A longish thread on Van Buren: Where does it leave the CFAA?
Here's a first cut.
The computer hacking statute, the CFAA, prohibits two things: access without authorization, and exceeds authorized access. Access without authorization is understood to require some kind of breaking in. The question here is whether exceeds authorized access does, too.
As I read the new decision, the Court says yes -- exceeding authorized access also requires some breaking in. The court agrees with the defendant's claim that the two prohibitions are similar -- at just different stages. The Court calls this a "gates-up-or-down" inquiry.
In a footnote, the Court seems to adopt the authentication test -- "whether a user’s credentials allow him to proceed past a computer’s access gate" -- that I and others have proposed.
But there's a big caveat to that. In a different footnote, the Court says it is *not* reaching whether that "gate" can be imposed only by technology, or by a contract or policy.
I am not sure how to square those footnotes.
I may be too close to this to see it clearly right now, but I would have thought the issue in Van Buren is what counts as a "gate." Does there need to be a technological gate, or can a gate of words ("do not access this computer for a bad purpose") suffice?
Reading Van Buren other than FN8 seems to point consistently to the idea that "gates up or down" means "access is blocked or not blocked," that is, a technological block. Put another way, it's all about actual hacking.
(With apologies to the computer science folks who insist that the word "hacking" is misused by everyone, here the word is understood as meaning to break in.)
So this seems a little confusing, at least on my first read. It seems that the opinion other than FN8 is a rejection of the view that FN8 says the opinion is not resolving.
Putting a former clerk hat on, I wouldn't be entirely surprised if FN8 was added in response to another Justice who worried that the opinion was taking on more than it needed to.
Van Buren's brief at times alternated between a narrow and broad position -- at times narrowly arguing about "improper purpose," and at times more broadly arguing about technologically breaking in.
Van Buren ended up 6-3 and took a long time (argued 11/30, handed down 6/3). This is all just outside speculation, but it may be that the delay was caused by a Justice or 2 wanting a somewhat narrower ruling than Barrett's initial draft, which other than FN8 seems quite broad.
Anyway, that's how it seems to me at first blush. Curious if others have a different reaction. /end
Pondering this a bit more, I wonder if I was over-reading FN8. It leaves unresolved whether the gate test is “only” technological, or also “looks to” policies, terms, etc. That might still mean a mostly technological test, but one that can be impacted by written restrictions.
For example, what if there’s a password gate, but the company has posted the PW and has a policy that anyone can use it? You could say that’s a case where the policy alters the gate; it’s not closed gate if they post the key and invite use.
That interpretation could reconcile the various footnotes, at least. Maybe FN8 is just saying that breaching a code-based barrier is not necessarily sufficient to establish liability — not that it is not required.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
There's a lot to be said about the traffic stop of Lieutenant Caron Nazario, but one of them is that it makes this 2015 blog post unfortunately relevant again:
"Sandra Bland and the 'Lawful Order’ Problem."
(Given the paywall, I'll include screenshots.) washingtonpost.com/news/volokh-co…
The interview above was recorded in 1997, and none of it has ever been shown outside my family before. At some point I'm going to make a full length edited video of it to post on Youtube (it was 5+ hours long, so it needs to be shortened). But, for now, this excerpt.
When a father consented to a search of his "son's account" on their jointly used computer, investigators exceeded the scope of consent when they searched the recycle bin, which included files from multiple users. Child porn found there is suppressed. wicourts.gov/ca/opinion/Dis…#N
The forensic tool used to search the computer grouped the deleted files from all accounts in the same place, the recycle bin, without indicating from which account a particular file had originated. Acc to the court, using the tool to search that was beyond the scope of consent.
This case touches on a question that I cover in my computer crime law casebook and discuss in my class: How do you apply consent principles to computer searches when people consent in regular-user-speak but forensic analysts think in forensic-tool-speak?
Many, myself included, have expressed amusement (or horror) about how splintered and long the 5th Circuit's decision is. Perhaps worth noting that at least some of that may reflect the fact that it's a facial challenge.
Some background: Most constitutional arguments are "as applied" challenges, in which a person will claim the government did something unconstitutional. But some challenges are "facial" challenges, in which the challenge is to the statute itself.
With "as applied" challenges, there's usually an ultimate ruling: Is the action constitutional or unconstitutional? But facial challenges can be more complicated, because the challenger may challenge several different parts of the statute, on different rationals.
How does the 4th Amendment apply to the "U.S. Private Vaults" case, busting the Beverly Hills store where people could anonymously store guns and drugs (and anything else)?
First, the alleged facts. The store hosted safe deposit boxes at a strip mall. Their selling point was total privacy: You pay big $$$, and you can store anything there and no one will know. According to prosecutors, the business was trying to entice those engaged in crimes.
The store didn't want to know who its customers were. They just wanted the very large payments in exchange for privacy. I gather this is their website, and Youtube plug: