The Supreme Court is now hearing oral arguments in Van Buren v. United States, a case about the proper scope of the Computer Fraud and Abuse Act.

Listen here: c-span.org/video/?477429-…

Read my preview here: politico.com/newsletters/we…
Justice Thomas asked Van Buren's lawyer if he has any real-world examples of the slippery slope argument that CFAA critics have been making in the 11th Circuit, where courts have followed the government's reading of the law for a while.
Van Buren's counsel says no, but references cases in other circuits, including one where someone was prosecuted for “misusing MySpace” and another one involving Ticketmaster.
Van Buren's lawyer adds that just because prosecutors haven't yet applied the CFAA in the most dramatic and far-reaching ways possible, “that doesn’t enable the Court to simply construe the statute on that promise.”
Van Buren's lawyer is Jeffrey Fisher from Stanford, btw.
Alito: Do you really think Congress wasn't worried about, say, bank employees selling credit card numbers when they enacted the CFAA?

Fisher: I don't think so. Congress was concerned about hacking, “and that’s up and down in the legislative history.”
Alito is pressing Fisher about how things like lying about weight on a dating service would violate CFAA.

Fisher says the CFAA violation comes not from inputting the lie, but from obtaining info (in the words of the statute) from potential matches based on the lie.
Sotomayor: I share my colleagues' concern about the misuse of sensitive data by people entrusted with it.

Fisher: Congress can pass other laws to prevent that.
Fisher: “The core of the problem is, there is no foothold in the statute to inch the statute forward to cover the conduct in this case without also covering all kinds of other violations” in terms of service, employee handbooks, college course syllabi, etc.
Sotomayor: Can you think of CFAA amendments that would address this?

Fisher: Yes, and the government cites some just as we do. But that should come from Congress, not the Court.
The justices keep asking Fisher to explain how the CFAA would criminalize seemingly innocuous things. Kagan just asked about checking Instagram at work.

Fisher says that would violate CFAA under the govt's reading b/c you're "obtaining" words & pictures from your Instagram feed.
At issue is what it means to criminalize "obtaining or altering information" from a computer system in a manner that violates the terms under which you are allowed to access the computer.
Gorsuch: If the CFAA doesn't cover these kinds of things, but there are other, more troublesome activities, like what your client did, are there other laws that could cover those offenses?

Fisher: Yes. Every offense that the government wants covered is covered by another law.
Barrett is pushing Fisher over his definition of "authorization," expressing skepticism of his idea that it's "an on/off switch." She asks why the Court shouldn't view authorization as being inherently dependent on the purpose of the access.
Fisher: We don’t think the CFAA treats authorization in that way. And given that other statutes do that, we think that’s evidence that Congress didn’t intend to do that here.
Fisher's closing argument is about the CFAA's ambiguity. He seems to think that enough justices see it that way that this will appeal to them.

"You cannot distinguish...hypotheticals [like Instagram] from the ones that the government wants to point at [as] the most troubling."
The lawyer for the govt comes out swinging, saying Fisher is trying to limit the CFAA so that it can’t prosecute anyone who ever has any valid access to the system they abuse. He says Fisher is relying on a “wild caricature of our position” w/ “invented cases” to scare SCOTUS.
Thomas: What’s your response to Fisher’s claim that CFAA is ambiguous?

Govt lawyer: I don’t think it is. “I think it clearly supports us and his reading is textually insupportable.”

Thomas wants to know why SCOTUS shouldn't apply the rule of lenity.
The government's lawyer is Eric Feigin, a deputy solicitor general at DOJ.
Breyer is asking why the CFAA can't be read, in the government's view, to criminalize checking Instagram at work?

Feigin: The key issue is whether the computer access is being used to do something that couldn't be done without it (e.g. stealing protected data).
Alito asks for clarity on what precisely the various terms in the CFAA mean, e.g. "authorization."

“I don’t really understand the potential scope of this statute without having an idea about exactly what all those terms mean.”
Alito: “What is this statute talking about when it speaks of information in the computer? All information that somebody obtains on the web is in the computer in a sense. I have a feeling that’s not what Congress was thinking about when it adopted this.”
Feigin: I think your concern arises from the way in which Fisher teed up this case for you. He’s suggesting that the only way to avoid the “parade of horribles” is to define those terms better. I think it's pretty clear that the CFAA doesn't cover the examples he cited.
Sotomayor summarizes the concern that several other justices have been hinting at: “You’re asking us to write definitions to narrow what could otherwise be viewed as a very broad statute, and dangerously vague.”
Kagan: Do you concede that, without the word "so" in the CFAA, you would lose this case?

Fisher: “I think it would be a much tougher case for us without the word ‘so,’ Your Honor.”

We are truly getting into the weeds here.
Gorsuch: This case seems to be the latest example of the government trying to broaden the scope of criminal laws in “contestable” ways. Why are you trying to do this for a state crime that’s prosecutable under state and perhaps other federal laws?
Gorsuch: Your argument about the scope of CFAA seems rather broad, “perhaps making a federal criminal of us all.”
Feigin: “We do think this is the correct reading of the specific, narrow portion of the language that is at issue here.”
(This should have said Feigin, not Fisher, obviously.)

Kavanaugh: Seems like CFAA only criminalizes taking info from system you’re not authorized to access. Why is that wrong?

Feigin: That would be like criminalizing stealing cash from a safe but not from cash register b/c you’re authorized to remove $ from register for your job.
Barrett is asking Feigin about the scope of the word "authorized" and why it should be so broad.

Feigin: “The word 'authorization' refers to specific, individualized permission, and there are going to be systems that” don’t require it, like public websites.
Feigin again criticizes Fisher's framing of CFAA's scope.

“He’s ... argued that unless you do what he wants, all of this other stuff’s going to be opened up. And we don’t have much case law on the other stuff, because nobody has ever made” sustained efforts to bring those cases.
Feigin: “To the extent we start to see cases like that, that’ll give courts, including this court if necessary, the opportunity to further articulate those limits.”
Fisher, in his rebuttal, says, "The best thing the government can say is, 'We haven’t brought a whole bunch of these prosecutions yet.' … They would be available under the government’s reading."
Fisher, picking up on Gorsuch's concern, notes the many cases "where the government offers a reading of federal statute that would sweep in everyday conduct .... What the court has done in every one of those cases is" require that any ambiguity be construed narrowly.
Arguments are over.

It certainly sounded like the justices were more skeptical of the government's argument than the Van Buren team's argument, re: the ambiguity in the wording of the CFAA.

But obviously that's no guarantee of how they'll rule.
Here's my story about this morning's SCOTUS arguments in Van Buren v. United States, where several justices sounded concerned about the government's interpretation of the U.S.'s main cybercrime law. politico.com/news/2020/11/3…
