Computer crime at the Supreme Court: Freedom of the Press Foundation and others weigh in on an upcoming CFAA case
Parker Higgins
July 23, 2020
Freedom of the Press Foundation joined a Supreme Court brief this month in Van Buren v. United States, an upcoming case about the primary federal “anti-hacking” law: the Computer Fraud and Abuse Act. Our brief, led by the Reporters Committee for Freedom of the Press, argues that the law must be narrowly construed or risk unconstitutionally restricting protected First Amendment speech.
The CFAA has been on the books since 1986 — reportedly introduced in response to president Ronald Reagan becoming concerned after watching the cyberthriller WarGames — and has come under extensive criticism over the years. The scholar Tim Wu has called it “the worst law in technology,” for example. Although it is on its face about “computer crime,” it has at times been so broadly construed as to cover any behavior prosecutors or plaintiffs find undesirable, as long as a computer is even involved. That includes a lot of protected common practices in reporting, especially in the field of data journalism. And until now, the Supreme Court has not yet weighed in on it.
As a result, the case is highly anticipated, and has attracted over a dozen amicus briefs from experts around the country. Today we're highlighting some of the important speech arguments that directly affect journalists, presented in a selection of those briefs.
Threats to press freedom around the world are at an all-time high. Sign up to stay up to date and take action to protect journalists and whistleblowers everywhere.
Thanks for signing up for our newsletter. You are not yet subscribed! Please check your email for a message asking you to confirm your subscription.
Beyond RCFP and FPF, the brief is joined by dozens of press freedom groups, journalist associations, and media outlets, including the Los Angeles Times, The Washington Post, AP, Reuters, and more. As expected, then, it focuses extensively on the ways in which an overly broad interpretation of the CFAA — specifically its prohibition on “exceed[ing] authorized access” — can be used to hinder reporting, or to chill protected speech.
In particular, it outlines how a broad read of what the “authorized access” clause means could reach nearly all acts of corporate and government whistleblowing, which is clearly beyond the intent of the law:
“If this Court were to embrace that expansive interpretation, the number of government and corporate-whistle-blower sources available to journalists would significantly drop. Because a violation of an employer’s computer-use policy constitutes a crime under that interpretation and such a violation would occur virtually any time a potential source were to use a work computer to access information for a non-business reason—i.e., any time a source is acting as a source—such an interpretation would strongly deter potential sources from coming forward with newsworthy information.”
The brief also explains how the law threatens the practice of web scraping, which it notes is increasingly used by researchers and data journalists to uncover stories. Scraping has become an essential tool in finding instances of algorithmic discrimination, and — as the brief notes — even just the looming threat of potential liability under the CFAA has already led independent journalists and newsrooms to not publish reporting gathered that way.
The American Civil Liberties Union, on behalf of its plaintiffs in a separate court challenge to the constitutionality of the CFAA, makes a similar argument in its brief:
“Any construction of the CFAA that leaves open the possibility of criminal or civil liability when users violate website terms of service will chill critical research and data journalism necessary to hold powerful platforms and websites accountable to the public, including for violations of anti-discrimination laws.”
Beyond just chilling reporting, the CFAA can complicate efforts to actually enforce non-discrimination laws, especially as 21st century audit techniques — even those that bear no resemblance to the “hacking” targeted by the law — can be prohibited by website terms of service.
The Markup is a nonprofit news outlet that uses data driven methods to cover how technology impacts society. Its amicus brief argues that a broad interpretation of CFAA would criminalize newsgathering practices in the tradition of Ida B. Wells’s transformative work, “A Red Record: Tabulated Statistics and Alleged Causes of Lynchings in the United States, 1892-1893-1894.”
“Like Ms. Wells, The Markup seeks to inform and influence public debate by marshaling the ‘best evidence’ available - which is now increasingly online. Whereas Ms. Wells forced society to confront the evils of lynching by manually searching paper records, modern data journalists analyze enormous datasets to identify abuses of power in the modern world.”
The Markup goes on to argue that charging Van Buren under the CFAA is detrimental to the public-serving function of data journalism. The Markup regularly harvests data through methods that may be at odds with the arbitrary terms of service of some online platforms. This behavior would potentially be criminalized if the Supreme Court upholds the Eleventh Circuit’s decision. “Banning The Markup and other journalists from collecting and analyzing publicly accessible information would make it impossible to observe activity on the Internet, which in turn would make it impossible for reporters to serve their vital oversight function,” reads the brief.
The brief from the National Whistleblowers Center is specific in scope, arguing that a broad interpretation of the CFAA would be contradictory towards congressional efforts to protect whistleblowers who report fraud or other illegal activity of their employers to federal law enforcement.
To demonstrate Congressional intent to incentivize whistleblowing employees, the brief points to a number of laws and their histories. The Sarbanes-Oxley Act of 2002, for example, protects employees who report criminal activity of their employers to federal law enforcement. Congressional records related to the CFAA itself express explicitly that the law should not cast “a wide net over ‘whistleblowers’ who disclose information they have gleaned” from a computer.
The NWC is particularly concerned about an interpretation of the CFAA that would criminalize a circumstance in which an employee granted access to information for a specific purpose then uses it for another. Such an interpretation would potentially take away from the protections afforded to whistleblowers who disclose fraud or illegal conduct to federal law enforcement. The phrase “exceed[] authorized access” in the CFAA, NWC argues, should only extend to those who “access information on a work computer which they have no right to view for any purpose.”
These briefs represent just a few examples among the many compelling arguments against broadly interpreting the CFAA. We are closely following developments in this case, and will provide updates as they come.