, I also have a thing about professional sports breaking out into punchfests. They should get prosecuted for assault or whatever just the same as anyone on the street.


> For example, what if I tell you I'm going to club you over the head and get access to the computer you're on

That's either a true threat, or assault and battery. It only becomes computer fraud if you fraudulently use my credentials to access the computer.

> Another example is what if I just walk around the counter while you're not there. There is no one around to deceive.

That's trespass, not computer fraud.

There's more than one crime on the books. Saying that something isn't computer fraud isn't claiming that all those things should be legal.

Like in this case, I think it should be bribery more than computer fraud.


> That's trespass, not computer fraud.

Why is that trespassing? There's no sign that says I can't go behind the counter? In fact, in many cases you can go behind the counter, just you aren't expected to jump on their computer. The problem isn't that I'm behind the counter. The problem is that I'm using a computer I'm not authorized to use -- it's just whoever set up the computer didn't set up an authorization gateway.

But really, access to the computer isn't fraud. It's what you do once you're at the computer that matters much more. It's authorization for the action that matters, not access authorization.


There’s actually an argument to be had around how illegal this should be.

Let’s take computers out of the picture again. Suppose I know that an organization O throws out folders with sensitive data D into the trash can in their publicly-accessible lobby every Friday at 3 pm. People that want to know D pay me to come there at 2:55, root through the can and write down the pieces that they need.

Should what I am doing be illegal? Whatever your answer, is it in any way different from walking around that same lobby sniffing O’s open Wi-Fi network except for “computers were involved”?


So how is this any different than my front door if I don't lock it? Can you just walk around in my house if the door is unlocked? Trespassing doesn't depend on doors being locked or not. The act of trespassing (and most crimes) doesn't depend on the victim setting up a suitable defense before what you've done is a crime. Even things like sex require some sort of consent (implied or otherwise) or it's a crime.

Can I walk into a bank and take all the money from the vault if they leave it open? But yet somehow with a computer that isn't yours you seem to be stating that if you don't properly protect it then access to it by anyone who happens upon it is completely legal.


> Why is that trespassing? There's no sign that says I can't go behind the counter?

You wrote it as if it's somewhere you're not authorized to be, e.g. an Employees Only section which would tend to be trespass. If you are authorized to be there and they leave records out that they shouldn't, I think that failure is on them and they need to improve security.

If someone leaves a database of everyone's personal details on an open webserver, that doesn't become hacking or computer fraud if someone visits the site. I mean, I don't think it should be true that I could say "you, specifically, aren't authorized to read this post" and have that morph into a federal felony.

In my view, there has to be at least some kind of notice that someone is crossing a criminal boundary. I think lying makes a decent, if imperfect, boundary. It's possible that someone can think of something better, too.


But then that would be considered hacking only if you used an axe.


Presumably the argument is that you are "deceiving" the computer into thinking that you are the person whose head you clubbed, or who walked away from the counter.


Only if the computer had some type of technical authorization associated with it.


I wonder if the negative commenters are unaware of the history of CFAA prosecution abuse, and are coming at this for the first time only through this case.

This is very, very good news.

https://www.eff.org/deeplinks/2020/01/eff-asks-supreme-court...

https://www.eff.org/deeplinks/2021/06/supreme-court-overturn...


> I'm surprised at the negativity here.

If this were not a ruling in favor of a police officer, I feel that you would see a much more positive response. The past few years of political craziness have warped people's minds where they can't recognize a good thing anymore.


Perhaps the ruling is correct because the judges went out of their way to save a police officer, but would not provide others the same courtesy. But I'm only speculating.


I don't find either side's arguments particularly compelling in this case; they all look like legalistic sophistry to me more than anything else. I think the fundamental problem is that the CFAA is bad law, which means that there will be reasonable arguments on both sides any time it comes up in a court case. What should really happen is that the law should be changed.


> What should really happen is that the law should be changed.

And the way to make that happen is by limiting the scope of the law as much as possible, in order to force law makers to rewrite it. Which is what has happened here. If law makers did intend the rejected interpretation, then they should rewrite it to clarify such.


> the way to make that happen is by limiting the scope of the law as much as possible, in order to force law makers to rewrite it.

I doubt that will actually happen, though. Our system basically assumes that laws will be written to be vague and ambiguous, and that courts will clarify the interpretation over time. I don't think this is a very good way to run things, but it seems to be the way we've settled on.


Maybe. But it's a pretty strong component of the interaction between legislature and judiciary. Ambiguity should be resolved to make fewer things criminal. And then the legislature can disambiguate if they deem it important enough business to do so.

https://en.wikipedia.org/wiki/Rule_of_lenity


Yep, I think this was a small win for the opponents of CFAA but this is a total show of force of the supreme court. This law is famously broad and to interpret it in its literal sense would mean the mass majority of the nation would be federal criminals (they point out some of the scenarios in the article).

Instead of law makers fixing the problem, the supreme court is effectively reading between the lines. Luckily IMHO they are doing the right thing here and will put this particular employer based scenario to rest.

Now to clarify on the countless other holes in the CFAA...


It's almost as if textualism is just an excuse, and not actually a coherent legal view...

I have mixed feelings on the ruling. It sounds to me like a crime did occur. But the CFAA is also overly vague... Without reading the details of the case and the statute, it's hard for me to be sure what to think here.

I guess looking forward, this will force police departments and others to be more explicit in their access policies, which it sounds like here there just wasn't any?

I guess that's a win?


As opposed to the very coherent legal view of a "living constitution"? Because sure, textualism can seem arbitrary at times, but it at least tries not to be. I don't understand what's more coherent about judges basically ignoring or rewriting the laws in whatever way they want, and do it openly under the pretext that they felt like "things just change bro, society is just different now & they didn't mean what they wrote anyways"

It sounds pretty harsh but to me it boils down to this: while textualism can lead to excesses & dubious interpretations by judges... The alternative can lead to any interpretation since it surrenders the entire judicial process to the judges while hoping they won't go too far because they just wouldn't dare?


That is in fact exactly the problem with strict textualism: It's actually not that strict.

I am sympathetic to the criticisms of the "living document" ideology. It's populism masquerading as jurisprudence. Or, as Scalia put it, it's no philosophy at all.

HOWEVER, textualism is not as clean as its advocates will argue. Case in point: The post-Civil War era Supreme Court (the so-called "Redeemer" court) went out of its way to essentially dismantle legislation aimed at protecting minorities in the name of textualism.

This was the origin of hate crime legislation, which came about because of jury nullification, essentially.

Consider the aftermath of the Colfax massacre [1]:

> This decision, in United States v. Cruikshank, the legal historian Lawrence Goldstone argues, provided a guide for the campaign of racist terrorism that would suppress the black vote and enshrine a white man’s government for generations. “The Colfax defendants would have had to announce their plan to violate their victims’ rights on account of the color of their skin in order to be culpable,” Goldstone wrote. “Justice Bradley had thus communicated to any Redeemer with violent intent that to avoid federal prosecution one need simply to keep one’s mouth shut before committing murder.”

[1]: https://www.theatlantic.com/ideas/archive/2018/09/redemption...


I agree with this comment. In my opinion there should be stronger laws regarding the misuse of police power, but those can be implemented at the state level; the extension of the CFAA to that is dangerous. One key point in this document:

> The Government’s interpretation of the “exceeds authorized access” clause would attach criminal penalties to a breathtaking amount of commonplace computer activity. For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA. The Government speculates that other provisions might limit its prosecutorial power, but its charging practice and policy indicate otherwise.


They charged Swartz under many more things than just the Computer Fraud and Abuse Act. Just check out the list here: https://en.wikipedia.org/wiki/Aaron_Swartz#Arrest_and_prosec...

- two state charges of breaking and entering with intent to commit a felony

- wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer

- breaking and entering with intent, grand larceny, and unauthorized access to a computer network

- federal prosecutors filed a superseding indictment adding nine more felony counts, which increased Swartz's maximum criminal exposure to 50 years of imprisonment and $1 million in fines


Agreed.

My initial reaction to the headline I read was anger that an officer got away with abusing his power. But upon learning the details, it's clear that a CFAA violation is an inappropriate charge here.


> measure was "unauthorized"

While I agree with your assessment, it was not just "unauthorized", it was straight up corruption. Making an agreement to accept a $5000 cash payment from some sketchy dude to look up a third party's accessible-to-law-enforcement only details. The guy should have been prosecuted under various existing corruption statutes and not the CFAA.


I am loath to defend agents of the government, law officers or otherwise; but I have to agree with the decision here.

Van Buren violated department policy, and perhaps other laws in his conduct. But he did not gain unauthorized access to a system. He already had authorized access - he just used it improperly.

Similarly, if I were granted access to my company's production database to perform some kind of operation that required me to read/write data, and I used that privilege to access financial records of customers, I would certainly be violating my company's policy and likely some privacy and financial laws. But it would not be gaining unauthorized access, as I was explicitly granted access to that system - just for a different purpose.


I guess this is the part that matters most?

"We must decide whether Van Buren also violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them"

Thomas, Alito and Roberts dissented, and I hate to say it, but I agree with them.

"The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have “exceed[ed] authorized access” to the database when he used it under circumstances that were expressly forbidden? In my view, the answer is yes. The necessary precondition that permitted him to obtain that data was absent."

That's Thomas dissenting.


I very much feel their ruling is correct. The CFAA is intended to target "hackers," not policy violations.

Here's a quote from the ruling making the point that applying the law to something like access policy is far too broad to be viable

> The Government’s interpretation of the “exceeds authorized access” clause would attach criminal penalties to a breathtaking amount of commonplace computer activity. For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA. The Government speculates that other provisions might limit its prosecutorial power, but its charging practice and policy indicate otherwise. The Government’s approach would also inject arbitrariness into the assessment of criminal liability, because whether conduct like Van Buren’s violated the CFAA would depend on how an employer phrased the policy violated


I agree that the ruling is correct. The officer was granted the accesses he had, and he was fully authorized to use them. He violated a department policy by using his access improperly. The government wants to turn policy violations into a felony, and even set up a sting operation in this case to get a felony conviction. The officer should be disciplined/fired/etc. for violating department policy, but the CFAA should not be used to turn him into a felon.


The problem is that the officer is corrupt, and he should be charged for taking a bribe. I don't think corruption is "just a policy violation", but I don't know enough about US law to know if taking bribes makes you a felon or not (I would hope so, but I assume it depends on circumstances).

In any case, it shouldn't matter that he used a computer to commit a crime. If he had gotten the relevant information by reading them from a paper file or by asking a coworker the crime should be the same, in my opinion.


But then he should be charged under the set of laws pertaining to bribery or corruption. I don't think anyone here disagrees with that. The question is should this crime of corruption get a massive additional penalty specifically because it was committed on a computer.

The supreme court says that this law has a purpose: to catch people who gain unauthorized access to computers. If laws are interpreted too broadly, they can be used to overcharge people. The example given by the supreme court is that if this law covers unauthorized use of a computer you are authorized to have access to, then sending a personal email on a work computer can be a felony.


One thing that's weird about the Justice system is that there are so many laws. I agree that what the police officer did should be a crime, but it seems like there are potentially many ways to slice it. Maybe it's bribery, stalking, sharing privileged information, prior to this ruling CFAA, maybe other crimes too.

If you add up all the crimes that may have been committed here it seems like the punishment gets pretty severe. Even 18 months in prison for this already seems severe to me. I would think justice is more like getting fired, fined, and community service rather than prison.


I think that what the officer did is likely illegal for other reasons. So this ruling doesn't mean the officer deserves no punishment, it just means they committed some other crime than unauthorized access to a computer system.


>and he was fully authorized to use them

This line is the crux, and the problem is that "authorized" means subtly different, yet critically important, things to different people.

The officer was surely "authorized" in the sense that he had technical authorization to log into the system and accomplish the task.

But in the sense that "authorization" is defined by more than just technical controls, and also has to do with many dynamic situations that technical controls can't often restrict (or just aren't in place), it doesn't sound like he was "authorized".

Think of walking into a restaurant and they have a sign that says "Employees Only Behind Counter". Even if there was no technical/physical control preventing you from going behind the counter (eg there was no locked door or anything like that), I think it would still be understood that you as a customer do not have "authorization" to go back there.

In my experience as a security consultant, my technically-minded clients typically think of "authorization" as the first way, defined by technical controls and thinking that lack of technical controls in a system means they have carte blanche to do whatever they want with that system. But my experience with anyone outside of tech is that they don't think of it that way at all, and that just because you have the physical/technical ability to do something does not make it okay to do that.

"Authorization" is an overloaded term and the CFAA suffers for it, but personally I do not think an average person would think the officer was "authorized" to do what he did, even if he did have the technical access to do it.

The points about "average employees technically violating the CFAA by doing stuff like reading the news on their work laptop" are valid concerns and I think they need to be resolved, but I think that is a completely different concern than someone like this officer abusing their access for legitimately bad acts.


I like your restaurant analogy but I draw the opposite conclusion. Imagine a restaurant which has a sign saying, "You must be dressed appropriately to enter - no shoes, no socks, no service." A family goes in to dine. About halfway through their meal, the cops come and arrest the father. Turns out, although nobody noticed at first, he wasn't wearing socks, and was therefore trespassing according to store policy. Is that fair though? It's one thing to ask the family to leave, but should the father be charged with an actual crime for unauthorized entry?


And at worst he's guilty of trespass, not breaking and entering.

If there were a filing cabinet that he had keys to, he wouldn't be charged with breaking into the cabinet if he grabbed the wrong files. What's the penalty for using the wrong physical file he has direct access to? That's what we should be talking about.


You're right about a lot of that, but there are huge problems with making mere policy violations into federal felonies. We want to stop people from hacking stuff, but at the same time, we can't do that by giving every random company the power to make things into federal felonies via their own complex and often-ignored rules.

I posted up thread too, but my own personal view is that unauthorized access should hinge on whether the person used deception to obtain access. That provides a clear separation between lawful and unlawful conduct without giving private parties the power to define new felonies.

With computers, I don't think that the proverbial "employees only" sign on a load of private data means anything and the incentive should be on the business to provide a proper access control there. Meanwhile, if they add a guard who asks "are you an employee?" and you lie to them to get access, I would say you're unauthorized.

That gives us some semblance of mens rea while not going too far in any direction, I believe.


>Think of walking into a restaurant and they have a sign that says "Employees Only Behind Counter". Even if there was no technical/physical control preventing you from going behind the counter (eg there was no locked door or anything like that), I think it would still be understood that you as a customer do not have "authorization" to go back there.

But if a customer was invited back there because they said they wanted to thank the chef? They're told not to touch anything, they touch something. Do we view that touching something as breaking the same rule as someone who just walks back there uninvited or is it another rule they are breaking?

I can definitely see arguments for both views. Especially compelling to me based on the analogy is once you've taken the first unauthorized by policy action no other actions other than leaving would be authorized though this interpretation would lead to its own absurdities.


I would hope that there are stronger protections against such abuses of authorization. What if a police officer (or system administrator, etc.) sold information about a potential victim to a criminal that resulted in physical or financial harm to said victim?


That is / should be illegal on its own, the fact that the information was obtained through a computer system instead of a paper file doesn't change anything in your example.


I'm absolutely fine with him being charged with a felony, as he is a corrupt government official, I just don't think that felony should be hacking.


"The CFAA is intended to target "hackers," not policy violations."

However, they also explicitly write that they're not addressing that distinction (footnote 8 on page 13, to my best ability to parse it). There's some semantic gap between "policy violations" and "improper motives".

"For present purposes, we need not address whether this inquiry turns only on technological (or “code-based”) limitations on access, or instead also looks to limits contained in contracts or policies. Cf. Brief for Orin Kerr as Amicus Curiae 7 (urging adoption of code-based approach)."

I discovered this nuance from Orin Kerr's twitter (the same one cited in this footnote); he says he's not confident he understands this footnote.

https://twitter.com/OrinKerr/status/1400461828807741455


I don't know if it can always be avoided, but I think it makes sense for a court to try to avoid the code-based approach.

It seems to be all downside (exploiting bugs will typically be OK because the code said this was OK, even if the people who wrote it never intended that) with no upside (the things rendered illegal already don't work, because code forbade them).

Courts ought to be familiar with the fact that they're present mostly to make decisions about fuzzy things like "Did the accused intend to cause harm to the victim?" and not simple mechanics like "Does being injected with cyanide kill people?".


I agree, I don't think it can always be code-only. If you socially engineer someone into giving you an account, I really think that should be fraud.

I've thought about this for some years now and looked at various different cases tried under the CFAA or otherwise claimed to be unauthorized access.

I personally believe it should turn on whether or not you used deception as the means to gain access. That is, but for your deception, would you have gained access?

This, in my mind, proves they were up to no good (mens rea) and acts to make it clearer whether or not you were authorized. It also connects to the idea that the law is meant to counteract a type of fraud in general. I mean, how can anyone say they had authorized access if they had to lie to gain access?


>I very much feel their ruling is correct. The CFAA is intended to target "hackers," not policy violations.

ok, but devil's advocate for a second - much hacking is actually just lying to people to get access to things you shouldn't have access to - so pretty much closer to policy violations than the stuff most people associate with 'hacking'


That's fraud and it's always been illegal.


CFAA stands for "Computer Fraud and Abuse Act". The entire purpose of the law is that it addresses that type of fraud.


I believe this would still be covered by the first clause, the one not even being argued in this decision.

> Subsection (a)(2) specifies two distinct ways of obtaining information unlawfully—first, when an individual “accesses a computer without authorization,” §1030(a)(2), and second, when an individual “exceeds authorized access” by accessing a computer “with authorization” and then obtaining information he is “not entitled so to obtain,” §§1030(a)(2), (e)(6).

I fraudulently obtain and use credentials to a system which authorize another person to access it. I am still "accessing a computer without authorization", because those credentials never authorized me.

This starts to get really fuzzy if I fraudulently have credentials explicitly granted to me...


But let’s say you called someone on the phone and lied to them to gain access to a computer system, you committed wire fraud doing so. It’s just a different crime because the thing you did wrong involves lying on the phone.


If you obtain access using somebody else's credentials through fraud, YOU are not authorized. Thus you are violating the CFAA.


Obtaining access through fraud is fraud. Why do you need to morph one crime into another?

Think Breaking and Entering requires breaking in. If someone gave you keys under false pretences, that's a different crime.


I don't agree.

I think the other judges have the better reading of the specific language of the text. Thomas, Alito, and Roberts don't even take their dissent on the interpretation offered by the Government, but have to craft their own—extremely broad—interpretation of "entitled".

Since I think the opinion (at least, the little bit of it that I've skimmed) makes a fairly compelling case around the majority's interpretation of the words "so" and "entitled" I won't rehash that here. But, if we back up to the purpose and intent of the legislation, I think this outcome also better aligns with that.

The CFAA was designed to curtail the unauthorized use of computers. To make it illegal for people to deliberately circumvent the security measures built into computers to obtain information or cause other harm. If I hand you a computer, tell you the password, and ask you to login to my computer and respond to an email for me, but then ask you not to look in the `Taxes` folder on the desktop should it be a felony for you to open the `Taxes` folder? That conceptually feels wrong to me. I have violated your trust, sure, but I haven't committed fraud, and I haven't abused any access control mechanisms on the computer.

Or another scenario: your work gives you a work computer, and has a paragraph in the employee handbook that says you are never allowed to visit news.ycombinator.com on the work computer. At some point while working at the company, you visit news.ycombinator.com on the work computer. Have you just committed a felony? You've "exceeded the authorized access", if you interpret "entitled" and "authorized" as broadly as Thomas, Alito, and Roberts seem to. Should that really be a felony?

That interpretation leads to such a massive broadening of felony criminal liability. It doesn't gut-check for me. That, combined with what I perceive as the better textual reading of the phrases "so" and "entitled", I have to disagree with you. I think the other 6 justices had the better argument at multiple levels.


That interpretation leads to such a massive broadening of felony criminal liability. It doesn't gut-check for me

I agree with you, it totally fails the gut check, but it is because the law is poorly written. The Supreme Court bailed out the lawmakers by winging it here. The minority opinion is the worse, but more accurate plain reading of the law.


The alternative would be declaring the act void for vagueness. A statute that "forbids or requires something in terms so vague that men of common intelligence must necessarily guess at its meaning and differ as to its application" violates the constitutional provision of due process. So the SCOTUS ruling makes sense in terms of choosing the least disruptive option wrt. general expectations.


Not really. I would just read the word "fraud" in the very title of the act and decide that means that whether or not the access was unauthorized depends on whether you lied to gain access.

I won't claim that test is perfect, but it's a lot clearer than the current standards and when I go through past cases, I don't see it coming to any indefensible conclusions.

Yes, that would agree with the majority holding in this case. It's important to note that even if they didn't violate the CFAA, they likely broke plenty of other laws and can be punished for that.

So this conduct absolutely deserves to be punished, just not under the CFAA.


Well, that ignores the part where I agree with the textual reading and interpretation of the majority.

I think the majority opinion is also the more accurate plain reading of the law. So, from my perspective, no bailing out is necessary. The gut check and the plain reading both seem to align.


intentionally accesses a computer without authorization or exceeds authorized access

Did he exceed authorized access? He did, and therefore he broke the plain reading of the law. The law should be better, and separate violating access controls from violation of access policy, but it doesn't.


> Did he exceed authorized access?

He did not. He was given a level of authorization that he did not exceed.

The problem, again, is in the ambiguity of the word “authorized” that allows multiple plain readings.

To me, it’s absolutely plain that “authorized access” refers to system authorization (that is, what the computer tells the user their permissions are), and “exceeds authorized access” refers to bypassing the system authorization limits. That’s absolutely the plain reading to me.

To you, you read “authorization” as “policy authorization” (that is, where another human tells you what your permission levels are).

The fact is, there are multiple kinds of “authorization” involved in this case, which means different people can have different plain readings of the statute. While your reading seems obvious to you, it seems strained to me. My reading might be strained to you, but it’s obvious to me.


Since they didn't specify what type of authorization, the plain reading is that it covers all types.


> the plain reading is…

No, that’s not quite right.

*To you* the plain reading is what you say. To *other* people the plain reading is different.

I, for example, don’t think the plain reading of something typically involves taking the union of definitions for each word in the sentence. To me, most plain readings involve selecting the single most appropriate definition for a word based on the surrounding context.

My point is that there isn’t an objectively correct “plain reading”. You are not the arbiter of what a plain reading is, nor am I.

Would you agree that different people can read the same sentence and in good faith have a different understanding of what “the plain reading” is?


For the requisite car analogy: one is like a mechanic taking your car for a joyride after you give them the key, the other is a stranger taking it for a joyride after breaking in and stealing it out of your driveway.

One of them is misusing a car that you gave them access to, the other one is stealing it.


That's because you're assuming the stranger doesn't return the car. If your mechanic takes your car for a joyride after you give them the key for purposes of repairing your car, and a stranger steals my car when I'm not using it and brings it back before I notice it's missing, I don't understand why one is any different or worse than the other.


In my jurisdiction, a mechanic who takes a car for a joyride is committing a class A misdemeanor (unauthorized use of a vehicle in the third degree)

ref. https://codes.findlaw.com/ny/penal-law/pen-sect-165-05.html

In other jurisdictions (like, say, New Hampshire), that same case falls into the definition of theft.

http://www.gencourt.state.nh.us/rsa/html/LXII/637/637-9.htm


> but then ask you not to look in the `Taxes` folder on the desktop should it be a felony for you to open the `Taxes` folder? That conceptually feels wrong to me. I have violated your trust, sure, but I haven't committed fraud

You accessed privileged information that you were explicitly not allowed. To me, asking you not to look at certain information is effectively the same as putting a password on it, then having you break it. In both cases, the intent of the owner is clear: do not access these files. And in both cases, the actions of the perpetrator very clearly disregard the owner's intent.

Your example about accessing a website is not the same. It's pretty clear that the person going to news.ycombinator.com is not stealing or accessing privileged information. There have been separate rulings dealing with whether or not employees can use corporate equipment for personal reasons.

A more analogous example to the case at hand would be an employee at Google/Humana/Tinder selling your private details to a third party. This ruling means that such activity is perfectly legal, even if the terms of their employment state the opposite.

Unless, of course, the only reason the court ruled in favor of this person was that they are a police officer. But I guess we have to wait until the FBI attempts to press charges against someone at Google selling personal details to third parties to find out.


> A more analogous example to the case at hand would be an employee at Google/Humana/Tinder selling your private details to a third party. This ruling means that such activity is perfectly legal, even if the terms of their employment state the opposite.

No, this isn't what this means at all. This ruling just means you haven't committed a crime under the Computer Fraud and Abuse Act by accessing that data if you didn't "hack" to get access to it. Depending on the information you sold, you could've violated other laws and you definitely violated the Non-Disclosure agreement you signed with those companies.

For reference, the cop in this case had other convictions under wire fraud laws that weren't changed by this.


> To me, asking you not to look at certain information is effectively the same as putting a password on it, then having you break it.

To me, they are not effectively the same at all. I see there being two different types of "authorization" at play. One is a mechanical authorization built into the computer systems (a password, for example). The other is a policy authorization, built into how I convey to you what is "allowed" on the system. They seem fundamentally different to me.

To 6 justices on the Supreme Court, they are not effectively the same thing either. To 3 justices, they are. The ambiguity of English is definitely annoying when we get into the nitty-gritty of laws!

> A more analogous example to the case at hand would be an employee at Google/Humana/Tinder selling your private details to a third party. This ruling means that such activity is perfectly legal, even if the terms of their employment state the opposite.

That's simply not what this ruling holds. That would be an accurate summary of this ruling if and only if the CFAA were the only law that exists in the United States Code!

"Legal" is also an ambiguous word in this context. Such an activity may break other laws, or it may not. I'm not familiar with what other criminal liability may attach to such behavior. But that activity almost certainly would be a civil violation. I would potentially be able to sue Google/Humana/Tinder (though there's a chance their privacy policy already gives them the option to sell my information). And Google/Humana/Tinder could certainly sue the rogue employee for damages caused by such a sale.

If Google/Humana/Tinder wanted to go further to protect themselves from bad-acting employees, they could use actual access controls (instead of mere policy) to restrict the ability for employees to access such data and only give access to employees who need such access. While it's certainly not the thing a Supreme Court ruling should hinge on, it's a nice added bonus that this gives a further incentive for companies to implement actual least access control rather than just making it a policy.


> If Google/Humana/Tinder wanted to go further to protect themselves from bad-acting employees, they could use actual access controls (instead of mere policy) to restrict the ability for employees to access such data and only give access to employees who need such access.

I'm pretty sure the exact fact that Amazon did not appropriately restrict access in this way is one of the points being considered in the antitrust case. Specifically, that people who shouldn't have been able to, and who shouldn't have by policy, still could access seller data.


>There have been separate rulings dealing with whether or not employees can use corporate equipment for personal reasons.

Such rulings are about different laws. The government's interpretation would criminalize violating a protected computer's terms-of-service regardless of whether it is part of a corporate intranet or an ordinary website on the Internet. And yes, the government has pursued criminal charges for violating a website's ToS; see United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009).

>A more analogous example to the case at hand would be an employee at Google/Humana/Tinder selling your private details to a third party. This ruling means that such activity is perfectly legal, even if the terms of their employment state the opposite.

As to Humana, it would likely be a criminal HIPAA violation.


> A more analogous example to the case at hand would be an employee at Google/Humana/Tinder selling your private details to a third party.

That's not a realistic example because something like that would be covered by an NDA or alternatively, if in EU or California, by data policies.


Judges interpret ambiguous laws narrowly to avoid criminal liability, as you say.[1] Three justices dissented though, I take it, because in their view the words weren't ambiguous, even if leniency would have been the better public policy.

[1] https://en.m.wikipedia.org/wiki/Rule_of_lenity


I initially agreed with Justice Thomas's viewpoint but you really make it clear that he is wrong.


> "This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them"

I think this would have acquitted Aaron Swartz (though he likely would have been acquitted anyway since they didn't even allege improper motive iirc).

In his case he accessed journals that were available to him via MIT's open network. There is the second issue of his trespassing in a closet to leave a laptop on the network, but that would have been minor when compared to the string of felonies they charged him with which was tied to the CFAA.

This seems like a good restriction to me at first glance.


Do you think people will be able to acknowledge that predisposition to suicide is what killed him and not the gravity of the DA obsession to convict him? The US doesn't have the most people in prison because long sentences caused everyone to kill themselves first, it's because people do the time.

I just see so much focus on needing to identify a catalyst (which doesn't affect most people) instead of the pre-existing mental health issue of the person. I think this hampers the necessary conversations to be had on suicide.


> "Do you think people will be able to acknowledge that predisposition to suicide is what killed him and not the gravity of the DA obsession to convict him?"

This is itself presumptive and I think largely wrong. Like most things it's a combination of factors. No doubt Aaron was struggling with depression, but facing federal prison with a trial defense costing $1.5M (even if acquitted in the end) is enough pressure to break even an otherwise healthy person.

I don't understand the need for people to frame this as you are.

I suspect Aaron would be alive today if the prosecution had shown some discretion. In this specific case, it would also have been the right/just thing as well as the legally correct thing.


> I don't understand the need for people to frame this as you are.

Then perhaps the bigger issue, to me, is that this level of analysis is not given to other people, where it should be as well.


On that we agree - if there's one thing in short supply on the internet, it's nuance.


Look up the eggshell doctrine. From wikipedia: The rule states that, in a tort case, the unexpected frailty of the injured person is not a valid defense to the seriousness of any injury caused to them.


this wasn't a tort case, it was a criminal case

even if the family sued the state civilly there would be nothing for the state to defend against


I don't see the need to assign a single cause to a given event, to the exclusion of all others. Most events that occur have multiple causes, with varying degrees of importance.


people are misattributing the most important one, then:

planning and following through with the action incompatible with maintaining a consciousness on this plane of existence.


Because a catalyst can be made political. A person's mental health (as of yet) cannot.


My initial reaction was to agree with you, but based on my reading of the law I actually have to support the majority opinion: https://www.law.cornell.edu/uscode/text/18/1030#e_6

(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;

The language here is relatively narrow. Nathan did "access a computer with authorization", and he didn't obtain information that he was "not entitled so to obtain or alter".

He may have obtained it for a purpose that was expressly forbidden by the department policy, but he was permitted to obtain the information in and of itself. To qualify as being "under circumstances that were expressly forbidden", I think it would have to be a situation wherein he wasn't allowed to obtain the information in general, e.g. if he were only allowed to access it within certain hours or with a superior present.

It's like the difference between giving someone your phone (which, for the sake of argument, qualifies as a "protected computer" in this scenario) and telling them that they can go through your photos so long as they don't take out their own phone and photograph any of them, and telling them that they can only open your photos while you're watching.

It would be extremely rude in either case to secretly take your phone and exfiltrate your photos — and may even still be a crime in and of itself (and/or lead to follow-on crimes) — but I wouldn't consider the former to violate this particular law.


The court's hypothetical is useful:

> For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA.

Accessing data for a forbidden reason should be a fireable offense, but not criminal. So if Thomas is right, it's a very bad law.

I'm not sure I agree with him though. I think if you asked an average person, they might say something like "yes I am authorized to access that database, because I have credentials, but I'm not supposed to without a good reason". I don't think there is a single plain English reading of this phrase that any large group of people would agree on.


The heart of this is the difference between legal authorization vs technical authorization. Legally, it is (or rather, used to be) OK to say "you have access to data X for purpose Y." While the technical controls could not enforce restrictions on the purpose, it was understood that purpose limitation was valid. There was an understanding that technical controls are only an approximation of policy, and it's the policy that has legal weight when determining what access is authorized.

Hopefully this particular case also runs afoul of other laws. Like something about granting access to unauthorized individuals, which is what the defendant was doing (selling government data). That can, and perhaps should be, separately illegal from accessing data for improper purposes.
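The gap the comment above describes (technical controls only approximate the policy, and the policy carries the purpose limitation) is also the gap a system owner can narrow, which is the point made earlier in the thread about using actual access controls rather than mere policy. The following is an added example, not code from this thread or from any real records system: a plate lookup gated both by role and by a cited case the user is actually assigned to, with every attempt audited, followed by a review pass over the audit trail for the pattern the gate cannot block on its own (one case cited as a blanket justification for many lookups). All role names, case numbers, user names and plate records are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample data for this example only; not a real system.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "patrol_officer": {"plate_lookup"},
    "records_clerk": {"plate_lookup"},
    "it_admin": set(),  # administers the box, cannot query records
}

# Constructed: open cases each user is assigned to. Requiring a lookup to
# cite one of these is the enforceable stand-in for "official purposes only".
ASSIGNED_CASES: Dict[str, Set[str]] = {
    "officer_a": {"C-1001", "C-1002"},
    "clerk_b": {"C-2001"},
}

# Constructed plate records.
PLATE_RECORDS = {
    "ABC123": {"owner": "J. Doe", "status": "valid"},
    "XYZ789": {"owner": "R. Roe", "status": "suspended"},
    "LMN456": {"owner": "M. Moe", "status": "valid"},
}


@dataclass(frozen=True)
class AuditEntry:
    user: str
    plate: str
    case_id: Optional[str]
    allowed: bool
    reason: str


class PlateDB:
    """Plate lookup gated by role and by a cited, assigned case."""

    def __init__(self) -> None:
        self.audit: List[AuditEntry] = []

    def lookup(self, user: str, role: str, plate: str,
               case_id: Optional[str] = None) -> Optional[dict]:
        # Control 1: coarse RBAC. Does this role get to query at all?
        if "plate_lookup" not in ROLE_PERMISSIONS.get(role, set()):
            return self._deny(user, plate, case_id, "role lacks plate_lookup")
        # Control 2: purpose binding. The cited case must be one the user is
        # assigned to, so an arbitrary case number does not justify a lookup.
        if case_id is None or case_id not in ASSIGNED_CASES.get(user, set()):
            return self._deny(user, plate, case_id, "no assigned case cited")
        record = PLATE_RECORDS.get(plate)
        if record is None:
            return self._deny(user, plate, case_id, "unknown plate")
        self.audit.append(AuditEntry(user, plate, case_id, True, "ok"))
        return dict(record)

    def _deny(self, user: str, plate: str, case_id: Optional[str],
              reason: str) -> None:
        # Refusals are audited too; they are the cheapest signal of misuse.
        self.audit.append(AuditEntry(user, plate, case_id, False, reason))
        return None


def broad_case_use(audit: List[AuditEntry], max_plates: int = 2) -> List[tuple]:
    """Review step: one case cited for more than max_plates distinct plates
    is the pattern the purpose gate cannot block, so surface it for a human."""
    plates_per_case: Dict[tuple, Set[str]] = defaultdict(set)
    for e in audit:
        if e.allowed:
            plates_per_case[(e.user, e.case_id)].add(e.plate)
    return sorted(k for k, v in plates_per_case.items() if len(v) > max_plates)


def denied_attempts(audit: List[AuditEntry]) -> Dict[str, int]:
    """Refused lookups per user, for the same review."""
    counts: Dict[str, int] = defaultdict(int)
    for e in audit:
        if not e.allowed:
            counts[e.user] += 1
    return dict(counts)


if __name__ == "__main__":
    db = PlateDB()
    print(db.lookup("officer_a", "patrol_officer", "ABC123", "C-1001"))
    print(db.lookup("officer_a", "patrol_officer", "ABC123"))           # denied
    print(db.lookup("officer_a", "patrol_officer", "XYZ789", "C-9999"))  # denied
    print(db.lookup("admin_c", "it_admin", "ABC123", "C-1001"))         # denied
    for entry in db.audit:
        print(entry)
    print(denied_attempts(db.audit), broad_case_use(db.audit))
```

The two gates are still only an approximation: a corrupt user who is assigned to a case can cite it for a lookup that has nothing to do with it. That is why the review functions run over the audit trail rather than the gate trying to judge intent; the gate turns "purpose" into something logged and attributable, and the review turns the log into something a supervisor can act on.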


>> The heart of this is the difference between legal authorization vs technical authorization.

We must not confuse legal authorization (felony for violation) with private or contractual agreements.

Any law that allows private entities to define what actions constitute a felony is bad, and hopefully unconstitutional.

Technical access measures are somewhat like physical locks. Terms of use are more similar to contracts. IANAL so my analogies may be crap.


This is a very good point and what people often confuse.

There is a crime of breaking and entering - and that's well defined.

Then there are permissions of: "you can be in my house as long as you don't use the bathroom and only wear pink socks" - if a person were to wear green socks, you can kick them out, but it does not suddenly become a home invasion


Exceeded authorized access commonly refers to privilege escalation, which means access to a resource beyond his/her level of granted permission, whether by modification of technical controls, social engineering, or physical access. That is not what happened here. The access to the resource occurred exactly in accordance with the access controls and authority granted, but the motivation and intention were in clear ethical violation.

Judge Barrett said exactly this in her opinion.


Civil and criminal law are distinct for a reason. In criminal law the consequences for your wrongs are much more dire-- you face the power of the state against you and you can be denied your freedom.

Triggering the CFAA on policy violations creates a general tool to convert civil matters into not just a crime, but a relatively serious one! It essentially lets system operators write private law with criminal enforcement without the oversight of the public.

To give a silly example: Your landlord prohibits you from painting your walls. Their payments website has some terms of use that makes it a CFAA violation to use their site with painted walls. Suddenly what otherwise might be a lawsuit over the $500 cost to repaint is a state funded attack where you face ten years in prison.

It's clearly wrong to use the CFAA that way in the silly example, but it's no less wrong in less silly cases. Saying the CFAA can't be used to create private criminal law doesn't mean that policy violations can't be prosecuted-- but it means they should be prosecuted under other laws (with intentionally matched terms and penalties) or as civil matters.


Actual hacking into a network with intent should be on the order of breaking-and-entering, not robbing a bank, murder, or committing acts of terrorism. Hacking to rob a bank should be the same as robbing a bank. Hacking to intentionally poison a water supply is something like terrorism.

Cracking, gnireenigne copy-protection, copying a publicly-/privately-available archive of information, etc. should be "speeding tickets" not 50 years in pound-me-in-the-ass federal pen.

Hacking should be seen as an amoral means to commit another act, not a specific criminal, malicious activity in-and-of-itself.


This is the outcome of a legislative branch which can no longer legislate effectively. The courts have to "interpret" the laws into a sensible form of common law which minimizes the difference between the legislation, and practical governance concerns.

Interpreting the law in such a way as to make private policy makers the arbiters of felony charges is not compatible with our society. This would be the equivalent of a restaurant letting you in, asking you to take a seat, and then charging you with a felony for choosing the wrong seat as listed on a tiny sign in the back of the restaurant.


The argument against the dissent is CFAA defines the terms used. Ordinary reader rule does not apply in that circumstance and nor should it.


A policy change by your employer shouldn't lead to the possibility of a criminal prosecution for "hacking" and that's the net result of what you're suggesting and what that interpretation would mean.

To me this is the definition of overreach.


Would that make you a criminal if you mistyped your URL, and ended up looking at someone else's document?

It seems like it would to me, and I don't like that interpretation.

If you want me to keep out, then keep me out. Don't make something available to me and then accuse me of a felony when I see it.


It sounds similar to the problem of someone with access to a file cabinet, where they aren't allowed to use some of the files in the cabinet, but are allowed to access other files in the same cabinet.


And if they do access the files that they aren't allowed to, we don't charge them with safecracking. They did something, but safecracking doesn't fit.


Similar to if someone does something they aren't supposed to in a business, they aren't immediately charged with breaking and entering or trespass.


Based on your quote, with no other context, using your authentication to access information you aren’t supposed to access is verbatim the scenario the law speaks to.


Plain English to me seems like the person in question had authorized access.

His actions maybe should be criminal in some way (time to write a law maybe), but his access was authorized.


This seems to me to be the correct decision. Van Buren should have been charged with:

GA 332: Abuse of official power
GA 333: Exceeding official powers
GA 338: Bribe-taking

and, Federally, 18USC 201, which prohibits public officials from taking bribes.


I'd imagine they were, by the time things get to the Supreme Court, they're dealing with very narrow issues of law and not the entire case.


There should be some snooping/violation-of-privacy charges as well, but otherwise that sounds about right. CFAA is not relevant here.


> CFAA is not relevant here.

Er, CFAA is not relevant to the criminal case against Van Buren, I mean.


There's an important distinction between levels of government and civil vs. criminal penalties here. From section a.4 of the holding:

"The relevant question, however, is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase."

The CFAA is a federal statute that governs unauthorized access to computer systems. When granting authorized access to computer systems, other organizations (whether states or police departments or private companies) are free to set their own policies, and they can enforce those policies with the mechanisms they have available to them, like terminating the offending officer or revoking his computer access (at which point further access would be a CFAA violation). But can they then use the language of the CFAA to criminalize violations of their own authorization policies? This holding says no - the CFAA covers the initial access to the computer system, and then violation of more granular access policy is a civil matter between the individual parties.

This is consistent with several other recent court positions. There was a recent case to criminalize ToU violations [1]; the court ruled that this is an overbroad reading of the CFAA and ToU violations were civil matters between parties. When Anthony Levandowski used Google's network to download self-driving car plans and sell them to Uber [2], he was prosecuted under "theft of trade secret" laws, not under the CFAA. It's also analogous to perpetual free speech battles, where the court has repeatedly ruled that private parties are free to restrict speech on their own property, and that the 1st amendment applies only to the government. In general liberal democracies seek to apply restrictions as narrowly as possible and have private parties work out contracts and consequences amongst themselves, only stepping in when there is no way to enforce such agreements without an outside power.

[1] https://arstechnica.com/tech-policy/2020/03/court-violating-...

[2] https://www.justice.gov/usao-ndca/pr/former-uber-executive-s...


An analogy: Imagine I give you a key which opens two doors, and tell you to only use it on the first one.

Entering the prohibited room isn't an offense under this act. But circumventing a lock on a third door for which you don't have a key would be.

i.e. The judges interpreted it as intending to capture hacking, not policy violations.


Or stated differently, the judges explicitly denied giving policy the force of law so that you can’t be charged for a crime for going against an employee handbook or license agreement rule.


Even that analogy makes it sound more severe as it’s a door that you’ve been asked to stay out of. They used a door that they frequently are required to use but for a purpose other than what they were authorized to do. E.g. you can use this door to do A but you use the door to do B.

Or, car analogies! You are given a car for work and told it can only be used for business purposes, but you use it to drive to the grocery.

Or, something closer to technical which may be familiar to people. You’re given a laptop for work only but you browse HackerNews on it.

All are against the policies of those that granted you access to the device, but would they constitute unauthorized access?


Here's EFF's take, which IMO is correct: https://www.eff.org/deeplinks/2021/06/supreme-court-overturn...


The EFF has been arguing for limiting the scope of the vague CFAA for two decades already, I'm happy to see some progress on this issue.


https://en.wikipedia.org/wiki/Van_Buren_v._United_States

> The FBI set up a sting operation and instructed Albo to offer Van Buren US$6,000, but in exchange, to request Van Buren look up a license plate on the Georgia Crime Information Center (GCIC) he had authorized access to, as to see if its registered owner, a stripper, was an undercover officer

What ever happened to entrapment being… you know… against the law?

Like I'm aware these sorts of stings happen all the time. What I don't understand is why it's generally found to be OK.


Entrapment is not against the law, but it is a legal defense at trial against a charge.

In any event, this is not entrapment, because it was not coercive. It's not entrapment to offer someone a reasonable amount of money to commit a crime, that's standard police work. It's only entrapment if the person refuses the offer, and law enforcement harasses them, repeatedly suggesting someone commit a crime until they are eventually convinced to do it.


The police routinely catch drug dealers by selling drugs to them or buying drugs from them. This is no different. Entrapment would only be a defense if you showed that absent police action you'd never do anything like that and they essentially coerced you into it. But if they know an officer is corrupt and routinely sells data to criminals, then to obtain hard evidence by staging a sting sale would be completely ok for them. In this particular case, the officer reached out to the criminal for money, so it'd be hard for him to claim he'd never done it if the police weren't involved.


Holy shit, it costs $6,000 to look up one license plate?

Hollywood has really made this seem like a not-that-bad or not-that-unusual activity. Good that they're cracking down on it, but my expectations and reality are way out of whack on this.


Nah, it really doesn't cost $6000.

The context here is that the police officer was already trying to shake this guy down for money; perhaps he figured that he's getting what he wanted in the first place, and can do a little favor to smooth things out.


The expensive part is "is an undercover officer" not "look up a license plate".


Entrapment has specific requirements to apply, namely, that the person would not normally have committed the crime.

Wearing someone down for years with harassment? Threats? Lies like “you have to do this or someone would die?” Entrapment.


How is that different than offering someone 6 grand? Had no one offered him six grand he never would have committed the crime.

Like there's literally no victim here other than the accused.


If you're willing to take $6k to commit a crime, you're a criminal (in the eyes of the law). On the other hand if you're being coerced, that's not a crime you'd normally commit. There are presumably people willing to offer up money for illegal plate searches, so this isn't really some wacky situation (the price might be high though).

I do agree the line is incredibly vague. In theory, you could argue that, oh yes, the criminal would commit a crime if you constantly called them up and threatened their family. That's a bit of a stretch, I think.

I don't agree with this interpretation and think entrapment should be more broadly defined, and stings should be very limited... but I also think a lot fewer things should be illegal and we should reform the criminal justice system, so clearly I'm not the type of person they listen to when writing laws.


He would’ve happily accepted the $6k from someone else who wasn’t part of a sting. That’s why it’s not entrapment.

If they had to beg and cajole and plead and coerce, it would’ve been entrapment.

Same reason prostitution stings aren’t entrapment.


Entrapment is absurdly narrowly defined. You practically have to put a gun to someone's head.


This quietly, but I think significantly, changes the considerations for IAM and similar access controls.

In the wild, these always trend towards overly permissive. Almost every company, tech or not, mature or not, deals with this.

This ruling shifts a fair amount of responsibility to IAM teams to get it right now, as CFAA won’t back them up as much anymore.


I don't know that it makes much difference for internal controls. The implicit threat that backs the control is the disciplining of the employee, not their criminal prosecution.


Disagree, as someone who’s built these: prosecution is an ultimate fallback in AUPs, employee handbooks, etc.

HR teams ultimately don’t have a ton of teeth or willpower unless there are laws involved, and now there is not legal coverage.


If it matters, I was speaking as someone who led the authorization platform team for a Fortune 100 company. I do suppose this depends significantly on company culture.

In my experience: failure to abide by company policy is first-and-foremost a compliance issue; the company policy framework definitely goes above and beyond the scope of "what is criminal".

HR is primarily there to manage records of employee conduct (e.g. in case of a pervasive pattern of misconduct across a number of different controls) and to provide a sanctioning mechanism (hard conversation; formal reprimand; separation).


Yeah def a company culture thing.

I agree it’s a compliance issue, this is def GRC, and agree with your def of HR.

What I notice is HR likes to really move on employees when it has legal protection to do so. What a “pervasive pattern of misconduct” is often has a law behind it in some form, as otherwise you risk a wrongful termination lawsuit.

So, if you have a situation where an employee’s pattern of misconduct sources back to only, or at the root, IAM allowing it (say an extreme scenario like consistently nuking prod), there is now some gray area for those wrongful termination suits.


If a company's first line of defense for an employee violating internal policies is getting them charged with a federal felony then there is something very wrong with that company.


Hence “quietly but significantly.” I certainly never said a felony was the first option.

From a defense in depth standpoint, the CFAA served as sort of a final stopgap, in that it gives HR legal precedent to fire someone who did something moronic with their IAM.


Company policy does not have the force of law, and violating company policy should not be met with legal ramifications unless those violations also transgress the law. Most company policies forbid installing games on company laptops—should that be treated as a felony?


Not apples to apples at all.

IAM mistakes easily touch prod, laptop games don’t.


I don't see how "touching prod" has anything to do with the unauthorized use of computer resources.


Sure, good question. Have you ever built/audited IAM policies before? That helps with understanding the context.

You can get fired for HR reasons through a pattern of misbehavior. That misbehavior needs to be safely within legal territory such that a wrongful termination suit can't occur (to really generalize).

Prod example:

A not inconceivable pattern of misbehavior could be repeatedly causing prod events simply because the IAM allows the user to touch prod, because the user has an overly permissive IAM policy. Policies like that are very, very common in the wild, and almost equally at small or large companies (but for different reasons).

This could be hedged by an AUP or prod access policies, but then what wins out... the company might have an internal prod-access policy in place, but the laws, per this change, clearly state that if the IAM allows them to do it, it's not illegal to do so solely based on that reason. So, HR loses legal precedent to support their firing, which isn't an area HR loves being in I think.

You can generalize prod events to over-permissive IAM causing any number of moronic environment problems by a single user, but if they're only doing it because the IAM allows it and the user doesn't know any better, this legal change means it's not illegal (at least under the CFAA).
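The over-permissive IAM policy this subthread keeps coming back to is something you can check for mechanically. The following is an added example written for this discussion, not any company's real policy or tooling: it audits a policy document in the AWS IAM JSON shape for wildcard actions, wildcard resources and unconditioned destructive actions, and shows a "developer gets everything" policy beside the same role scoped down to one dev bucket with an explicit Deny on prod. The account id, bucket names and the list of "destructive" action prefixes are constructed placeholders.

```python
"""Audit an IAM-style policy for over-permissive Allow statements.

Added example for this thread, not any company's real policy or tooling.
The policy documents are constructed samples in the AWS IAM JSON shape;
the account id and bucket names are placeholders.
"""
import json

# Action prefixes treated here as "can change or destroy production state".
# Constructed illustration, not an exhaustive or official list.
DESTRUCTIVE_PREFIXES = ("iam:", "rds:Delete", "ec2:Terminate", "s3:Delete")


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def find_overly_permissive(policy: dict) -> list:
    """Return (Sid, reason) findings for each Allow statement that is too broad.

    Three checks: wildcard actions ('*' or 'service:*'), a wildcard
    resource ('*'), and a destructive action granted without any Condition.
    Deny statements are never flagged.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action!r}"))
        if "*" in resources:
            findings.append((sid, "wildcard resource '*'"))
        for action in actions:
            if action.startswith(DESTRUCTIVE_PREFIXES) and "Condition" not in stmt:
                findings.append((sid, f"unconditioned destructive action {action!r}"))
    return findings


def audit_policy_json(text: str) -> list:
    """Parse a policy document from JSON text and audit it."""
    return find_overly_permissive(json.loads(text))


# Constructed sample 1: the "developer gets everything" policy the thread
# describes as common in the wild. It reaches prod because nothing stops it.
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DevAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "BroadDelete",
            "Effect": "Allow",
            "Action": "rds:DeleteDBInstance",
            # placeholder account id, not a real one
            "Resource": "arn:aws:rds:us-east-1:111111111111:db:*",
        },
    ],
}

# Constructed sample 2: the same role scoped to one dev bucket, with an
# explicit Deny on prod so that an accidental grant elsewhere cannot win.
SCOPED_DOWN = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadDevBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-dev-bucket",
                "arn:aws:s3:::example-dev-bucket/*",
            ],
        },
        {
            "Sid": "DenyProd",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "arn:aws:s3:::example-prod-bucket/*",
        },
    ],
}


if __name__ == "__main__":
    for name, policy in (("overly permissive", OVERLY_PERMISSIVE),
                         ("scoped down", SCOPED_DOWN)):
        print(name, "->", find_overly_permissive(policy) or "no findings")
```

The point of the explicit Deny in the scoped policy is the one the thread makes about HR and policy: if the technical control itself rules prod out, an employee "nuking prod because IAM let them" is no longer a possibility you have to argue about after the fact.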


> Sure, good question. Have you ever built/audited IAM policies before? That helps with understanding the context.

Yes, I have been working in regulated industries for a while in devops and security roles.

> So, HR loses legal precedent to support their firing, which isn't an area HR loves being in I think.

I think this is the crux of it, frankly. People can be fired for arbitrary reasons, including violation of company policy, even if that policy is not backed by force of law. If you perform unauthorized access of customer info willfully and that is in violation of policy, why does HR need the force of law? If you were a key holder and repeatedly left the door unlocked at close despite previous warning, while not violating the law you should likely be let go.


How would the Aaron Swartz case have been affected if this decision had been made before?


I am not a lawyer, but it really looks like Swartz would not have been convicted on CFAA charges.

However, he was also charged with wire fraud. The gov't was throwing the book at him. If it wasn't one law, it would've been another, and if it didn't apply, they'd still convict (and he'd have to spend years appealing the decision).

Sadly, I don't think it would have saved Aaron Swartz.


Also not a lawyer, but the wire fraud charge was because of circumventing IP address restrictions. It is hard to claim that such an act defrauds anyone of money or property.


Oof. I don't like this decision, and I'm surprised to see the breadth of agreement from the Court. When you grant a person access to a system (digital or physical), it's for a specific purpose. Violating that purpose should be a criminal act. If I give a plumber my house key to come in and fix my sink, and he goes and he opens up my computer and looks at my files, that should be a crime. If I grant a Geek Squadder access to my computer to get a virus off my computer, and he looks at my private photos except to the extent necessary to do the job I hired him to do, that should be a crime.

One could always say "Congress can remedy this with legislation" but that body has become fully dysfunctional so we all know that won't happen.


Yes, it likely should be a criminal act, and it may even be covered by one.

But it should not be a violation of the CFAA.

In your Geek Squadder case, you gave him access to the computer. He may have used that access improperly, but he did not increase his access through any illicit means. It is likely a crime, but not one that should be covered by the CFAA.

Your plumber case is a much different scenario. Also definitely a crime, but you did not grant him access to the machine. So it's possible that the CFAA should cover that, but I don't have the knowledge required to answer that with any amount of certainty.


If someone has access to data, but uses it inappropriately, that doesn't sound like something that should be covered by “exceed authorized access”.

If someone is using that information inappropriately, maybe that should be against the law, but not the Computer Fraud and Abuse Act.


The SC made the right call here. In order to dissent, you have to claim that all improper/illegal acts done with computers constitute a form of hacking under the CFAA, since the prevailing laws do not "authorize" one to use the computer in that fashion.


I don't think the agent's action is proper, but it had nothing to do with computer fraud per se, nor is it the legislation intention.

Suppose someone was granted access to an evidence room, but had a look at evidence that is not from his case, or at a case file that he has access to for reasons not work-related. Those generally fall in the area of internal regulation, in which case the agency takes the legal blame for the agent, and should it take actions against the agent, it might be supported.

Put simply, even if those records were physical the referred agent could have done the same thing. Logically, it's not a matter of abusive conduct through a computer, it's a matter of abusing public power.


I wonder if this precedent would have had any impact on weev's case. https://en.wikipedia.org/wiki/Weev#AT&T_data_breach


I was wondering the same thing, and I don't think it would. I am not a lawyer, and I guess we can't know why the jury voted guilty, but I think the arguments were that weev didn't have authorization. They argued that there were several "gates" weev had to go through to access AT&T's data.

1) User agent. He changed the user agent to that of an iPad.

2) The ID themselves. He only had to increment them to get to a new one, but they argued these were like a password.

3) Going to a URL that wasn't linked from somewhere. I'm not kidding.

https://www.techdirt.com/articles/20130929/15371724695/dojs-...

So I think in weev's case, they argued he never had authorization at all.

Whereas, in Van Buren's case, "The parties agree that Van Buren 'access[ed] a computer with authorization'." So the problem was whether or not he exceeded authorization, not if he had it in the first place.
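The "gates" listed above (a user agent string, a sequential ID, an unlinked URL) and the earlier comment about mistyping a URL and landing on someone else's document both turn on the same engineering question: is access bound to who is asking, or only to knowing an identifier? The following is an added example written for this discussion, not AT&T's code or any real system; the record store is a constructed in-memory dict with consecutive IDs, and the function and user names are invented. It contrasts an ID-only lookup with one bound to the authenticated user and measures how many records each design hands to a single user.

```python
"""Binding record access to the authenticated user rather than to the ID.

Added example for this thread, not AT&T's code or any real system. The
record store is a constructed in-memory dict with sequential IDs, the
shape the comment above describes.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str       # authenticated username that owns the record
    email: str


# Constructed sample data: three customers with consecutive IDs.
RECORDS = {
    1001: Record(1001, "alice", "alice@example.com"),
    1002: Record(1002, "bob", "bob@example.com"),
    1003: Record(1003, "carol", "carol@example.com"),
}


def id_only_fetch(user: str, record_id: int) -> Record:
    """Weak pattern: knowing the ID is treated as the authorization.

    The caller's identity is ignored, so a mistyped or adjacent ID hands
    back someone else's record. Raises KeyError for unknown IDs.
    """
    return RECORDS[record_id]


def owner_bound_fetch(user: str, record_id: int) -> Record:
    """Hardened pattern: the record must belong to the authenticated user.

    Unknown and foreign IDs raise the same Forbidden so the error does not
    reveal which IDs exist; the ID is a locator, not a credential.
    """
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != user:
        raise Forbidden(f"{user!r} may not read record {record_id}")
    return rec


def exposure(user: str, id_range: Iterable[int],
             fetch: Callable[[str, int], Record]) -> int:
    """Count how many records in id_range `fetch` returns to `user`.

    Used here as an authorization-review metric: for a correct design the
    answer equals the number of records the user actually owns.
    """
    seen = 0
    for rid in id_range:
        try:
            fetch(user, rid)
        except (Forbidden, KeyError):
            continue
        seen += 1
    return seen


if __name__ == "__main__":
    span = range(1000, 1011)
    print("id-only fetch exposes", exposure("bob", span, id_only_fetch), "records to bob")
    print("owner-bound fetch exposes", exposure("bob", span, owner_bound_fetch), "record to bob")
```

The design choice worth noting is that the hardened lookup never consults the User-Agent or whether the URL was "linked from somewhere"; neither of those is an identity, which is why a court arguing they were gates was on shaky technical ground even if the legal outcome went the other way.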


I wonder how the market for compliance and authorization tools and services will react to this ruling. I would guess they will have a lot of increased business - even though employers can always fire an employee that violates policy, it will probably strengthen their case to ensure that the employee is also breaking the law, especially in unionized workplaces or other places where formal policies around termination are especially important.


What a silly and cynical comment. Most employers (the vast majority even!) aren’t looking to set their employees up to become criminals when they fail to follow company policy. Usually the goal of a policy is to have a fail-safe: where even if the policy is violated the law isn’t.


Just so I understand here; he's still on the hook for taking the bribe and running the license plate, he's just been cleared of unauthorized access because he was granted access to the system. Right? Seems to me the prosecutor messed up when charging him under CFAA, which as we can see here is a complex and nuanced section of law, instead of something straightforward, if less sexy like public corruption/bribery.


In what world is it reasonable for the FBI to go around and bribe small-town police officers in order to charge them under the CFAA? WTF.


They do anti-corruption stings like this. The most famous was probably ABSCAM (https://en.wikipedia.org/wiki/Abscam).

I'd rather them devote resources to anti-corruption like this than "drugs".


Questions:

* Should there be a distinction between violating a written policy; and bypassing a technical barrier?

* Should there be a distinction between doing something that you are ordinarily permitted to do, but for an unpermitted purpose; and doing something that you are just never permitted to do?

It seems that the Court didn't answer the first question, which is more interesting to me.


That's been answered in other cases where someone violated a ToU and SCOTUS ruled that's not a breach of CFAA and not a criminal act.

The second situation they've just ruled is not a crime under CFAA. That second clause "you are just never permitted to do" would depend on whether it was implemented as an employment policy or as a technical implementation that you "hack".



Summary please.

It's a lengthy document with quite complex language.

The impression I got from reading the introduction is it was pretty clear which way the ruling went, but some of the comments here seem to be based on the opposite so there seems to be some confusion.

So can someone please sum it up in 1 or 2 lines?


    if (!authorized && access_system) {
        // unauthorized access = crime
    }
    else if (authorized && access_system && access_data &&
             authorized_to_access_data && !permitted_circumstances) {
        // FBI/prosecution said = crime
        // SCOTUS said if authorized to access, but not in circumstances,
        // then !crime under CFAA but may be crime under other laws
    }
Basically, it comes down to that the system let the user access the data, but their conditions of use were that they were only allowed to do it under certain situations (in this case, as a cop, when involved in a traffic stop, or some other activity).

The prosecution tried to say that this was a crime under CFAA, SCOTUS said that if the user is allowed to access the data, then it's not a breach of CFAA to do so.


The question was if you accessed the data which you are authorized to access (like police database for a policeman) but then used it for the purposes which are not part of your duties (like a corrupt policeman selling these data to criminals) can you be charged under CFAA. The SCOTUS said no, if you are authorized, then you are authorized, and the fact that you used the data later for an unauthorized purpose does not make the access itself a crime under CFAA (still could be a crime under a different law, of course). Thus, they restricted the reading of CFAA to a much narrower scope than the government wanted to apply.


Also this probably blows a huge hole in the "EULA violation is a CFAA crime" argument. I'd say it probably would not survive this decision.


"[E]xceed[ing] authorised access" (EAA) may occur where information accessed is located in "areas of the computer that are off-limits", e.g., "files, folders, databases". Access for an unauthorised purpose does not amount to EAA.

I was aiming for 160 chars (2 lines of 80 chars). Not so easy.


did the court clarify what "authorized" means? seems that the opinion hinges on that definition.

does it mean just knowing the right user name and password? what if the login page also had a check box "I agree to use this system only to perform my job". if the cop lies and checks this box, does it mean he's not authorized?

if lying about the check box is OK, what if he had used a colleague's user name and password for the criminal activity? he's still authorized just he didn't use his own password to commit the crime. would that still not make it CFAA?


>"...to retrieve information about a particular license plate number in exchange for money..."

This is a clear case of bribery. It is criminal. Not sure why the case was not prosecuted accordingly.


I wonder if the raid in 1990 on Steve Jackson Games fell under this particular act.

http://www.sjgames.com/SS/


Almost certainly not. My understanding of the SJ Games raid was that the Secret Service was issued a search warrant by a court prior to the raid.

18 U.S. Code § 1030 (f) explicitly excepts lawfully authorized investigative activity of a law enforcement agency. The Secret Service is such a law enforcement agency, the raid was an investigatory activity, and since they obtained a search warrant prior to the raid it was a "lawfully authorized" search.

As such, even if there might be liability based on their actions under the other portions of the section (I have no idea on this aspect, I'm not too familiar with the details of what they did as part of the search and seizure), the waiver in (f) is extremely broad and would apply to the Secret Service in that particular case.

> (f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

https://www.law.cornell.edu/uscode/text/18/1030


Thanks!

