41 min read

Van Buren v. United States - Oral Argument

The Supreme Court heard oral argument in Van Buren v. United States, a case concerning a statute of the Computer Fraud and Abuse Act (CFAA) and violations of terms of service agreements.
Van Buren v. United States - Oral Argument
<em>Van Buren v. United States</em> Oral Argument
The Supreme Court heard oral argument in <i>Van Buren v. United States</i>, a case concerning a statute of the Computer Fraud and Abuse Act (CFAA) and violations of terms of service agreements. Nathan Van Buren, a police officer in Georgia, was offered money to look up information on a person in a p…

Transcribed via Rev.com without modification

Jeffrey Fisher:
Mr. Chief Justice, and may it please the Court. The CFAA is an anti-hacking statute. It prohibits obtaining information from a computer without authorization. And to ensure comprehensive coverage, the statute also prohibits, "Exceeding authorized access." As Judge Kozinski put it, "This ensures that the statue covers, not just outside, but also inside hackers."

Jeffrey Fisher:
In this case, however, the government seeks to transform the supplemental prong of the CFAA into an entirely different prohibition. In the government's view, this prong covers obtaining any information via computer that the acceptor is not entitled to "under the circumstances" to obtain. It is no overstatement to say that this construction would brand most Americans criminals on a daily basis. The scenarios are practically limitless, but a few examples will suffice.

Jeffrey Fisher:
Imagine a secretary whose employee handbook says that her email or Zoom account may be used only for business purposes, or consider a person using a dating website where users may not include information on a profile to obtain information about potential mates, or think of a law student who is issued log-in credentials for West Law or Lexus for educational use only. If the government is right, then a computer user who disregards any of these stated use restrictions commits a federal crime. For example, any employee who used a Zoom account over Thanksgiving to connect with distant relatives would be subject to the grace of federal prosecutors.

Jeffrey Fisher:
The main argument the government offers in response to that startling result is that a single two-letter word in the CFAA's definition of exceeds authorized access. The term so demands it. But that word requires no such thing. The word simply clarifies that the user must be prohibited from obtaining the information merely via computer. It relieves the government of having to negate every possible alternative means by which the defendant might permissibly have obtained the information at issue. But that is all the word does. It does not transform the CFAA into a sweeping internet police mandate. The Court should reverse. And I'm happy to take my questions.

John Roberts:
Mr. Fisher, in Musacchio versus United States, this is what we said, "That statute provides two ways of committing the crime of improperly accessing a protected computer, obtaining access without authorization and obtaining access with authorization, but then using that access improperly." You didn't mention that case in your opening brief. The government relied on it. You didn't mention it in your reply brief. I wonder what your answer to that quote is.

Jeffrey Fisher:
Mr. Chief Justice, my understand in that case was the Court was simply giving a thumbnail summary of how the statute works. Of course, the question presented here was not presented there. And, in fact, not even the exceeds authorized access prong was at issue there in the conspiracy issue the Court reached. I understand what the Court to be doing in that summary simply to be using the word improperly as a shorthand for whatever it is that the exceeds authorized access prong prohibits, and then moving right along.

John Roberts:
Well, but that's not what it says. It says, and this seems to me to go to the point at issue here, that the second way you can violate it is by obtaining access with authorization, but then using that access improperly.

Jeffrey Fisher:
Well, Mr. Chief-

John Roberts:
Go ahead.

Jeffrey Fisher:
I'm sorry. I think my answer would simply be just to look at the words of the statute. And I think the definition of exceeds authorized access doesn't talk about improper use. It talks about obtaining information that the accessor is not entitled so to obtain. And as we've explained in our papers, we think the definition of that term leaves out improper purposes because we know Congress, in fact, had those words in the very original provision of the statute, and they took them out in 1986. And we know from other enactments that we've cited, for example, on page 19 of our blue brief, that when Congress wants to criminalize or otherwise prohibit improper use or unauthorized purposes, it does so expressly.

John Roberts:
Just to make sure I have your interpretation correct, if a bank has a policy baring employees from accessing Facebook, an employee exceeds her authorized access and would be covered if she goes onto Facebook. But it wouldn't be a violation if she used that access to look up customers' Social Security numbers and sell them to a third party, right?

Jeffrey Fisher:
I'm not sure I follow, Mr. Chief Justice. I think my position is that it would not violate the CFAA for the employee to go on Facebook. If you're asking me about the Social Security numbers, for example, it would depend on whether the employee actually had access to that information. As we explained in our brief, if that employee has to use certain log-in credentials of somebody else's, for example, to get that information, that would be a violation of the statute. The question, again-

John Roberts:
Thank you. Justice Thomas?

Clarence Thomas:
Thank you, Mr. Chief Justice. Mr. Fisher, you gave a brief list of parade of horribles. In CA-11, this has been the rule for a while, can you give us some actual examples of that happening, of someone violating this provision because of accessing Zoom or something like that or Facebook?

Jeffrey Fisher:
Justice Thomas, not in the 11th Circuit, but the papers discussed, for example, the Drew case out of the Ninth Circuit, which was before the Ninth Circuit issued the Nosal decision where somebody was prosecuted for misusing MySpace. There's a case involving Ticket Master that we cite in the brief. But more generally, Justice Thomas, I'd also point to two other things. One is, remember, that the language of this statute has its own deterrent effect. And so for people who use the internet every day, they have to be aware of the criminal law, both on the criminal side and, remember, this statute has a civil component.

Jeffrey Fisher:
And I think that's the critical thing that the Court said in Maranello and many other cases, that you can't construe a statute simply on the assumption the government will use it responsibly. So if the government has withheld the full brunt of the federal prosecutorial power, that doesn't enable the Court to simply construe the statute on that promise. And so I think that's the critical problem with the government's point here.

Jeffrey Fisher:
I'd also point you to the Committee for Justice brief, which gives another example of just not everyday Zoom use or Facebook use, but also political prosecutions, like the case in Kelly last term and McDonald a little bit earlier. And I think there's a persuasive case made in that brief how any one of those prosecutions could simply be repackaged as a CFAA prosecution if the government were to win here.

Clarence Thomas:
So you are, I assume, to be making a point that, well, if you don't have the authority to access a certain area, for example, you have a level-A clearance, but you access information that is at a level-B or something, that that, certainly, would exceed authorization. But why can't you have the exact same thing on the other end, that is, you have authority to access information, but you are limited, that authorization is limited as to what you can do with it?

Clarence Thomas:
For example, you work for a car rental, and you have the access to the GPS. But rather to use it to determine the location of a car that may be missing, you use it to follow a spouse, or, as in this case, the use of the information is a problem. So, I don't understand why you make the distinction between these two levels or ways that you can have or not have authorization.

Jeffrey Fisher:
Because of the language of the statute, Justice Thomas. The statute simply asks whether the user is entitled to obtain the information. And to use your car rental example, the user there is entitled to obtain that GPS information. Now, it may be a breech of company policy. In the case of the stalking example that the government gives in its brief like that, it may be a different crime. But the question in front of you is whether it violates the CFAA as enacted and existing right now. And so my only-

John Roberts:
Justice Breyer?

Stephen Breyer:
All right. The argument on the legislative history I'm interested in because there was a earlier statute which did say pretty clearly it's a crime to use your access for purposes to which such  authorization does not extend. And then that was changed to the present language, but at that time the history says that they didn't mean to make a substantive change. So what do you respond to that?

Jeffrey Fisher:
Well, two things, Justice Breyer. Remember, first of all that that original provision of the statute was exceedingly narrow. It applied just to certain federal employees and certain information. When Congress changed that law two years later in 1986, you're right that in one point of the committee report it talked about simply clarifying the statute. But in the other part of the committee report dealing with exactly the same words, what Congress said is that they had removed one of the murkier grounds for liability and refocused the statute on its principal object. And so you have those crosscutting pieces of legislative history.

Jeffrey Fisher:
And even the government, I would stress, does not argue that all that amendment did is clarify. The government says that that amendment actually dramatically expanded the statute to go even beyond improper purposes to a violation of any stated use restrictions. So nobody here is arguing that the statute didn't change in 1986. It's just a question of whether it expanded dramatically or took away that purpose language.

Jeffrey Fisher:
And I think, Justice Breyer, the other thing I would stress about the legislative history is because this is a criminal case, we think it's improper, if not at the very least, very dangerous to rely on legislative history to resolve ambiguity. In stead, what you should look to are thing like the rule of lenity and the principal of last term in Kelly and then Maranello where the Court has always resisted construing ambiguity in federal criminal statutes to vastly enlarge the sweep of criminal liability.

Stephen Breyer:
Thank you.

John Roberts:
Justice Alito?

Samuel Alito:
Mr. Fisher, in this case we've received amicus briefs from a number of organizations and individuals who are very concerned about what your interpretation would mean for personal privacy. There are many government employees who are given access to all sorts of highly-personal information for use in performing their jobs. But if they use that for personal purposes, to make money, protect or carry out criminal activity, to harass people they don't like, they can do enormous damage, and the same thing for people who work for private entities. Think of the person in the fraud detection section of a bank who has access to credit card numbers, and uses that information to sell for personal profit. Do you think that none of that was of concern when Congress enacted this statute?

Jeffrey Fisher:
Justice Alito, with due respect, I do not think it was. What Congress was concerned about was computer hacking, and that's up and down the legislative history, this new problem of hacking. And I think that the two things I would add to that, because I understand the concern, and there are powerful briefs about the policy question you raise, and it's possible Congress may want to step in and regulate that and even criminalize it to some effect. But the question is what does the statute you have in front of you right now do? And the problem with the government's view, or those amicus briefs, is there's no way to reach the government employee or the financial employee that you're imagining without also reaching every other ordinary employee who violates an employee handbook, every student who violates the [crosstalk 00:12:49].

Samuel Alito:
Let me ask you about that, because you rely heavily on former Judge Kozinski's parade of horribles. But in doing that, you read the provisions of this section very, very broadly. Take the example of the person who lies about weight on a dating website. How would that be a violation of this statute?

Jeffrey Fisher:
Well, under the government's theory it's a violation to use a website in violation of the terms of service. I think the government [crosstalk 00:13:25].

Samuel Alito:
Well, what the statue says is to obtain information, obtain or alter information. How is that person obtaining or altering information?

Jeffrey Fisher:
Well, I think typically [crosstalk 00:13:35].

Samuel Alito:
It's putting in information.

Jeffrey Fisher:
No, it's not the entering of the false information, Justice Alito, it's then obtaining information on a dating website, for example, about a potential mate. So you are obtaining information from the website through a profile that is false, and that violates the terms of service of that website. And it falls squarely within the government's theory because you've gotten on that website with authorization with your log-in credentials because you're a single person and not married, etcetera. And you have obtained information in violation of the stated use restrictions on that website. So I don't see how the government gets out of that hypothetical.

Samuel Alito:
All right, thank you.

John Roberts:
Justice Sotomayor?

Sonia Sotomayor:
Counsel, I very much understand the concerns of my colleagues about the amicus briefs of illegal conduct that this would not cover, including the one at issue here, your client, a local police officer, not your client, I'm sorry, yes, your client, a local police officer who paid for information he got from the federal computer system for personal reasons. But the fact that there isn't this federal crime doesn't mean this conduct isn't prosecuted in other ways, does it?

Jeffrey Fisher:
No. For example, my client in this case was prosecuted also under a separate count that's pending on remand. As I said in our reply brief, other types of misconduct the government talks about, like the stalking example or like mis-obtaining health information, misuse of trade secrets, all of those things can be prosecuted under different federal statutes. And if Congress decided, it could enact the proposal the Department of Justice has given it a couple of times over the last several years to expand the CFAA in certain limited respects.

Jeffrey Fisher:
But as I was trying to say earlier, Justice Sotomayor, the core of the problem is there is no foothold in the statute to inch the statute forward to cover the conduct in this case without also covering all kinds of other violations of purpose-based restrictions that could appear in terms of service contracts, employee handbooks, course syllabi at universities, or even oral dictates. Go back to the facts of this case and imagine Mr. Van Buren's supervisor had told him, "Please don't do any license plate searches this evening until you've finished your paperwork. Or tomorrow when you're out on patrol-

Sonia Sotomayor:
Counsel, are there targeted changes that could be made to limit the reach of this statute to exactly the fears that I think one of my colleagues expressed, the kind of conduct that we would think of as subjecting someone to punishment? I know, for example, most statutes have a obtaining information and using it for financial gain.

Jeffrey Fisher:
Yes, Justice Sotomayor, the government itself has proposed amendments to the statute that we cite in our brief. Professor Kerr in his amicus brief describes those proposals as well and endorses them. But I think, again, the critical point I would make is that that should come from Congress. Just back to this statute, as I was saying, what about oral directives to an officer that, "Tomorrow when you're out on patrol don't run license plates just on ordinary traffic stops. I want you to be more efficient"?

Jeffrey Fisher:
There's any number of questions that would have to be addressed. Just look at subsection one of this statute, Justice Sotomayor, it does restrict federal employees' use of information and giving it to third parties. That is not part of the provision at issue here. So, again, that would be a choice for Congress to make, and all these things should be done on a legislative basis.

John Roberts:
Justice Kagan.

Sonia Sotomayor:
Thank you, counsel.

Elena Kagan:
Mr. Fisher, could you tell me again what you think so means?

Jeffrey Fisher:
So means in the manner so described, that's the Black's Law definition. And so translated to this statute, what it means is that you've accessed and obtained the information via computer as opposed to some other means.

Elena Kagan:
Could you just parse that for me a little bit? In a manner so described asks for some kind of reference back, so what are we referring back to on your theory?

Jeffrey Fisher:
You're referring back to access a computer with authorization. So, Justice Kagan, two things that might flesh this out for you, one is we give an example of another federal statute on page two of our yellow brief that uses so in this manner. It just picks up what was said before that was earlier. And maybe the government's own hypothetical, I think, is the best way this plays out where the government worries about a federal contractor obtaining salary information from a salary database that he does not have access to.

Jeffrey Fisher:
And what so does is it prohibits that person from defending himself in a prosecution for hacking into that database by saying, "Oh, I could have filed a FOIA request, or I could have called the employees themselves and asked them what they made. And, therefore, I was entitled to obtain the information." That defense is off limits because of the word so, and, in fact, in that way so helps the government.

Elena Kagan:
On your parade of horribles, a similar question to Justice Alito's, but one of the features of your parade is an employee checking Instagram at work. How is that obtaining or altering information?

Jeffrey Fisher:
It's obtaining information because you are literally obtaining the words or pictures out of Instagram. And it would violate the government's rule. Remember, the prosecutor himself told the jury this at closing argument, it would violate the government's rule because the employee would be, at least theoretically, prohibited from using her work computer for personal reasons. And so checking Instagram through your work computer would be an improper purpose. It would be an improper use. And you would obtain the information from the computer in the form of those pictures or words or whatever they might be.

Elena Kagan:
Thank you, Mr. Fisher.

John Roberts:
Justice Gorsuch?

Neil Gorsuch:
Good morning, Mr. Fisher. Picking up on your parade of horribles, could you explain to us what the constitutional implications are of your parade? Just give you an opportunity, rather than just make a policy argument, try and link it up to something bigger.

Jeffrey Fisher:
Thank you, Justice Gorsuch. I think there are two constitutional problems. One of the First Amendment problems with certain applications of the government's rule that are described in the amicus briefs. Secondly, there's the vagueness problem, and that's what I'll focus on. Under the government's view, remember, obtaining information via a computer that you're not entitled "under the circumstances to obtain" violates the statute. That is an impossible vagueness problem because either one of two things has to be correct, either under the circumstances means, literally, every possible circumstance you could imagine, right down to somebody orally telling you not to do that. Imagine a parent telling her teenager, "Don't use Instagram tonight until your homework is done, or don't use Facebook to talk to your friends."

Jeffrey Fisher:
And so, the opportunities for prosecutorial discretion are probably broader than any statute the Court has ever seen, if this government is right in literal terms. The only alternative is that under those circumstances somehow puts some of those circumstances in and some of them out, but that's a wholly indeterminate problem that I think violates just the most basic fair notice principles of the criminal law.

Neil Gorsuch:
And then on the reverse parade of horribles we've heard from the other side, I guess I'm struggling to imagine how long that parade would be, given the abundance of criminal laws available. So if this one didn't cover that kind of conduct, but there were troublesome forms of it, like your client's behavior in this case misusing a police database, I assume there are ample state laws available that criminalize a lot of that conduct. Am I mistaken?

Jeffrey Fisher:
No, in fact, this case comes from Georgia, and Georgia itself has a statute about hacking or otherwise misusing computer information. As we point out in our reply brief, the government gave a few hypotheticals in its brief, and almost every one of them is already addressed by some other provision of even the U.S. code, let alone state law.

Jeffrey Fisher:
And even, remember, my client himself has already lost his job and has other forms of punishment that have already been brought to bear. So if Congress decides somehow that is not enough and it wants the CFAA to also be available in situations like this, it could amend the statute, but I don't think there's anything like or a comparable problem on the other side in terms of the sort breadth issue in front of the court.

John Roberts:
Justice Kavanaugh?

Brett Kavanaugh:
Thank you, Mr. Chief Justice, and good afternoon, Mr. Fisher. Picking up on Justice Gorsuch's question there at the end, and following up on questions from earlier, one of the concerns, I suppose, is government employees or financial company employees or healthcare company employees who have access to very sensitive personal information and then disclose it. And I'd appreciate if you could give us a sense of the federal statutes that you think would cover such disclosures, if any. I take your reference to state statutes, but are there any federal statutes that you want to identify that would cover that kind of situation?

Jeffrey Fisher:
Sure. I think I'd start with page 19 of our blue brief, Justice Kavanaugh, where we cite a federal statute that prohibits obtaining classified information and using it for an unauthorized purpose. So that's one very important statute.

Jeffrey Fisher:
We cite a couple of others involving Social Security Administration information. There's also the trade secrets statute that was passed in 1996. Again, this circles back to Justice Breyer's question, but, remember, that was passed right alongside amendments to the CFAA. And so when Congress wanted to criminalize an improper purpose it knew exactly how to do so, and it did with respect to trade secrets. So I think those are the ones that I would highlight. The government, of course, in this case also tried to use the wire fraud statute, and that may be available in some situations as well. So I think you have, for the most part, already fairly comprehensive coverage. And as I said, I'd like to say it one more time-

Brett Kavanaugh:
Can I interrupt? Sorry to interrupt, Mr. Fisher. The 1984 version of the statute likely would have covered this kind of activity. Why do you think Congress would have narrowed it in 1986 when they were still concerned about this kind of activity? I get your textual point, but I'm just trying to figure out why Congress would have narrowed it in that sense.

Jeffrey Fisher:
Well, for two reasons, I think, Justice Kavanaugh. One is, remember, it actually would not have covered this case in 1984 because that statute dealt only with federal employees and certain, particular kinds of information.

Brett Kavanaugh:
This kind of activity, I take your point.

Jeffrey Fisher:
And I think that's [crosstalk 00:25:15] the answer, is that when Congress expanded the statute eventually to cover all computers, basically, in the United States, it also did at the same time remove that murky ground of liability because it was not, as Congress said in the report, the core of the statutory [crosstalk 00:25:31].

Brett Kavanaugh:
I take your point, and I meant to say this kind of activity, not this case, but in a different context. And I take your point about the kind of computers covered. Why wouldn't a Mens Rea requirement solve your problems if the Court were to read intentionally to require knowledge of the law, not just the facts?

Jeffrey Fisher:
Well, I think the most a Mens Rea requirement could require would be knowledge that you are violating a use restriction and-

Brett Kavanaugh:
Let me just challenge your premise. What if we read it to avoid the concerns to require knowledge of the law as we do with statutes that use the term willfully, for example?

Jeffrey Fisher:
I think even there, Justice Kavanaugh, it would just be such a remarkably broad statute, and then you'd have the problem of people who use West Law for personal reasons. They use their work computers for personal reasons. They use any number of other websites, as I was describing, and are told on a daily basis by supervisors and parents and all kinds of other people, "Don't use the computer for this." And I do think-

John Roberts:
Thank you, Counsel. Justice Barrett?

Amy Barrett:
Good afternoon, Mr. Fisher. We've been focusing on the exceeds authorized access prong, which is the prong that mattered for Mr. Van Buren. But I want to ask you how that prong relates to the other prong, the accesses the computer without authorization prohibition. Let's imagine that Van Buren faced a very firm departmental policy that said he could not use the computer itself for any personal purpose, and he gets into the computer and does what he did here and looks up license plates for a personal use. Has he violated the earlier prong, the accesses the computer without authorization prong?

Jeffrey Fisher:
I think probably not, Justice Barrett. I think the question you're asking raises the question described in some of the amicus briefs about whether the without authorization prong covers just code-based restrictions or other kinds of directives. And I think the best evidence I can give you that it covers just code-based restrictions is subsection six at the top of 3A of the government's appendix. This is the statute-

Amy Barrett:
Well, let me interrupt you for one second, Mr. Fisher, because I'm actually getting, I think at a different point, perhaps, and [inaudible 00:27:49]. It seems to me that the way that you're reading the statute views authorization as an on-off switch. Either you're authorized to use a computer or you're not. Either you're authorized to get into a particular database or get a piece of information or you're not. So here Van Buren could get the license plates, and it didn't matter if he was getting them for a reason that he was not supposed to get them for.

Amy Barrett:
So, it seems to me that you are looking at authorization in a bright, gates up or gates down kind of way, whereas the government is looking at scope of authorization as included. For example, my babysitter might have a key to my car so she can pick up my kids from school, but then she uses the car to go run some personal errands. She's exceeded the scope of her authority. And I guess what I'm trying to get at is why should we understand entitlement or authorization to be just an on-off switch and not to have a scope component?

Jeffrey Fisher:
Well, I think for two reasons. One is that the statute itself doesn't have a scope component or a purpose component or anything like that. It simply asks whether the person, now I'm back to our prong, was entitled to obtain the information. And the answer here is, "Yes, he was."

Amy Barrett:
But doesn't the idea of entitlement or authorization itself have a scope component? That's what we would think of, an agent's authority that the principal has given him, for example.

Jeffrey Fisher:
It can sometimes, Justice Barrett. I don't disagree with that, but the question is whether it necessarily does. We don't think as a statutory construction matter it necessarily does. And when you compare this to other statutes that do carve out improper purpose, we think that's evidence that Congress didn't think this was one of those kinds of statutes.

Jeffrey Fisher:
And so, I think that's the other piece of it, is to compare back again to the prong that you started with, which is the without authorization prong. We know from the provision I was starting to read to you that Congress thought of that as sort of a password type restriction or a technological-based restriction. And that's what Congress was concerned about, not other kinds of softer scope-based restrictions.

Amy Barrett:
Thank you, Mr. Fisher.

John Roberts:
A minute to wrap up, Mr. Fisher.

Jeffrey Fisher:
Thank you. I think, Mr. Chief Justice, what I'd leave you with is the dialog that I've just had with Justice Barret and Justice Kavanaugh. The core problem here is that once you think the statute is ambiguous as to whether or not scope restrictions or purpose restrictions come in, the statute gives you no tools to distinguish the kinds of hypothetical, some of which are troubling, and some of which are more everyday, like Justice Barrett was asking me about. You cannot distinguish all those hypotheticals from the ones that the government wants to plant to the most troubling.

Jeffrey Fisher:
So you have this cascade of contract-based restrictions, employee handbook restrictions, course syllabus restrictions, oral restrictions, all the other things that could directly restrict the scope of use in a way that even as Justice Kavanaugh imagined, if the reader knew, if the user knew that that violated the statute. And that would be just the vast, sweeping criminal law that would bring the over-criminalization concern that this court has had over the last several years really home to roost in just one single statute. And so we urge you not to go that far in this case.

John Roberts:
Thank you, Counsel. Mr. Feigin?

Eric Feigin:
Thank you, Mr. Chief Justice, and may it please the Court. I don't think you heard my friend spend much time on the text, and I want to start right there. In the words of section 1030, petitioner used his access, that is the credentials entrusted to him as a police officer, to obtain database information that he was "not entitled so to obtain" when he looked up a license plate in return for a bribe. Such serious breeches of trust by insiders are precisely what the statutory language is designed to cover.

Eric Feigin:
If a statute prohibited accessing a warehouse with authorization and using such access to obtain items in the warehouse that the accessor is not entitled so to obtain, everyone would understand that language to cover an employee who's allowed to take items for work, who instead takes them for himself. Section 1030 used the same language to extend the same property-based protection to the private computer records that contain our most sensitive financial, medical and other data.

Eric Feigin:
Petitioner is trying to gut the statute and leave all of that data at the mercy of anyone who ever had any legitimate ground to see it under any circumstance. But in doing that, he fails to give effect to every word of the statute, as his answer to Justice Kagan showed, and he ignores its clear history and design, as his answer to Justice Breyer showed.

Eric Feigin:
What he's instead relying on here is a wild caricature of our position that tries to bury his own heartland statutory violation beneath an imaginary avalanche of hypothetical prosecutions that he can't actually identify in the real world for seemingly innocent conduct. But those invented cases would implicate textual limits, such as the need for an authorization based system and use of the access to reach otherwise inaccessible data that his own conduct clearly satisfies.

John Roberts:
Mr. Feigin, is your friend correct that everyone who violates a website's terms of service or a workplace computer use policy is violating the CFAA?

Eric Feigin:
Absolutely not, Your Honor, and I think the reasons are different than the two hypotheticals you've given. First of all, on the public website, that is not a system that requires authorization. It's not one that uses required credentials that reflect some specific individualized consideration.

John Roberts:
Then limit my question to any computer system where you have to log-on.

Eric Feigin:
Your Honor, I don't think all systems that require you to log-in would be authorization-based systems because what Congress was driving at here are [crosstalk 00:34:16].

John Roberts:
All right, well, then every system that has a password.

Eric Feigin:
No, Your Honor, and let me explain why. What Congress was aiming at here were people who were specifically-trusted, people akin to employees, the kind of person that has actually been specifically considered and individually authorized. I don't think we'd say that about-

John Roberts:
Well, you just talked about what Congress was aiming at. I'm concerned with the text of the statute.

Eric Feigin:
Sure, Your Honor. I think our reading of the text is consistent. Our reading of the word authorization to require individualized consideration. It makes sense in this context. It's consistent with the Court's decision at Washington County and the dictionary definitions cited in pages 37 to 38 of our brief. And I think it makes sense as just a matter of plain English.

Eric Feigin:
I don't think you'd say that a system that the Museum of National African American History and Culture required authorization to enter when you had a sign-up sheet, and anybody from the public could come in. They just had to register for a particular time. Services like Facebook and Hotmail that will give accounts to anybody who has a pulse and even people who don't because they don't really check, those aren't authorization-based systems. And I think that narrow meaning makes a great deal of sense in this statute, and it takes care of nearly his entire parade of horribles.

John Roberts:
Well, I don't understand your example of the museum. If the guards says, it would natural for him to say, "Are you authorized to enter at this time?" I don't understand your focus on authorization as a limiting term.

Eric Feigin:
Well, Your Honor, I think authorization, clearly as the Court used it in Washington County and as various dictionaries use it, refers to some level of consideration and affirmative, thought-out permission. And the question there-

John Roberts:
Thank you, Counsel. Justice Thomas?

Clarence Thomas:
Thank you, Mr. Chief Justice. Mr. Feigin, I'd like you to respond to Mr. Fisher's argument about the rule of lenity. He seems to think that, even if this was a toss-up or it looks like a toss-up, we should rely on that since this is a criminal statute. What's your response to that?

Eric Feigin:
I have two, Your Honor. Number one, and I'm happy to get into this, I don't think this is a grievously ambiguous statute, or even an ambiguous one. I think it clearly supports us, and his reading is textually insupportable. And I'll get back to that in a second. But the second thing I'd say is if the Court does think the rule of lenity ought to apply here, I think the better place to apply it is on words like authorization, as I was just discussing with the Chief Justice, or the word use, which I think really has to require that the access is instrumental to obtaining data that would otherwise be inaccessible. If you'd like, I can drill down on that textual point.

Clarence Thomas:
No, that's good enough. I'd like to go to something slightly different. The language before the '84 amendment seemed to cover this more precisely or expressly. And, of course, we have a change in the few words, and it flows a bit better. But would you explain, without getting too much in the legislative history, the change in language and why you think it actually expands its coverage as opposed to compressing it, as Mr. Fisher seems to think?

Eric Feigin:
Your Honor, I don't know that it expands it so much as it really just clarifies it. It's much simpler and more concise. And I think one thing that it does is if you look at the previous language, I think it was potentially subject to the interpretation that you had to look to the purposes behind the authorization, like why is this particular person authorized to use the system, whereas the current language is much more focused on the expressed limits that are inherent in the authorization itself. And I think it really clarifies that point and doesn't invite any further inquiry. And, Your Honor, I know the question was made without reference to legislative history, but I think the legislative history is quite clear on this particular point.

Clarence Thomas:
Thank you.

John Roberts:
Justice Breyer?

Stephen Breyer:
Well, I take it that if I go to my PC there are, seems to me, dozens and dozens and dozens of sites where they say, "You may enter this site and use the information here if you agree to the following terms of access." And then you have a big list in small print that goes on for quite a long ways, pages. Now, I take it that would be covered, and the terms of access would be what's permitted and what isn't, authorized and not, correct?

Eric Feigin:
No, Your Honor.

Stephen Breyer:
No? Why not?

Eric Feigin:
Authorization in this statute has a meaning of being granted specific, individualized permission, and-

Stephen Breyer:
Then I'm not granted that when they say in this piece of paper, or not on a piece of paper, it says in the thing, "Here are the terms of access. You can use whatever we're giving on this site for the following purposes, but not for the other purposes." That isn't covered?

Eric Feigin:
No, Your Honor, no more so than I think you would think that you've been specifically authorized to enter if you walk into a building and there's a sign posted on the outside about some things you're not supposed to do in that building. The word authorization, under the dictionary definition that this court made clear in Washington County, requires some kind of individualized permission. [crosstalk 00:40:35].

Stephen Breyer:
So if your employee tell you, "Mr. Jones, you work for me. Here is a PC. You will get all kinds of emails on this PC. You are never to use this email for a personal purpose," and then he does, uses it for personal purpose. That doesn't violate the statute?

Eric Feigin:
So, Your Honor, this gets to the second limiting feature of this statute. So, let's assume it's an employee who has satisfied the definition of authorization. He's been specifically, individually authorized to use the computer. I don't think the word use necessarily requires that the user do something the user couldn't otherwise do. And I think there's two reasons for that in this statute. First, the statute refers separately to accessing the computer and using the access, which shows that using the access has a further narrowing function. And second, the user has to use the access, not just the computer itself. So if you decide send and to your friend about when you're going to have lunch together, that's something you could do from your phone. There's nothing special about using the access.

Eric Feigin:
I'd point you back to the warehouse example I gave in my introductory remarks that just substitutes the word warehouse for computer and items for information. I don't think we'd have any trouble really understanding these distinctions, that that's a statute that's aimed at insiders who are people trusted to get into the warehouse, who obtain the items in ways that they're not supposed to obtain. And I don't think we'd think it would be covering these other kinds of scenarios. If I were to talk about a statute where somebody steps on a ladder and uses such step to retrieve an item, you'd think it was an idem that the person couldn't get without stepping on the ladder and using the ladder. Not an item that was easily reachable from the ground.

John Roberts:
Justice Alito?

Samuel Alito:
I find this a very difficult case to decide based on the briefs that we've received. In response to the concerns about the effect on personal privacy of adopting Mr. Fisher's recommended interpretation, he says, "Don't worry about that because there are other statutes that cover it." But I don't really know what those statutes are in many of those instances.

Samuel Alito:
And on your side, with respect to the argument that adopting your interpretation would criminalize all sorts of activity as largely innocuous, you suggest that there are limiting instructions, limiting interpretations, but I don't know exactly what they are. And it would really be helpful to see them in writing. So what exactly is authorization? What exactly does it mean to obtain or alter information? What is this statute talking about when it speaks of information in the computer? All information that somebody obtains on the Web is in the computer, in a sense. I have a feeling that's not what Congress was thinking about when it adopted this.

Samuel Alito:
So I don't really know what to do with... I don't really understand the potential scope of this statute without having an idea about exactly what all of those terms mean. What help can you give us on that? Is this something that would be helpful to have specific briefing on the meaning of all these terms?

Eric Feigin:
Well, Your Honor, I actually think the answer to that is no, and the problem you're facing is because of the way petitioner has teed-up the case for you. Petitioner is focusing on only one very small bit of the language here, the entitled so language. And then he's trotting out this parade of horribles and telling you the only to avoid it is to interpret that language, which I think is quite clear, in his manner as a way that would get rid of all the privacy protection that the statute provides.

Eric Feigin:
There are all these other limitations that Your Honor has pointed to. I don't think this is the case in which we can brief them because he acknowledges that his own conduct satisfies them. We have identified for the court some ways in which courts could limit these things. I think the proof is in the pudding, which is that I believe it was Your Honor who asked him where the parade really is. And he could identify two members of the parade, one was the Drew case that didn't actually result in a sustained conviction. And the other was a Ticket Master case in which the defendant hired Bulgarian hackers to circumvent some technological limitations. And I think that shows that everybody has understood this statute not to cover that kind of conduct and to cover the kind of conduct that's at issue here today just like [crosstalk 00:46:03].

John Roberts:
Justice Sotomayor? Justice Sotomayor?

Sonia Sotomayor:
I'm sorry, Mr. Feigin. My problem is that you are giving definitions that narrow the statute that the statute doesn't have. You're asking us to write definitions to narrow what could otherwise be viewed as a very broad statute and dangerously vague. But more importantly to me, you said that there is no ambiguity in this statute. But let me give you an example, imagine a law that says, "Anyone who drives on Elm Street who is not authorized so to drive shall be punished."

Sonia Sotomayor:
The so to drive, to me, could mean if you're not authorized to drive on Elm Street. But under your theory, it could be, and might very possibly be read as saying, "You can't ride on Elm Street if you're driving on it with an illegal purpose." You're speeding. You're breaking the law on curfew. You're texting. It could even cover people who drive on Elm Street on their way to commit a different crime because they weren't authorized to be on Elm Street for the purpose of committing a crime. So, to me, if all you're relying on is that word so, I don't get around the ambiguity, especially when the other side points to so many examples in the criminal code where the so refers to in the manner that has just been described.

Eric Feigin:
Well, Your Honor, what I petitioner relied, both at argument to day and on page three of his reply brief, is that so in the statute doesn't refer back to accessing the computer. It refers back to use such access. Everyone agrees that so means in that manner. And the statute refers to a particular discrete act. So if on some occasion user is not entitled to use his access to obtain certain information, I think he's clearly violated the statute. He tries to get around that-

Sonia Sotomayor:
Mr. Feigin, doesn't your reading sort of render superfluous the second part of the statute? I think what you're arguing is if I'm not authorized to go on this computer for this purpose, then we don't need the second half of the statute.

Eric Feigin:
Are you talking about the without authorization prong, Your Honor?

Sonia Sotomayor:
Exactly.

Eric Feigin:
Actually, Your Honor, I think it-

Sonia Sotomayor:
Without authorization or exceeding authorization access.

Eric Feigin:
Sure. Your Honor, I actually think it's their reading that collapses the two prongs because if all Congress were concerned about were people who get information they're not supposed to obtain, it would have a simple one-pronged statute that criminalizes accessing a computer and obtaining information that the accessor is not entitled to obtain. In stead, it broke out a piece for people who access without authorization, the hackers, and people who exceed authorized access, the insiders. And the main danger that insiders present is the precise danger that this case exemplifies.

Sonia Sotomayor:
One last question, Counsel. Why do we need other parts of the statute, like 30, 30A4 that speaks about exceeding authorized access for fraudulent purposes? For your theory of the case, that is a completely superfluous position.

Eric Feigin:
No, Your Honor. Something that would come in under A4 but not A2C would be, for example, somebody at Amazon who have access to the ordering database who modifies that database to get an extra item delivered to him or herself.

John Roberts:
Justice Kagan?

Elena Kagan:
Mr. Feigin, if I understand your brief correctly, you would concede, wouldn't you, that if the word so wasn't there you would lose this case?

Eric Feigin:
I think it would be a much tougher case for us without the word so, Your Honor.

Elena Kagan:
So then the question is what does so mean? And picking up on what you were saying to Justice Sotomayor, if I understand Mr. Fisher's argument, he says so means by accessing a computer. And you just said so means by using your access. And why is that we should pick your choice of the prior reference rather than his choice of the prior reference?

Eric Feigin:
The anti-surplusage canon, Your Honor. If all so is doing in the statute, and his is his reading, if all so is doing in the statute is to make sure that the statute covers someone who could get similar information from a non-computerized source, then it's entirely surplusage.

Elena Kagan:
I think he disputes that, and I think he has a point here. He's saying that what that prevents is using the statute as to cases where you could obtain the information in a non-digital manner.

Eric Feigin:
Well, your honor, the statute is already limited to information in the computer. That is, the computer record, the bits and bytes. And that has to be the case because the statute covers, not only obtaining, but also altering. When it refers to altering information in the computer, surely it's referring to altering the specific record of, say, my birthday, rather than the abstract fact of the day I was born simply because it happens to be contained in a computer or in the computer that was accessed. And so if we're limiting this to people who can't use their computer access, as opposed to having somebody read them something over the phone, then that limitation is already quite clearly baked into the statute.

Elena Kagan:
Thank you, Mr. Feigin.

John Roberts:
Justice Gorsuch?

Neil Gorsuch:
Good morning, Mr. Feigin. I guess I'm curious about a bigger picture question, and that is this case does seem to be the latest, as the petitioners point out, in a rather long line of cases in recent years in which the government has consistently sought to expand federal criminal jurisdiction in pretty significantly contestable ways that this court has rejected, whether we're talking about Maranello or McDonald or Yates or Bond, you pick your favorite recent example. And I'm just kind of curious why we're back here again on a rather small state crime that is prosecutable under state law, and perhaps under other federal laws, to try and address conduct that would be rather remarkable, perhaps, making a federal criminal of us all.

Eric Feigin:
Your Honor, we don't think the statute does that, for reasons I've tried to explain and we get into in our briefs. But we do think the statute is aimed at precisely this sort of thing, and I can give several examples of-

Neil Gorsuch:
I'm asking a bigger question, and that is there's this pattern. And I would have thought that the Solicitor General's Office isn't just a rubber stamp for the U.S. Attorneys offices, and that there would be some careful thought given as to whether this is really an appropriate reading of these statutes, in light of this court's holdings over now about 10 years, maybe more, in similar laws.

Eric Feigin:
Your Honor, we do think this is the correct reading of the specific narrow portion of the language that is at issue here. We do not think that every prosecution that they're [inaudible 00:54:13], or even every prosecution we've brought, let's take the Drew prosecution as an example is one that would validly be brought under this statute. But the kind of misconduct we have here where a police officer tips off a criminal about something is exactly the kind of misconduct that the statute was aimed at because the police officer is abusing his trust and has access to state and national databases, which petitioner here abused.

Neil Gorsuch:
Thank you, Mr. Feigin.

John Roberts:
Justice Kavanaugh.

Brett Kavanaugh:
Thank you, Chief Justice, and good afternoon Mr. Feigin. Let's focus on the text a bit. I look at the text and think, "Accesses a computer without authorization means someone who gets on a computer that they're not allowed to get on." And exceeds authorized access and obtains information, I would think, means you're allowed onto the computer, but you go into a file that you're not allowed to access. And that those two things are what the statute might speak to, and that disclosure of information that you obtain or misuse of information you obtain is something distinct. But merely browsing around obtaining the information that you're not in a file you're not allowed to look at is what that second prong is getting at. So why is that wrong as a textual matter?

Eric Feigin:
Well, a couple of points, Your Honor. First, if that's all the second prong covers, then, basically, that's just like saying, if we do brick and mortar analogy, that's just like saying it's a crime for an employee of the store to go into the back office and take money out of the shoebox where we keep petty cash because he's not allowed ever to get at the petty cash box. But he can take as much money as he wants for himself out of the cash resister because he's entitled to go into the cash register to make change. So it's not just limited to files. We do think it goes to the limits of the authorization.

Eric Feigin:
The second point I would make, just to get back to the text here, Your Honor, as I was trying to explain earlier to the Chief Justice, authorization has a meaning here. And everyone, I think, can fairly agree that one meaning of authorization is that you are giving someone specific permission. That's the definition that we've cited in our briefs, and it's amply supported. There might be a question of how specific the permission has to be, but in context, I think the permission needs to be fairly specific. So there are going to be a number of systems that aren't necessarily covered by either prong directly. [crosstalk 00:57:16].

Brett Kavanaugh:
Sorry to interrupt, I want to get one more question, and I think you acknowledged to Justice Kagan that you would be in trouble here if the word so were deleted and you relied on the surplusage canon. But she pointed out that there is some meaning offered by petitioner to the word so. But even if it were surplusage, that canon can only take you so far, and this would be, as Justice Gorsuch said, a fairly substantial expansion of federal criminal liability based on one word that you're saying we have to interpret a particular way because of avoiding surplusage, can you respond to that quickly?

Eric Feigin:
Well, let me say a couple of quick things about that. One is, this may sound a little trite, but just because the word is two letters doesn't mean the anti-surplusage canon ought not to apply. The second thing I'd say is that the word so here really does ensure that this is covering the kind of conduct that Congress wanted to cover. Without our interpretation, this is going to leave open anybody to use any information that they have or look up any information under any circumstances whatsoever, so long as there's some narrow, conceivable circumstance under which they'd be allowed to do so, and that doesn't really make a lot of sense.

John Roberts:
Justice Barrett?

Amy Barrett:
Good afternoon, Mr. Feigin. So I want to follow up on Justice Kavanaugh's question. The interpretation that he offered to you of that language, accesses a computer without authorization, or exceeds authorized access is similar to the kind of on-off switch that I was describing to Mr. Fisher. And so you're either authorized to be there or you're not. And it doesn't really take into account questions of scope. You say that so is what really makes your argument, so are you saying that there isn't any kind of inherent idea of a scope of authorization simply in the word authorize itself?

Eric Feigin:
There is inherent in the word authorize the scope of authorization, Your Honor. I think that is the access is the authorized access, and then you're using the access in a manner you're not permitted so to use it. So you are exceeding a limit on your authorization. But I think so actually refers back to the word access.

Eric Feigin:
But just to clear up any confusion here, the word authorization refers to specific, individualized permission. And there are going to be systems that don't really require that at all. And so if I access a public website, just like I wouldn't really, normally talk about going to a public park with or without authorization, it's just a thing everyone can do, a public website wouldn't be a system that has authorization [crosstalk 01:00:13].

Amy Barrett:
And it seems to me, though, you're attributing an awful lot of specificity to the word authorization that it doesn't have. You can have very specific authorization from an employer, even from a professor. What if a professor teaching a class, a small class, it's very individualized, 12 seminar students, and she says, "You may use a computer in class to take notes, but for no other reason. You shouldn't check personal Gmail."

Eric Feigin:
Well, Your Honor, I don't think that's the kind of authorization the statute is referring to. It's talking about authorization by the owner of the computer data, not just some external constraint that's place on anybody. And I think that would be problematic, even under petitioner's reading of the statute because all of a sudden you're prohibited from going into any file in your computer. And the person has flatly prohibited that for that period of time. So he doesn't really avoid that. The same way his parent-child hypothetical falters on his own reading of the statute because I could instruct my child not to go into a particular file or use a particular program.

Eric Feigin:
I understand the Court's reaction that we are pointing to a bunch of limitations and trying to kind of spec them out. But I really think that's a problem with the way petitioner has keyed-up this case. He's focused on this very limited, specific portion of the language. He's then argued that unless you do what he wants, all of this other stuff is going to be opened up. And we don't have much case law on the other stuff because nobody has ever really made any sustained effort to try to bring those kind of cases. They certainly haven't resulted in any kind of liability. Our point here isn't to defend any particular case that isn't this one. And to the extent we start to see cases like that, that'll give courts, including this court, if necessary, the opportunity to further articulate those limits. [crosstalk 01:02:13].

John Roberts:
We need to wrap-up, Mr. Feigin.

Eric Feigin:
Thank you, Your Honor. I think just to continue with what I was saying, I think what the Court should not do is to interpret this particular portion of the statute in an a-textual manner that's different from how the Court viewed it, the plain language in Musacchio, in order to avoid a parade of hypotheticals that hasn't really occurred.

Eric Feigin:
Let me give you some examples of things that on his reading wouldn't be covered by this or any other federal statute, so far as we know. A police officer tipping off a friend with insider information that he got from a database. He knows the friend is a criminal, but he doesn't know the purpose to which the friend is going to put it, so we can't get him for attempt. We can't get him for conspiracy. Someone who is leaving a company and he takes the entire customer database with him. It's not a trade secret. He just wants to use it for himself, or an IT technician at a court who reveals pre-decisional emails from the court's email server. Thank you, Your Honor.

John Roberts:
Thank you, Counsel. Rebuttal, Mr. Fisher?

Jeffrey Fisher:
Thank you. I'd like to make two textual points and one consequences point. First, as to the text, I don't think it matters, as Mr. Feigin said, whether so refers strictly to accessing the computer with authorization or whether it refers to such access. Either way, it's referring to the manner of getting the information, which is by computer. And I think that also disposes of his surplusage argument about the words later in the statute "In the computer." Yes, it picks up "In the computer," but that same information might be available from some other source. And so that's what so is doing.

Jeffrey Fisher:
The second textual point is about the word authorization. Government clearly is putting an enormous amount of weight on that term in the statute. But there's just very serious problems with that. For one thing, the statute talks about either without authorization or without authorization. And so if you're going to say that none of these public-facing websites are being accessed with authorization, then it might be they're all being accessed without authorization, which would open up a whole other set of problems.

Jeffrey Fisher:
But even as to the plain meaning of the term that Mr. Feigin proposes, it just escapes me why logging into your work computer does not establish authorization, or logging into your West Law account, or satisfying an age-based restriction on Facebook, or being single and therefore being authorized to use a dating website, etcetera, etcetera. All of these websites and work computers are accessed only with authorization, as even Mr. Feigin defines the term. And so that doesn't meaningfully narrow the statute.

Jeffrey Fisher:
And then I think what you're left with is this problem about consequences. And the best thing the government can say is, "We haven't brought a whole bunch of these prosecutions yet." Remember, even the government's 2014 charging policy doesn't talk about any of these other restrictions Mr. Feigin has been talking about today. Instead, what it says is federal prosecutors "may" decide not to decide not to bring these kinds of cases. But, for all the textual reasons we've described, they would be available under the government's reading.

Jeffrey Fisher:
And then I think you're left with Justice Gorsuch's point, which is the court over and over again has had cases in recent years, and even further back, cases like Kozninsky, whether the government offers a reading of a federal statute that would sweep in everyday conduct. And it's never been an answer to that kind of an argument to say, "Trust us, we won't bring those kinds of cases," or even saying, "Construe the statute the way we have now. And if those problems arise in the future, then you can address them." What the court has done in every one of those cases is apply the traditional tools of construction to say any ambiguity in the statute must be construed narrowly because of fair notice and other federalism and related principles. So for those reasons we'd ask the Court to reverse.

John Roberts:
Thank you, Counsel, the case is submitted.

Speaker 12:
The Honorable Court is now adjourned until tomorrow at 10:00.

Speaker 13:
The Supreme Court has through next June to issue a ruling in Van Buren versus U.S. dealing with when people can legally access online information. Today's oral argument will be available online at CSPAN.org.