Amicus Brief
Total Page:16
File Type:pdf, Size:1020Kb
No. 19-783 IN THE Supreme Court of the United States NATHAN VAN BUREN, Petitioner, v. UNITED STATES, Respondent. ON WRIT OF CERTIORARI TO THE UNITED STATES CouRT OF APPEALS FOR THE ELEVENTH CIRcuIT BRIEF FOR AMICUS CURIAE UNITED STATES TECHNOLOGY POLICY COMMITTEE OF THE ACM IN SUPPORT OF NEITHER PARTY ARNON D. SIEGEL, ESQ. ANDREW GROssO 655 Avenue of the Americas Counsel of Record New York, New York 10010 MARK D. RasCH RONALD J. JARVis ANDREW GROssO & AssOCiaTES 1101 Thirtieth Street NW, Suite 500 Washington, D.C. 20007 (202) 298-6500 [email protected] Counsel for Amicus Curiae 297053 A (800) 274-3321 • (800) 359-6859 i TABLE OF CONTENTS Page TABLE OF CONTENTS..........................i TABLE OF AUTHORITIES ..................... ii INTEREST OF THE AMICUS CURIAE ..........1 SUMMARY OF THE ARGUMENT................2 ARGUMENT....................................3 THE DEFINITION OF “EXCEEDING UNAUTHORIZED ACCESS” CANNOT BE INTERPRETED TO INCLUDE ACCESSING DATA PUBLICLY DISCLOSED ON THE INTERNET .........................3 A. The CFAA Must Be Construed Narrowly ......4 B. Publishing Information on the Internet Grants Authority to Access That Information .........5 C. The Automated Scraping of the Internet for Publicly Posted Data, for Whatever Purpose, Is Not Prohibited by the CFAA ......9 D. Automated Scraping Is an Invaluable Tool for Information Technology Professionals.....12 CONCLUSION .................................20 APPENDIX ....................................1a ii TABLE OF CITED AUTHORITIES Page Cases Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016).....................6 HiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019)......................7 Jones v. United States, 529 U.S. 848 (2000) ............................4 Leocal v. Ashcroft, 543 U.S. 1 (2004)...............................4 QVC, Inc. v. Resultly, LLC, 159 F. Supp. 3d 576 (E.D. Pa. 2016) ...............7 Sandvig v. Barr, 2020 U.S. Dist. LEXIS 53631 (D.D.C. March 27, 2020) ........................9 United States v. John, 597 F.3d 263 (5th Cir. 2010)......................6 United States v. Morrison, 844 F.2d 1057 (4th Cir. 1988)....................12 United States v. Nosal, 676 F.3d 854 (9th Cir. 2011)......................8 iii Cited Authorities Page United States v. Thompson/Center Arms Co., 504 U.S. 505 (1992).............................5 United States v. Valle, 807 F.3d 508 (2d Cir. 2015) ......................5 United States v. Wiltberger, 18 U.S. (5 Wheat.) 76 (1820) .....................4 Yates v. United States, 574 U.S. 516 (2015) .............................4 Statutes and Other Authorities 17 U.S.C. § 506(a)(B) .............................12 17 U.S.C. § 506(a)(C) .............................12 17 U.S.C. § 1201 .................................11 18 U.S.C. § 641 ..................................12 18 U.S.C. § 1029 .................................11 18 U.S.C. § 1030(a)(2) .............................3 18 U.S.C. § 1030(a)(2)(B) ..........................12 18 U.S.C. § 1030(a)(2)(C) .....................passim iv Cited Authorities Page 18 U.S.C. § 1030(a)(5)(A)..........................10 18 U.S.C. § 1030(e)(6)..............................8 18 U.S.C. § 1030(g) ..............................11 18 U.S.C. § 1343 .................................11 18 U.S.C. § 1831 .................................11 18 U.S.C. § 2701 .................................11 SimsON GARFINKEL & GENE SPAFFORD, WEB SECURITY, PRIVACY AND COmmERCE (2d ed. 2011)..............6 1 INTEREST OF THE AMICUS CURIAE The United States Technology Policy Committee (“USTPC”) is the U.S. public policy committee of the Association for Computing Machinery (“ACM”). ACM is the oldest and largest international scientific and educational organization in the field of computing, with a membership of over 100,000 professionals. It is dedicated to advancing the arts, sciences, and applications of information technology. USTPC educates U.S. government organizations, the computing community, and the American public on matters of U.S. public policy concerning information technology. USTPC submits1 this brief amicus curiae out of a firm conviction that the questions posed in this case affect in pivotal ways data and computing scientists, as well as other professionals who make use of the Internet and computing technology. Increased reliance upon the use of the Internet in all professions makes it critical that clear, bright, and unambiguous lines be drawn as to what the laws do and do not proscribe. Such clarity is particularly important when the underlying technology and the ubiquitous use of that technology continue to change at a rapid and accelerating pace, and where the laws to be clarified include criminal as well as civil liability for their breach. The members of the USTPC on this brief are listed in the appendix. 1. No counsel for a party authored this brief in whole or in part, and no such counsel or party made a monetary contribution intended to fund the preparation or submission of this brief. No person other than amici curiae, their members, or their counsel made a monetary contribution to its preparation or submission. The parties have consented to the filing of this brief. 2 SUMMARY OF THE ARGUMENT Section 1030(a)(2)(C) of the Computer Fraud and Abuse Act (“CFAA”) proscribes “exceeding authorization” when accessing a computer and thereby obtaining information. This statute is both criminal and civil. Moreover, it is capable of both a broad reading, proscribing any use of any kind of electronic device in any manner and for any purpose not expressly permitted by the device’s owner— essentially using the CFAA to furnish civil, contractual prohibitions with criminal penalties; or a narrow reading, interpreting the Section as akin to a “data theft statute”— thereby restricting this provision of the statute to the proscription actually set forth in its text. The USTPC represents information technology professionals, including data scientists, who use computer systems and the Internet to conduct research and to learn about society and the world. These professionals, along with security researchers, innovators, and those who test, prod, and probe the connections between and among systems functioning on the Internet, must remain free to find, collect, and use publicly-available data, and to access the publicly-available systems on which data are maintained, without the threat of prosecution or civil lawsuit. The CFAA must be read narrowly, according to its stated terms as drafted by Congress, allowing free access to publicly available information. 3 ARGUMENT THE DEFINITION OF “EXCEEDING UNAUTHORIZED ACCESS” CANNOT BE INTERPRETED TO INCLUDE ACCESSING DATA PUBLICLY DISCLOSED ON THE INTERNET Section 1030(a)(2) of the CFAA prohibits a person from intentionally “access[ing] a computer without authorization,” or doing so while intentionally “exceed[ing] authorized access,” and thereby “obtaining information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). A “protected computer” includes any computer operating in interstate commerce. 18 U.S.C. § 1030(e) (2)(B). This definition includes any computer connected to the Internet—which today is almost every computer. Therefore, the information protected by Section 1030(a) (2)(C) includes all websites that are maintained on such computers and all the information on those websites. The Court and the Petitioner have framed the issue here as follows (emphasis added): Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose. This framing raises, indeed it begs, two questions: first, what is an “improper purpose”; and, second, what does a person’s “purpose” for accessing information have to do with the prohibitions in the Act, if anything. 4 “Proper” and “improper” purposes are neither defined nor otherwise referenced by the Act. These questions are significant because of the usual way that the Internet operates: by posting information (i.e., webpages and their contents, without password protections, copyright protection, or other control devices), the information is publicly disclosed—it is made available to the public for anyone to access. Thereafter any attempt to limit access to that information results in an inherent contradiction: by making the information available in this manner to the public, the posting entity has given access to the information to the world; so how can access by any particular person, or access for any particular purpose, exceed the authorization that was initially given? The answer is that it cannot. A. The CFAA Must Be Construed Narrowly The CFAA imposes both civil and criminal liability. For this reason, the rule of lenity applies;2 and the prohibitions in the Act, whether in the criminal or civil context, must be interpreted similarly. See Leocal v. Ashcroft, 543 U.S. 1, 11 n.8 (2004). 2. The rule of lenity requires “penal laws . to be construed strictly.” United States v. Wiltberger, 18 U.S. (5 Wheat.) 76, 95 (1820). “[W]hen choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.”Jones v. United States, 529 U.S. 848, 858 (2000) (internal quotation marks and citation omitted); see also Yates v. United States, 574 U.S. 516, 547-48 (2015) (application of the rule of lenity