Dean Reuter: Welcome to Teleforum, a podcast of The Federalist Society's Practice Groups. I’m Dean Reuter, Vice President, General Counsel, and Director of Practice Groups at The Federalist Society. For exclusive access to live recordings of practice group teleforum calls, become a Federalist Society member today at www.fedsoc.org.
Nick Marr: Welcome all to The Federalist Society’s teleforum conference call. This afternoon, October 28, 2020, we’ve got a special Courthouse Steps Preview call on Van Buren v. United States. I’m Nick Marr. I’m Assistant Director of Practice Groups at The Federalist Society.
As always, please note that expressions of opinion on today’s call are those of our expert.
We’re very fortunate to have with us this afternoon Mr. Joseph DeMarco. He’s a Partner at DeVore & DeMarco LLP. He’s also a member of our Telecommunications & Electronic Media Practice Group Executive Committee. As we go along, Mr. DeMarco’s going to give some opening remarks, and then we’ll have some time for audience questions after that, so be thinking of those and have those in mind for when we get to that portion of the call. Thanks for being with us here today, Joe. The floor is yours.
Joseph DeMarco: Thanks very much, Nick. And thanks to The Federalist Society for sponsoring this teleforum. Again, my name is Joseph DeMarco, and I’m a partner at a boutique law firm in New York, DeVore and DeMarco LLP. Our practice focuses on the law of data privacy and security, and cybercrime prevention and response. And I’ve been a partner at that firm since starting it about 13 years ago. Prior to that, for 10 years, I was a federal prosecutor in New York where I ran the cybercrime program at the United States Attorney’s Office for the Southern District of New York.
In my practice both as a prosecutor and now in my practice as a private attorney, I’ve spent a lot of time with the Computer Fraud and Abuse Act, the CFAA, both prosecuting cases as a prosecutor and now representing victims of cybercrime, particularly companies that have been victimized by cybercrime that want to refer those matters to law enforcement.
So it’s really a statute that I’ve spent the better part of my professional career for the last 20 years inside. And I’ve watched over the years as various jurisdictions, both at the district court level and at the circuit court level, have wrestled with some very fundamental questions in statutory construction and interpretation under the law, which finally are going to be, at least in part, resolved by the United States Supreme Court which granted cert a few months ago in a criminal case, Van Buren v. United States, which we’ll talk about today.
I’ve had the privilege of representing two amicus entities before the Court, filing amicus briefs on behalf of the Federal Law Enforcement Officers Association in support of the government and also the Managed Funds Association, also in support of the government. And we’ll talk a little about that.
What I thought we’d do over the next 15 or 20 minutes is just kind of go over some of the very high-level issues in play in the CFAA. I’m assuming that most people on the call are not regular CFAA practitioners. Of course, all the briefs are on the SCOTUSblog website, and the briefs we’ve filed are there as well as on our firm website, www.devoredemarco.com.
But what I thought I’d do is just kind of flag some of the big issues in play, why this matters, why it is that we filed amicus briefs on behalf of two very different organizations, and what is at stake in the Court’s decision. It is, as I mentioned, the very first time that the U.S. Supreme Court has taken up interpretation of a key provision of the CFAA.
So for those of you that may not be familiar with it, the Computer Fraud and Abuse Act, found at 18 U.S.C. Section 1030, is the main federal criminal anti-computer-hacking statute. It’s been on the books for dozens of years. I think the first version of it was passed in the late 1980s. And it’s been updated over the years, although it hasn’t quite kept pace with modern technology, not surprisingly. But it is the main federal criminal statute that’s used at the federal level to prosecute theft of information from computers, transmissions of viruses, ransomware, worms and other malware, internet frauds, and certain types of computer extortion.
Interestingly enough, it’s also a federal tort. Under Section 1030(g), private parties have the ability to sue each other where there’s been a violation of the CFAA for damages in federal court. And the plaintiffs’ bar has many years ago discovered the CFAA and has used it to bring class action cases involving violations of privacy alleged against corporations to the detriment of individuals and their privacy rights. So it’s, interestingly enough, both a case that has a fairly rich body of criminal law and also a fairly rich body of civil law attendant to it.
Now, the law makes a number of things illegal. The most pertinent one for today is the provision of the law, 1030(a)(2)(C), which makes it a crime to, quote, “intentionally access a computer without authorization,” or to, quote, “exceed authorized access,” close quote, to that computer in order to obtain information from that computer. By obtaining information from a computer, what it essentially means is taking information off of a computer.
So think of the case where everyone agrees, both the respondents and the government, an outside hacker breaks into a company’s database and steals all of the employee W2s in order to commit identity theft, or foreign state sponsored hackers break into a drug company’s databases to steal their COVID vaccine trial information. That’s essentially what we’re talking about when it comes to obtaining information from a computer.
I should also mention various states have analogous provisions that also make it a crime to engage in unauthorized computer access to take information from computers. But what we’re talking about today, obviously, is the federal statute.
Now, I mentioned that in order for it to be a crime, the person has to intentionally access a computer without authorization or exceed authorized access. But what does authorization actually mean? And what the case really turns on is whether or not the statute is going to be limited to outside hackers who break into computer systems and are unauthorized in doing that, or whether it also covers situations where someone has permission to be on a computer system or a computer database but uses that permission for manifestly improper purposes.
Putting it even more starkly, is the statute limited to outside hackers, or does it also embody the threats posed by insiders? The petitioner, Van Buren, says that authorization means that if you have permission to be on the computer system, you’re authorized, and whatever you do on that system, it’s not going to be a violation of 1030. The government would say authorization is not just limited to permissions to be on the system, code-based restrictions, if you will, but also applies to the facts and circumstances of what you do, including but not limited to contractual restrictions or policy restrictions.
Now, this is a distinction that courts have struggled with for quite some time. Some of you may remember over a decade ago a Goldman Sachs trader by the name of Sergei Aleynikov was arrested by my old office, the Southern District of New York, and charged with a number of crimes, including a 1030 violation for taking code that resided on the system of Goldman Sachs, where he worked, and transmitting that code, which ran their high frequency trading platform, to a computer server in Germany, and from that computer server, then transferring the data to a company that he was going to work for in Chicago.
Among other crimes, he was charged with a violation of Section 1030 for this very subpart, making it a crime to exceed authorized access to obtain information from a computer. Prior to trial, the defense moved to dismiss that count, and the trial judge, Judge Denise Cote, granted that motion. So ultimately, he went to trial on other charges, largely theft of trade secrets and interstate transportation of stolen property. But at the time, there was even dissension within the ranks of the Southern District of New York.
Over the years, various courts have continued to rule on these cases. And ultimately, the case that culminated to the Supreme Court that is before the Court right now involved an individual named Van Buren who was a Georgia Police Officer who accessed a database maintained by Georgia for law enforcement only purposes, the Georgia Crime Information Center database, at the request of a friend to find out whether an exotic dancer that the friend was interested in was working undercover for law enforcement.
So the police officer, at the behest of this friend, used his permissioned access to the Georgia Crime Information Center database, which is, I believe, a subset of the National Crime Information Center database, essentially the database that includes records of people’s arrests and the crimes for which they were arrested, as well as, of course, information on informants and cooperators. And he used his username and password to access that database in order to run a license plate number as part of trying to find out whether or not this particular exotic dancer was working for undercover law enforcement.
The police officer was arrested by the FBI, and at trial raised as a defense that he was allowed to be on the system because, after all, he had a username and password. So he said, “I was authorized.” The prosecution, in opposition to that, argued that the police department had a policy prohibiting the use of law enforcement databases for non-law enforcement uses and/or for personal uses, and that, applying the rules of the Eleventh Circuit, the court should charge the jury that when a person uses their permissioned access for a non-permissioned purpose they can be convicted under 1030.
The Eleventh Circuit to this day, unless the Supreme Court reverses, is one of those circuits which adopts what I will call the broad view of 1030, which, as I mentioned, permits prosecutions or civil lawsuits to go forward, either in the case of a violation of a code-based restriction or a violation of a contractual or policy-based restriction. Applying Eleventh Circuit precedent, the Eleventh Circuit panel which heard the appeal of Van Buren’s conviction affirmed, and the case then went to the Supreme Court.
Now, why is this such a big deal, and why are parties far and wide, not just those involved in law enforcement, paying attention to this case? They’re paying attention to the case for the very simple reason that the insider threat, the threat posed by individuals who have permission to be on a computer but who used that permission for improper purposes, is an incredibly potent threat. By some estimates, almost half of all cybercrime is either committed or facilitated by insiders.
So I was tracking the case when the cert petitions were filed and when cert was granted. And ultimately, we were retained on behalf of FLEOA and the MFA to file briefs in support of the government’s position arguing that authorization as understood in the statute should be given its ordinary common sense meaning, and that it can and should take into account not just technical restrictions on computer use — for example, did someone have a user account on the system? — but also whether they used that technically permitted access in violation of clear directives concerning use or purposes for which the authorization was granted.
For those of you that don’t know, FLEOA, the Federal Law Enforcement Officers Association, is a fraternal organization representing about 28,000 federal law enforcement agents and retired federal law enforcement agents from agencies such as the Secret Service, the FBI, the DHS, and other federal agencies.
And from the perspective of FLEOA, we pointed out to the Court the incredibly sensitive nature of information that’s stored on law enforcement databases, information about informants, victims, witnesses, operational methodologies, plans, procedures, communication technologies. And we also pointed out the fact that for those databases to work, many, many people, beyond what you would ordinarily think, have to be given access to those systems in order for them to function. So it’s not just the police officials who have to have access to those information systems, but also civilian agency employees, vendors, contractors, third-party IT service providers. When you total it all in, it’s actually a staggering amount of people that have to be given authorized credentials, typically usernames and passwords, in order to be on those systems.
We also described real world concrete examples where people who had access to those systems used that access for very, very improper purposes, which included assisting criminals, committing other crimes, and also, unfortunately, facilitating the recent trend of doxing law enforcement members and their families. In other words, just taking the information stored in those databases about the private contact information, the residential addresses, the home phone numbers, next of kin addresses, of law enforcement officials and just putting that information up on the web. So we’re very concerned about that and filed a brief in support of FLEOA on those points.
From a completely different perspective, we also filed a brief in support of the government for the Managed Funds Association. The Managed Funds Association is a not-for-profit membership association, and it represents the global alternative investment industry. It consists of about 4,200 members, including hedge funds and managed service providers. Now, from the perspective of the MFA, harkening back to the Aleynikov example I mentioned a few moments ago, we pointed out the incredibly innovative non-public financial service products and intellectual property created by member firms, the value of that non-public IP, and the threat to that IP which was posed by corrupt insiders who had access to that IP.
In today’s modern digital economy, in many cases, the value of a company is essentially the bits and bytes, the 1s and 0s sitting on that company’s hard drive. And particularly for entities that are in the hedge fund or alternative asset industry, the secret sauce is really everything because all you need is some basic computers and some basic working capital. If you have the secret sauce, you can not only make a lot of money for yourself, but in some cases, given the nature of the industry, take all the profits away from every other entity that has access to that secret sauce.
Not surprisingly, in light of a Supreme Court case, amicus briefs were filed on both sides with about fourteen filed on behalf of the petitioner, Van Buren, and about six, including our two, filed on behalf of the respondent. Interestingly enough, two internet privacy civil liberties groups are supporting opposite sides with the Electronic Frontier Foundation, the EFF, supporting the petitioner, Van Buren, and the Electronic Privacy Information Center, EPIC, supporting the government.
So in terms of a debate between the parties, there are a couple of interesting things. And I’m happy to, of course, answer questions in more detail on any of these. Both the petitioner and the government start off by agreeing that the case can be decided on the basis of the ordinary meaning of the terms authorized access and exceeds authorized access, with, I believe, both sides citing dictionary definitions of those terms.
By the way, for those of you that are wondering, exceeds authorized access has its own definition in the statute, albeit a somewhat circular definition. Exceeds authorized access means, quote, “to access a computer with authorized access and to use such access to obtain or alter information that the accessor is not entitled to so obtain.” So it kind of turns back on itself, with exceeding authorized access getting at the use case where someone has permission to be on a database or on a system, but their permissions are restricted to, let’s say, only certain databases or only certain files within a database, and they go from one of the permissioned systems to a non-permissioned system, as distinct from the purely, completely third-party outside hacker who has no relationship at all to the victim and comes in from the outside.
So what are the key points of the two parties? Well, I think the most impactful and biggest point of the petitioner, the one they spend the most time on and the one that they’ve discussed in the press and in the media is the following. They say, look, if you allow the owner of a computer system to set out the rules, the metes and bounds of what can and can’t be done on that system, then what you really do is you invite overcriminalization and abuse.
And they point to a scenario involving someone who has signed up for an account on a dating website and, in violation of the terms of service, creates a profile about themselves which misrepresents their height and weight. And what they say is, look, that person has violated a contractual restriction. Terms of services are, generally speaking, contracts. And that person has violated the terms of service which prohibit the posting of untruthful information about a person’s height or weight.
Are you really going to make criminals out of those people? Because if you say that contractual-based restrictions should be given weight, then what’s to stop rampant prosecutorial abuse of those kinds of cases? The only firewall that prevents that is limiting the statute to outside hackers, people who have engaged in completely unauthorized access because they don’t even have permission to be on the system.
And they point to a couple of cases. They point, actually, to three cases, all from quite some time ago, three prosecutions, which the government responds to. And the government’s response is basically fourfold. First, they say the parade of horribles, people being prosecuted for lying about their height and weight on a dating website or spending too much time on a website when the website has timed them out and then signing up under an alternate identity, those are red herrings. There really are no prosecutions of purely innocent conduct that everyone would agree should not be criminalized.
They respond to three cases that the petitioner points to. The petitioner said these cases are not fanciful, and they give three examples. Two of them the DOJ distinguishes, one of which they point out related to a 1030 count which was dropped in a superseding indictment, so the case went forward without the 1030 charge. Another involved not only contractual violations but also code-based, access-control-based violations, so it was not a clear-cut case of a pure contractual violation.
And then the final case they discussed was a case which got some notoriety at the time, the Lori Drew case. For those of you that may remember, back in 2009, an individual named Lori Drew was prosecuted after she created a false profile on Myspace and used that profile to taunt, electronically, a classmate of her daughter’s, ultimately telling that classmate that “the world would be a better place without you.” Tragically, that classmate killed herself.
Lori Drew was prosecuted under Section 1030(a)(2), the provision I just mentioned at the beginning today, for unauthorized computer access premised on her creation of the false and fictitious profile on Myspace in violation of Myspace’s terms of service. The case was very controversial at the time. It was a misdemeanor prosecution, but she went to trial in any event. I don’t know if there was a plea offer or not. And at the close of the case, at the end of the case, the court granted the defendant’s motion for a post-trial judgment of acquittal, and the government did not appeal.
So the petitioners say, look, these cases are not fanciful. These are not hypotheticals. They give three examples. The government distinguishes two of them, and as to the third, the Lori Drew case from 2009, says it’s an outlier prosecuted over 11 years ago. The DOJ also points out the fact that in 2016, the Department of Justice issued official guidance and charging guidance as to 1030 cases which formally counsels against investigations or prosecutions where unauthorized access is based on contractual or terms of service violations. So essentially, the government has said don’t bring these cases where the only basis for a violation of 1030 is that someone broke a contract or breached a promise.
The government also points out that there are other provisions in the statute which can limit abuse, for example, the mens rea requirement of the statute which the government asserts is an intentionality mens rea. They assert that that would prohibit prosecutions based on innocent conduct or non-blameworthy conduct, for example, people who didn’t read a terms of service and therefore didn’t knowingly violate any of the provisions, certainly not intentionally.
And then, finally, the DOJ points out that as to the parade of horribles that the petitioner mentions, pretty much all of which involve public access to public data, those kinds of cases are ill-suited to prosecution under 1030 because the concept of authorized conduct versus unauthorized conduct doesn’t really fit well when you’re talking about a public website or public data, as distinct from situations involving non-public data, like the law enforcement sensitive information that Van Buren accessed, where the person doing the accessing has specifically been told not to do something as it relates to that data and has been trained on the fact that there are only certain permitted use cases. So they distinguished the case from non-public data versus public data and situations where someone is clearly and unambiguously intentionally violating explicit instructions against doing something, and that’s the something that forms the basis of the prosecution.
And then, finally, as you might expect, the DOJ says that those horribles, the hypotheticals, are quite different than the case before the Court. All the Court really needs to decide is whether what Van Buren did was in excess of authorization or not. The bottom line is the DOJ says that authorized should be defined in a case-specific and contextual way, and essentially that that really is the gravamen of the defense -- of the prosecution, rather. Some cases will tip in one direction. Some cases will tip in the other direction.
The parties do get out -- in terms of predecessor versions of the statute, they do get out in terms of legislative history, which is kind of ambiguous and a bit all over the place, although DOJ does point out that Senator Leahy did say in one of his legislative history pronouncements that one of these cases that was of concern to him involved corrupt IRS officials who were rifling through people’s tax returns for personal gains or to settle scores.
So I think that’s where I’ll leave it. We talk in our briefs about the absurd results, in our view, that would pertain to adopting the petitioner’s view. I will say this is also a case where the petitioners can point to absurd results that would go in the other direction. That’s one of the things that makes it most fascinating.
In addition to my practice, I teach the cybercrime seminar at Columbia Law School, and we spend, as you might imagine, a great deal of time on this because the statute is what it is. The hypotheticals spin out of it like cotton candy. There are great arguments on both sides, and the Supreme Court is going to have to tackle it. My suspicion is it will not be the last time the Court will weigh in on these cases.
There are other cases percolating out there, but I do think that for those of you that are interested in cybercrime, the insider threat, hacking, and the metes and bounds of statutory interpretation, Monday, November 30, is your day. That is the day oral argument will be held. And I’ll leave it there and am happy to take questions. I’m also happy to take questions offline. You can contact me through our email address which is on our website.
Nick Marr: Great. Thanks very much, Joe. So now we’ll turn to audience questions. And we’ve already got a questioner, so we’ll go to it now.
Bob Fitzpatrick: Hi, Bob Fitzpatrick here in D.C. I’m an employment lawyer, and I see the CFAA issues arising with frequency on the civil side with my representing an employee who had authorization to access.
And if I heard you right, am I correct that if the Court as it seems to be with frequency now oriented on the language of the statute and dictionary definitions of what words meant at the time of the enactment, that if an employee accesses what he or she already has, documents, data, information that he or she might already have access to as a part of their job, they would not be exceeding that access by looking at or taking what they work on during their job. They would only be liable potentially in terms of exceeding access if they look at and take for an improper purpose something that they don’t work on at their job. Do I have it right on that word, exceeds, the way it’s defined?
Joseph DeMarco: So it’s a great question, and we’ll see. I will say both sides point to the ordinary common definition. What I think in your case you would want to look to is really what their technical permissions are. I think what the petitioner, what Van Buren would say is, look, this is a very simple case. Did this employee have a password and username which allowed them to look at that file, or to get to that file, did they need to crack into the database? Did they need to steal someone else’s username and password, or did they need to have to borrow someone else’s username and password? And I think that that is how the petitioner would read the situation.
The government, of course, would take the opposite view that you would say, okay, what is the reason why that employee who has technical permission to look at that information, why are they looking at it? Are they looking at it so that they can take screenshots of it with their iPhone to send to a competitor, which is clearly in derogation of their duties as an agent of the company, if they are one, and any fiduciary duties they might have as well as contractual obligations? But I think that is how they would analyze the question.
What I do think from our perspective is, and we point this out in our brief, that if the petitioner’s view is upheld, that as to insiders, the analysis has to begin and end with did they have access to this file, did they have access to that file, did they have access to this document, that spreadsheet, that email platform? Managing those permissions is going to be a nightmare for employers that produce high value IP.
And so those employers, or really, any employer, are going to have to do one of two things. One, run the risk -- have open permissions. Once the person is in the system, they’re in and have broad permissions, and they run the risk of misappropriation without any 1030 remedy. Or they have to create a very detailed and, I must say, hard to maintain file permission structure, even, perhaps, a permission structure on a document by document basis so that when someone exceeds their permissions and strays from one bucket of IP that they’re allowed to work on and supposed to work on into another bucket of IP, they will have a 1030 remedy at their disposal if they feel they need it.
From the law enforcement point of view, and also from the IP point of view, we point out that a lot of the value from these databases inheres in cross-collaboration, cross-pollination, and collective analysis, so that when you start to set up those kinds of very, very fine and minute permission systems and structures within an organization, you actually can dampen down creativity. Sometimes, it’s good to let employees graze and free roam and free range across a very large set of IP because that’s just where a lot of creative ideas come from. So I don’t know if that helps, but it’s a great question.
Bob Fitzpatrick: Thank you very much.
Nick Marr: And Joe, we don’t have any questions in the queue right now, so I’ll throw one out there about -- actually, we do have one right now. We’ll go to it.
Caller 2: Thank you for your discussion. Was Van Buren fired, and isn’t that the best remedy for contractual violations?
Joseph DeMarco: It’s a great question. I actually don’t know. I didn’t read the case closely enough for that point. I assume so. And that is an argument that the petitioners make. Petitioners would say that, look, why make a federal case out of this? Is jail the answer? You can always fire an employee. You can always bring a breach of contract lawsuit. There might even be other crimes that could be permitted.
And what I think the government would say, were that question put to them, is that there are certain cases where the conduct is so egregious and crosses the line that it merits criminal prosecution. And in fact, Congress made that judgment in passing the statute that they passed. But I think that that is a common argument which is countered by the common refrains that in appropriate cases, at least a civil remedy should be available to parties that are aggrieved by violations. Great question, too.
Nick Marr: Okay, we don’t have any questions in the queue right now, so I’ll throw one out there. And you might have briefly touched on different kinds of uses, but how does this apply, this statute, has it applied to data analytics and net sweeping where there’s just a general taking of information? If you could speak a little bit about that.
Joseph DeMarco: Yeah. So that’s really not implicated in the case on appeal. There are other cases in the appellate courts that are percolating around there on that subject, but what’s distinct about Van Buren and perhaps one of the reasons why the government decided to -- well, I guess the petitioner appealed. But I think one of the unique aspects about it is that it involved private data, sensitive data, data that was non-public, and misuse of that data in a way specifically prohibited by the employer, and also the fact that the employer was law enforcement. So I think that it is a very different case than those types of situations, but certainly I think people will be watching this issue as it continues to develop.
If there are no other questions, I would just end on one point which I thought was quite interesting. For those of you that really like to study and parse how issues of statutory construction can apply in a given case, both sides spend a great deal of time on one little two-letter word. So remember when I mentioned that exceeds authorized access is defined as, quote, “to access a computer with authorized access and to use such access to obtain or alter information that the accessor is not entitled to so obtain.”
Both sides spend a lot of time on what “so” means, with the government saying that to “so obtain” means to obtain in the circumstances and manner in which the obtention occurred, thereby bringing in policy and contractual considerations, and the petitioner saying that “so obtain” means obtained through that methodology, i.e., the computer methodology as opposed to a non-computer, for example, methodology.
Again, I’m not a Supreme Court practitioner. I’ve filed a handful of amicus briefs in the United States Supreme Court. I’m not a practitioner, but I’d venture to say that not many statutory construction arguments come down to one two-letter word, the two-letter word here being “so.” So maybe that’s a good place to end. But if you’re looking to read some interesting, mind-bending parts of the briefs, I think those are great parts to focus on.
Nick Marr: So we haven’t gotten any questions in the meantime. I’ll give you a chance for any closing remarks you might want to offer besides that, or we can just wrap it up.
Joseph DeMarco: So let me just thank you, thank The Federalist Society, thank everyone for watching, for following this teleforum. Again, whatever area of law you’re in, whether it’s cyber or not, even employment, HR law, it is an area where I think the Court’s decision would be well worth reading. And I think we could have some very interesting concurrences coming out of it because there’s a lot of rich material and a lot of great hypotheticals that I think are just begging for law clerks and judges, too, to write on. So thank you very much.
Nick Marr: On behalf of The Federalist Society, I want to thank you, Mr. DeMarco, for sharing with us today and to our audience for calling in. As always, we welcome your feedback by email at email@example.com. And be keeping an eye on our website and your emails for announcements about upcoming teleforum calls and our webinar panels.
Also, you can visit our website for information and registration for the upcoming National Lawyers Convention. It’s going to be all virtual the week of November 9, so check that out. Thank you all for calling in today. We are adjourned.
Dean Reuter: Thank you for listening to this episode of Teleforum, a podcast of The Federalist Society’s Practice Groups. For more information about The Federalist Society, the practice groups, and to become a Federalist Society member, please visit our website at www.fedsoc.org.