ACM US Technology Policy Committee Urges US Supreme Court to Narrowly Interpret Computer Fraud and Abuse Act (CFAA)
Influential Group of Experts Argues that Broad Interpretation of CFAA Could Make Some Forms of Computing Research Federal Crimes
New York, NY, July 9, 2020 – The Association for Computing Machinery’s US Technology Policy Committee (USTPC) filed an amicus curiae ("friend of the court") brief with the United States Supreme Court in the case of Van Buren v. United States. Van Buren marks the first time that the US Supreme Court has reviewed the Computer Fraud and Abuse Act (CFAA), a 1986 law that was originally intended to punish hacking. In recent years, however, the CFAA has been used to criminally prosecute both persons who access a computer system without permission, as well as those who have exceeded their permission to use a database once logged in.
While the Van Buren case involves prosecution of a police sergeant who allegedly accessed a state license plate database for an impermissible purpose, USTPC notes in its brief that the questions posed in this case have broad implications for the work of data and computing scientists, as well as other professionals who make use of the Internet and computing technology, particularly to access information posted online.
Accordingly, USTPC urges the Supreme Court to clearly and narrowly define the limits of the CFAA so that researchers “remain free to find, collect, and use publicly-available data, and to access the publicly-available systems on which data are maintained, without the threat of prosecution or civil lawsuit.”
Specifically, if the common and essential practice of data scraping – in which computer scientists use tools to systematically or automatically search for and collect large-scale data from Internet sources – is considered illegal “unauthorized access” under the CFAA, the threat of years in federal prison if convicted of violating the statute could chill valuable research and innovation. The brief provides no fewer than 20 detailed citations to such beneficial research conducted using data scraping, including an online interactive dashboard that is now in active use to track reported COVID-19 cases in real time.
USTPC also argues that illegal conduct, including the kind at issue in Van Buren, can be prosecuted under other existing criminal statutes and, therefore, that the CFAA need not be stretched to cover access to information made publicly available.
Critically, the brief also urges the High Court to make clear after years of conflicting decisions in lower courts that charges may not be brought under the CFAA against anyone if the conduct they allegedly engaged in merely violates a private agreement, such as an Internet service provider’s terms of service or a private employment contract. Prosecutions have been brought in the past on all of these grounds, thus – USTPC argues – effectively giving private entities the right to make criminal law, a power reserved to Congress alone under the Constitution.
Andrew Grosso, a former US Assistant Attorney who serves as Chair of USTPC’s Law Subcommittee, added that interpreting the CFAA as prohibiting access to information that is already publicly available on the Internet is an inherent contradiction. “The CFAA should not be read so as to put data researchers at risk for criminal or civil liability for conducting research that involves collecting information that is publicly available on the Internet,” Grosso said. “Data researchers have many reasons for collecting and analyzing information available on the Internet, including the audit of gender and racial biases in algorithms used for online job advertising, the market impact of algorithmic price setting, and the evaluation of online news and its impact on shaping political opinion. These kinds of concerns will continue to be crucial as society makes increasing use of information posted online, resulting in the need to access and evaluate that information. Researchers must be able to do so without any chilling effect caused by threat of lawsuit and prosecution. The CFAA was not enacted for such a purpose.”
“Prosecutors and lawyers for large corporate interests have too often sought to use the heavy penalties connected with the Computer Fraud and Abuse Act as a cudgel against infractions that should be remedied with other, more appropriate statutes,” added USTPC Member Lorraine Kisselburgh, who also serves as Chair of ACM’s globally-oriented Technology Policy Council. “Because the Internet is integrated into almost every aspect of work and daily life, liability based on the concept of ‘unauthorized use’ has become more commonplace, but should not be considered a federal crime. Such broad interpretation of the CFAA discourages computing professionals from conducting research that is beneficial to society. We look to the Court to properly narrow the Act.”
The US Supreme Court is expected to hear oral arguments and issue a ruling in Van Buren v. United States by the end of 2021.
About the ACM US Technology Policy Committee
ACM’s US Technology Policy Committee (USTPC) serves as the focal point for ACM's interaction with all branches of the US government, the computing community, and the public on policy matters related to information technology. The Committee regularly educates and informs Congress, the Administration, and the courts about significant developments in the computing field and how those developments affect public policy in the United States.
ACM, the Association for Computing Machinery, is the world's largest educational and scientific computing society, uniting educators, researchers and professionals to inspire dialogue, share resources and address the field's challenges. ACM strengthens the computing profession's collective voice through strong leadership, promotion of the highest standards, and recognition of technical excellence. ACM supports the professional growth of its members by providing opportunities for life-long learning, career development, and professional networking.