Published by The Lawfare Institute
In June, the Supreme Court finally resolved a debate about how to read the Computer Fraud and Abuse Act (CFAA). The Van Buren opinion was a win for cybersecurity because it provided clarity on issues of cybercrime. For more than a decade, lower federal courts had struggled with hacking cases as disparate as violating a workplace use policy, using a new guest account when a previous account had been suspended, and obtaining information from public websites in ways the website owners had not anticipated or discouraged. Orin Kerr’s article “Norms of Computer Trespass” contains an excellent analysis of a range of CFAA cases.
Put briefly, the lower courts’ opinions were all over the map. This inconsistency showed the courts’ real confusion over how to read key terms that define criminal conduct in the CFAA, including “authorization” and “access.” These are common words, but they also have more specialized meanings in both law and computer science. However, the two disciplines define them differently.
This distinction is significant. The legal meaning of these terms is broad and flexible, invoking concepts of authority over property and trespass that invite judges to play a game of “choose your analogy”—a game that ultimately provided nothing but confusion and fear of the criminalization of a wide range of conduct involving computers. The technical meaning, by contrast, avoids the analogy game, is consistent with cybersecurity principles, and results in clearer notice about what specific technical conduct the law forbids.
In Van Buren, the justices had to decide whether a police officer who misused his access to a computer database containing confidential informants had committed a crime. The case turned on the phrase “exceeds authorized access.” The government argued the officer’s actions—looking up a name in exchange for money—clearly exceeded the limits of his authority, understood in light of his employer’s policy. The defendant, supported by civil liberties organizations and many scholars, maintained that the question was whether the officer had exceeded the access privileges granted to him by the computer itself.
This split in the legal and technical meaning is what really divided the justices in Van Buren, but this is not immediately apparent from reading the opinions. The majority opinion, written by Justice Amy Coney Barrett, instead pays homage to conservative orthodoxy by invoking textualism, sometimes called the “plain meaning” approach to statutory interpretation. Setting aside mere “policy arguments,” she writes:
We start where we always do: with the text of the statute. Here, the most relevant text is the phrase “exceeds authorized access,” which means “to access a computer with authorization and to use such access to obtain ... information in the computer that the accesser is not entitled so to obtain.”
The court, in a lengthy discussion, expanded on the purpose of the word “so” in the phrase “that the accesser is not entitled so to obtain.” Barrett interprets “so” to have a narrowing function: It means that the accessor is not entitled to obtain the information “by using a computer.” It is a “gates-up-or-down inquiry.” What matters is not whether users are generally entitled to use particular information, but whether they have been given access by the computer to that information. Van Buren had access to the computer, so he won. The computer’s “gate” was up for him; while he was a corrupt cop, he was not guilty of malicious computer hacking.
Justice Clarence Thomas’s dissent initially appears to take a similar textualist approach by asking what “an ordinary reader of the English language” would think of the statute’s words. He concludes that the word “so” has a broader meaning than the majority believes, referring to the factual and legal context of the user’s situation. These circumstances favored the government, so Van Buren should have lost under this approach.
This abstruse argument over the meaning of a single two-letter word is not very helpful. Focusing on the word “so” gives little guidance to lower courts or to Congress about the broader questions of how to interpret the CFAA or other laws relevant to cybersecurity. The two conservative justices try to one-up each other by invoking Justice Antonin Scalia and consulting multiple dictionaries, but this is not helpful. Both interpretations of “so” are plausible, neither is plain, and dictionaries are not particularly helpful in choosing between them.
The real issue is whether to view the CFAA through a legal or a technical lens. For Thomas, an “ordinary reader” means a reader like him – that is, someone with legal training. He accepts the government’s view because it is consistent with a legal understanding of what “authorization” means. “Here, as in other contexts of property law, a person’s authority to use his access to property is circumstance dependent,” he writes (emphasis added).
The majority takes the opposite, technical approach. Barrett writes:
When interpreting statutes, courts take note of terms that carry “technical meanings.” “Access” is one such term, long carrying a “well established” meaning in the “computational sense”—a meaning that matters when interpreting a statute about computers. In the computing context, “access” refers to the act of entering a computer “system itself” or a particular “part of a computer system,” such as files, folders, or databases. It is thus consistent with that meaning to equate “exceeding authorized access” with the act of entering a part of the system to which a computer user lacks access privileges.
For Barrett, the meaning of a term refers not just to any “ordinary reader” of the language but to one who is “appropriately informed,” and that means giving technical terms their proper technical meaning.
As discussed in my previous post, the technical approach provides a sensible way out of the cybercrime maze. When reading laws about computers, judges should follow the well-established rule of interpretation cited by Barrett. If Congress uses a technical term, it should be presumed to be using that term according to its technical meaning, unless it has explicitly provided another definition. This rule makes it easier for those most affected by technical terms—like computer researchers and other “white hat” hackers—to understand and comply with the law.
Judges should be especially mindful to avoid the trap of relying on their own legal background to interpret technical terms that are superficially similar to legal terms, such as “authorization,” “access” and “authentication.” The technical meaning of these terms is consistent with basic cybersecurity principles. “Gates-up-or-down” refers to an essential concept in computer security—the three A’s—authentication, authorization and accounting (or access control). Once judges recognize that authorization and access are technical rather than legal terms, it becomes much easier to navigate the CFAA.
Part of the confusion over the CFAA has stemmed from the failure of judges to recognize that terms like “authorization” and “access” should be understood not as legal terms but as technical concepts, with well-understood technical meanings. While it would be an overstatement to say that the Supreme Court in Van Buren said that the terms “authorization” and “access” in the CFAA mean exactly what they mean in computer security, the technical meaning of these terms is now central to the legal question of whether a user’s actions violate the law.
In the digital age, individuals are governed as much (if not more) by the decisions of those who write software in Silicon Valley (“West Coast Code”) as by statutes enacted by Congress (“East Coast Code”). Both kinds of code depend on specialized terms. When interpreting such a term, it is natural for judges to default to their own discipline’s understanding of it. Often, this yields the right answer—they are, after all, interpreting laws—but not always. When using a specialized term in its legal sense is not appropriate, the result can be confusion and frustration of Congress’s intent.
When laws regulate computers, Van Buren teaches that judges should stop and ask whether Congress may be using the term in its technical sense. Justice Barrett’s opinion is a positive contribution, helping to bridge the gap between law and technology.