Interesting Supreme Court Case Regarding Computer Hacking

Miscellaneous and Personal Stuff I Must Share
41

The questions about whether hypothetical abusive postings on a message board violate the CFAA are not fringe concerns and it has nothing to do with trying to interpret phrases in the CFAA in a particular way to disclaim that making message board posts are not ways of accessing a protected computer or retrieving information (simply loading a webpage is “retrieval”) in the way many posters so far are trying. It’s a real concern that has driven actual cases.

The CFAA, on the face of it, does allow for prosecuting users of a computer system for violating the services contractual terms of service under an “exceeds authorized access” argument. This isn’t theoretical; it’s been done perhaps most notably in US v Drew. Most posters here have probably heard of the situation at least in passing. In 2009 Lori Drew used postings on Myspace under a false name to influence Megan Meier to commit suicide. Prosecutors charged Drew with a violation of the CFAA, asserting her use of Myspace in violation of its terms and conditions (prohibiting false names) was “unauthorized access”. Importantly, this case initially resulted in a conviction.

On appeal, the conviction was overturned on the basis that a non-legislative user terms of service contract is too vague to give rise to criminal sanctions. The elements of the Myspace system being a protected computer system and Drew’s interactions with it involving retrieval of information from it were not part of the appeal. Only the problems with interpreting a violation of a service’s terms of service contract as a legal foundation for prosecution were elements in overturning the initial conviction.

So while there is at least one situation where an appellate court rejected violations of a website terms of service as constituting criminal activity, it only applies to precedent in the Central District of California and is not a fully settled matter, just like how whether “unauthorized access” involves only the circumventing of technical access restrictions is still unsettled.

42

Looks like the Supreme Court agreed with the cop that his conduct wasn’t criminal:

43

As I said earlier, I agree with the majority. It is a weird combination of a majority (Barrett, Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh). I think the law would be far too broad as read by the dissent, but the dissent brings up very valid points. This is a good example for posters who wonder why it isn’t so simple just to go by plain words of a statute in many cases.

44

To me, it looks like it was simple to go by the plain meaning, but that the other justices relied on other factors to say the plain meaning was not the correct meaning.

I much prefer this sort of jurisprudence that looks at other factors. The problems that can arise come from bias, and that is just as much a factor in textual analysis as it is analyzing other factors.

45

I’m not sure about plain meaning in this case. I think too much hinges on the idea of “authorized access” in a computer hacking statute. To many people that concerns only what the technology allows you to do. If your boss or the SDMB says that you can only use it for this or that purpose and you use it for another purpose, then it sure doesn’t seem like hacking but a rule violation between you and the boss or you and the SDMB.

Thomas makes excellent points in the dissent that “authorized access” is always context specific. You may allow me into your home if I am a plumber fixing your sink but not allow me in to eat dinner. But I think the majority has the better of it in the context of a computer hacking statute in that authorization means a login and password and the general permission to access a certain part of the computer.

46

It could probably be explained by looking at the majority’s browser history. :slight_smile: