Online security is an ever-changing landscape of defenses, strategies, intrusion tactics, countermeasures, and technologies locked in an eternal war. Legal matters sometimes intersect and can provide sweeping changes as new perspectives are considered in a world that marches toward a digital future at a faster rate. As every facet of life becomes more imbued with digital surveillance, there are times when specific acts and events must be scrutinized for the sake of judicial review.
This is even more prevalent with the move to working from home. Several industries are coming to terms with the new normal of telecommunication, and this is presenting challenges to be negotiated for a wide variety of personnel.
Simply put: our lives are online all the time now.
On November 30th, 2020, arguments opened before the Supreme Court in a new case – Van Buren vs. United States – concerning this very topic. In short, a police officer accepted money to look up restricted information in a law enforcement database (specifically, the license plate of a citizen). The question here is simple – does an actor who has privileged access still maintain that clearance when it is used for unauthorized purposes?
Essentially, this matter can be reduced to “it’s not illegal, buuuuuuut something feels a little off about it.” Theoretically, the argument of “there’s no law against it, thus it is not illegal” has come under fire for a variety of reasons throughout history, and anything that resembles an invasion of privacy can certainly fall under this umbrella. The policeman in this situation did not break a law or violate any kind of rule or order, but it still feels strange to know that someone on friendly terms with an officer could gain access to information hidden from the public.
However, really, that’s kind of beside the point. The bigger issue here is less about the foggy nature of what happened, and more about how to classify it. This is important because until we can apply specific labels and designations, appropriate punishment (if any should even be applied) for breaching online security is difficult to assess.
Specifically, this case falls under the nebulous area of hacking (broadly defined as a situation where a user gains unauthorized access to digital resources), with specific respect to the Computer Fraud and Abuse Act (CFAA). It was enacted in 1986 to ensure that computer-related crimes could actually be punished from a legal standpoint (again, shades of weeeeeell it wasn’t illegal when I did it).
Unfortunately, the CFAA has generally been seen as vague. For example, does breaching any part of the terms of service for a website, application, or digital service constitute a violation of online security?
Tim Wu – a longstanding legal scholar and professor at Columbia Law School – has called it “the worst law in technology,” and his involvement in the computer world cannot be overstated (he coined the term “net neutrality” for starters). The CFAA is believed and cited to pressure free-speech advocates, stifle journalistic endeavors, and complicate the punishment phase of law by raising a misdemeanor into a felony (creating disproportionate sentences).
One of the most famous examples of this is the case of Aaron Swartz. To summarize, he downloaded academic journals from MIT, and was charged under the CFAA with wire fraud. Following a very controversial lawsuit that resulted in felony charges, he committed suicide. This has been a subject of intense debate when it comes to free speech and the limitless punitive measures available to federal prosecutors.
Maybe the shortest way to think of this is that we – as a society – are still coming to terms with the breadth and depth of the impact that technology has on daily life, and have not yet caught up in terms of proper regulation and law with regard to our online security.
This is why this case is being heard by the Supreme Court – to discuss a long-standing and still undecided law that can potentially have widespread impact on the entire digital world. Apparently, this discussion is a long time coming.
You are most likely wondering why or how this would affect you, which is an entirely valid response to have. For example, if you created two accounts on a shopping website to get a 10% coupon for two separate orders when the coupon specifically dictates one per household, could you be charged? Think about it – you knowingly created two accounts with the same physical address for the purpose of saving some money. Under some interpretations of the CFAA, this would constitute hacking behavior (or at least hacking-like behavior) and could result in felony charges.
Another example: All the recent activity involving the PlayStation 5 and scalpers could fall under CFAA litigation. I’m not even sure there are ANY laws being broken there, but a shrewd argument could be made regarding the use of bots to game checkout systems to obtain stock in a not-fraudulent fraudulent way. I’m not saying this kind of behavior should be punished, even if I really want to play that sweet new Spider-Man game.
The point here is that it’s a planet-sized swamp of legal complexity that may finally force specific conversations and new laws to be put into place. Arguments are underway, and digital rights advocates are understandably keeping close watch.
I’d wager no one in the entire world – should their entire inventory of digital actions be known – would be immune to prosecution under the current constructs of the CFAA. When you think about it that way, and when you think of all the seemingly innocuous things you’ve done that could suddenly land you in front of a judge, then it’s clear that this case can and should be considered extremely applicable to everyone.