Decision of the Supreme Court on computer fraud law revolves around a singular word: 'so'

The United States Supreme Court is currently grappling with the interpretation of the Computer Fraud and Abuse Act (CFAA) in the case of Van Buren vs. U.S. The case, centred on the "exceeds authorized access" prong of the CFAA, has sparked debates about the potential broadening of the statute's reach and the implications for everyday activities.

Justice Brett Kavanaugh and Neil Gorsuch have expressed concerns about scaling the CFAA's federal criminal liability. They, along with Justice Samuel Alito, have raised questions about the potential criminalization of innocuous activities under the CFAA, expressing the need for limiting instructions or interpretations.

The ambiguities of the CFAA, including unclear definitions of "authorization" or "obtaining or altering information," were highlighted during the hearing. The DOJ's argument relies heavily on narrowing the definition of authorization, a position that Van Buren's attorney, Jeffrey Fisher, argues protects consumers from falling under the CFAA's scope.

Feigin, another attorney for Van Buren, argued that the statute has a specific focus on insiders misusing their access. He attempted to prove that there is a "narrowing function" in the definition of access, suggesting that it does not require an individual to do something they couldn't otherwise do.

If the court adopts Feigin's narrow definition of access, it could make the "without authorization" prong of the CFAA irrelevant. This could prevent the CFAA from broadly sweeping over ethical hacking or common consumer activities.

Justice Sonia Sotomayor focused more on the DOJ's interpretation of the law's prongs: "exceeds authorized access" and "without authorization." She seemed frustrated with the DOJ's argument, which she characterized as a request to rewrite the statute to include definitions not contained in the text.

The DOJ defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the [accessor] is not entitled so to obtain or alter." This definition has raised concerns about the potential criminalization of individuals who violate workplace computer-use policies or service terms, even if they do not truly exceed authorized access.

If the court rules in favour of the government, the newfound scope of the CFAA could implicate individuals in violation of service terms on websites. However, Fisher argues that private entities can sue individuals in violation of the statute, even without further government interference.

The Supreme Court is yet to deliver a decision on the case Van Buren vs. U.S., which was heard on Monday. The outcome could have significant implications for the interpretation and application of the CFAA in future cases.