
Supreme Court Looks at Computer Trespass Meaning

Federal statutes have muddied the waters on the meaning of computer trespass, but a Supreme Court case may clear the air

When Congress passed a federal statute on computer fraud in 1984, it was concerned with the problem of people “breaking in” to computers and computer networks. You know, hacking. So it made it a crime to “access” a computer “without authorization.” You know, hacking. A few years later, it passed the Computer Fraud and Abuse Act (CFAA), which amended the statute to include within its prohibitions not only those who “access” a computer “without” authorization, but also those who “exceed” the scope of authorization. Since then, courts have struggled to understand just what is prohibited. If an employer prohibits “personal use” of a work computer, is playing solitaire or minesweeper a felony? If a dating website’s terms of service say that you have to provide “accurate” information, does shaving a few years or a few pounds off your profile now land you in the hoosegow?

On April 20, the U.S. Supreme Court agreed to hear a case that would likely resolve this question.

When Cumming, Georgia, Police Sgt. Nathan Van Buren searched for a license plate number in the Georgia Crime Information Center (GCIC) database, an official government database maintained by the Georgia Bureau of Investigation (GBI) and connected to the National Crime Information Center (NCIC) maintained by the FBI, he wasn’t doing so for the benefit of the Cumming PD. He was doing it as a favor to some guy from whom he had borrowed money, as part of his efforts to pay back what he owed. Even though Van Buren had legitimate credentials to use both the GBI and NCIC databases, he was accessing the data for a purpose for which he was not authorized.

Did that make the sergeant a “hacker?”

The CFAA, which makes it a crime to “exceed the scope of authorization to access a computer” and further makes it a felony to do so for “financial gain,” makes it a crime for someone with authorized access to computers and databases to do something with that access that the owner of the database or computer doesn’t want. But what does “exceeding the scope” of authorization mean?

The CFAA is both a criminal and a civil statute. That means that it permits parties aggrieved by certain portions of the statute to sue in federal court for violations. Frequently, this is used when an employee of a company accesses information (such as trade secrets, customer lists, etc.) that they are allowed to access but does so in anticipation of leaving the company and taking the data with them. In the past, the old employer could sue the employee for theft (misappropriation) of trade secrets, unfair competition or breach of a non-compete or non-disclosure agreement—or could sue the new employer for misuse of the trade secret or conspiring with the old employee. But the CFAA’s “exceeding authorized use” provisions have been used in both civil and criminal cases to go after such rogue employees in federal court. The Supreme Court’s decision in the Van Buren case may dictate whether such civil or criminal cases can proceed.

In addition, companies frequently access websites of competitors or others for a variety of reasons that the competitor might not want. So Best Buy might not want Micro Center to see what prices it is charging so it could undercut its prices. Best Buy might restrict access to its public website by saying, “You can’t use the pricing data on this website to undercut our prices …” Does this mean that when Micro Center corporate toadies go to the Best Buy website (or have an automated program do it for them) they are “exceeding the scope of their authorization” to access the public website, and therefore are both civilly and criminally liable for their actions? Is that what the hacking statute was intended to do?

Same problem for other “publicly” accessible databases. If an AI program snarfs up all the “public” photos from Facebook, LinkedIn and Twitter and creates a searchable facial recognition database of these pictures, is there anything the social media giants can do to prevent it? Can use restrictions in a Terms of Service or Terms of Use make such mass downloading into “exceeding authorization to access” and therefore a felony computer trespass?

What about a program that collects “public” information from a database like LinkedIn and provides more detailed analytics for customers? The data is collected by LinkedIn with promises about how it will be used—well, how it will be used by LinkedIn, at least. Can LinkedIn use the threat of trespass liability to restrict the ability of others to use (or misuse) the accessible data?

In another example, many websites require users to input “accurate” information. If you log into a dating website and shave a few years or a few pounds off your profile, have you “exceeded” your authorization to access the computer? What if you’re 14 but lie and say you’re 16 to get on? What if you lie about being on a sex offender registry? And what about if you are a researcher trying to figure out whether job websites discriminate on the basis of race, gender or national origin, so you “test” these sites by creating artificial profiles and seeing how the algorithms handle them—are you “exceeding” your “authorization” when the job site requires accurate information?

A lot is riding on how the court rules in this case. It may determine whether companies can protect their websites and databases using the tools of trespass law and potential criminal prosecution. It may determine whether rogue employees can be jailed for merely wandering (online) where they shouldn’t be or for purposes for which they shouldn’t wander. But it may also determine whether those watching sports (remember sports?) on company computers, streaming Netflix at the office (remember the office?) or using data lawfully accessed for non-permissible purposes are guilty of felony trespass. And it may dictate whether using your high school graduation picture in your dating profile is not just a bad idea, but a felony.

Source: https://securityboulevard.com/2020/04/supreme-court-looks-at-computer-trespass-meaning/
