Argument on legal access to online information and whether police and other enforcement officers can access information for personal purposes. Hear argument next in van buren versus united states. Mr. Fisher. Mr. Chief justice and may it please the court, the cfaa is an antihacking statute. To ensure comprehensive coverage, the statute prohibits exceeding authorized access. This ensures that the statute covers not just outside, but also inside hackers. In this case, however, the government seeks to transform the prong of the cfaa into a different prohibition. This prong covers obtaining any information via computer that the assessor is not entitled under the circumstances to obtain. It is no overstatement to say that this construction would brand most americans criminal on a daily basis. The scenarios are limitless, but a few examples will suffice. Imagine a secretary who says that her email or zoom account may be used only for businesses purposes or a person using a dating website where users include false information on their profiles. Or think of a lawsuit who has issued a login credentials for educational use only. If the government is right, then a computer user who disregards any of these statements commits a federal crime. For example, any employee who used a zoom account over thanksgiving to connect with distant relatives would be subject to the grace of federal prosecutors. The main argument the government offers in response of that result is that a single twoletter word of exceeds authorized access, the term so demands it. That word requires no such thing. It clarifies that the user must be prohibed from obtaining the information. It relieves the government of having to negate every possible alternative means by which the defendant might have obtained the information at issue. Thats all the word does. It does transform the cfaa into a sweeping policeman date. The court should reverse. Mr. Fisher, this is what we said, that statute provides two ways of committing the crime of improperly accessing a protected computer, obtaining access without authorization, and obtaining access with authorization but using that access improperly. You didnt mention that case in our opening brief. The government relied on it. You didnt mention it in your reply brief. I wonder what your answer to that quote is. Mr. Chief justice, my understanding in that case was the court was giving a thumbnail summary of how the statute works. The question presented here was not presented there. In fact, not even the exceeds authorized access prong was at issue there in the conspiracy issue the court reached. I understood what the court was doing in that summary, simply to be using the word improperly as a shorthand for whatever it is the act prohibits and moving along thats not what it says. It says and this seems to me to go to point at issue here. The second way you can violate is is by obtaining access with authorization but using that access improperly. Go ahead. I think my answer would be to look at the words of the statute. I think the definition of exceeds authorized access doesnt talk about improper use. It talks about obtaining information that the assessor is not entitled to obtain. As weve explained in our papers, we think the definition of that term leaves out improper purposes because we know congress has those words in the very original provision of the statute and they took them out in 1986. We know from other enactment that is we cited, for example, in page 19 of our blue brief, when Congress Wants to criminalize or prohibit improper use or unauthorized purposes, it does so expressly. Just to make sure i have your interpretation correct. If a bank has a policy barring employees from accessing facebook, an employee exceeds authorized access and would be covered if she goes onto facebook, but it wouldnt be a violation if she used that access to look up customer Social Security numbers and sell them to a third party, right . Im not sure i follow, mr. Chief justice. I think my position is it would not violate the cfaa for the employee to go on facebook. If youre asking me about the Social Security numbers, for example, it would depend on whether the employee actually had access to that information. As we explained in our brief, if that employee has to use certain login credentials that of something else, for example, to get that information, that would be a violation of the statute thank you. Justice thomas. Thank you, mr. Chief justice. Mr. Fisher, you gave a brief list of a parade of horribles. In ca11, this has been the rule for a while. Can you give us examples of that happening, someone getting violating this provision because of accessing zoom or Something Like that, or facebook . Justice thomas, not in the 11th circuit. But the papers discuss the drew case which was before the 9th circuit where somebody was prosecuted for misusing my space. Theres a case involving ticketmaster that we cite in the brief. More generally, i would point you to two other things. One is, remember, that the language of this statute has its own deterrent effect. And so for people who use the internet every day, they have to be aware of the criminal law both on the criminal side and, remember, this statue had a civil component. I think thats the critical thing that the court said in many other cases that you cant construe a statute simply on the assumption the government will use it responsibility. That doesnt enable the court to simply construe the statute on that promise. And so i think thats the critical problem with the governments point here. I would point you to the committee for justice brief which gives an example of just not everyday zoom use, but political prosecutions, mcdonald a little bit earlier. I think theres a case made in that brief how any one of those prosecutions could simply be repackaged as a cfaa prosecution if the government would win here. You seem to be making a point that, well, if you dont have the authority to access a certain area, for example, you have a level a clearance but you access information that is at a level b or something, that would be certainly with would exceed authorization. But why cant you have the exact same thing on the other end, that is you have authority to access information, but you are limited, that authorization is limited as to what you can do with it. For example, you work for a car rental and you have the access to the gps. But rather than use it to determine the location of a car that may be missing, you use it to follow a spouse or as in this case, the use of the information is a problem. So i dont understand why you make the distinction between this two ways that you can have or not have authorization. Because of the language of the statute, justice thomas. The statute asks whether the user is entitled to obtain the information and to use your car rental example, the user there is entitled to obtain that gps information. It may be a breach of company policy, it may be in the kacasef the stalking example, it may be a different crime. But the question in front of you here is whether it violates the cfaa as enacted and existing right now. Justice breyer . The argument on the history im interested in because there was a earlier statute which did say pretty clearly its a crime to use your access for purposes to which such authorization does not extend. And then that was changed to the present language. But at that time, the history says they didnt mean to make a substantive change. What do you respond to that . Two things, justice. Remember, first of all, that original provision of the statute was narrow. It applied to certain federal employees and certain information. When congress changed that law two years later in 1986, youre right, at one point of the committee report, it talked about simply clarifying the statute. In the other part, dealing with the same words, with the what Congress Said they had removed one of the murkier grounds for liability and refocused the statute on its principle object. You have those crosscutting pieces of legislative history. Even the government, i would stress, does flnot argument tha all that amendment did was clarify. The government says it expanded the statute to go beyond improper purposes to a violation of any stated use restrictions. Nobody here is arguing that the statute didnt change in 1986. Its a question of whether it expanded dramatically or took away that purpose language. I think justice breyer, the other thing i would stress is, because this is a criminal case, we think its improper in the very least very change to resolve ambiguity. You should look toward the principle last term in kelly where the court has resisted construes ambiguity in federal criminal statutes to vastly enlarge the speak of criminal liability. Thank you. Justice alito. Mr. Fisher, in this case, weve received amicus briefs from a number of organizations and individuals who are very concerned about what your interpretation would mean for personal privacy. There are many Government Employees who are given access to all sorts of highly personal information for use in performing their jobs. But if they use that for personal purposes, to make money, protect our carry out criminal activity, to hazarass people they dont like, they can do enormous damage. And the same thing for people who work for private entities. Think of the person in the fraud detection section of a bank who has access to credit card numbers and uses that information to sell for a personal profit. Do you think that that none of that was of concern when congress enacted this statute . Justice alito, i do not think it was. What congress was concerned about is computer hacking. This new problem of hacking. And i think that the two things i would add to that i understand the concern and there are powerful briefs about the policy question you raise and its possible congress may want to step in and regulate that, even criminalize to some effect. The question is, what is the statute you have in front of you right now do . And the problem with the governments view or those amicus briefs, theres no way to reach the federal the Government Employee or the financial employee that youre imagining without also reaching every other ordinary employee who violates an employee handbook let me ask you about that. Because you rely heavy on the parade of horribles. But in doing that, you read the provisions of this section very, very broadly. Take the example of the person who puts who lies about weight on the dating website. How would that be a violation of a statute . Well, under the governments theory, its a violation to use a website in violation of the terms of service. I think the government let the statute obtain information, obtain or alter information. How is that person obtaining or altering information . Its not the entering of the false information. Its then obtaining information on a dating website about a potential mate. Youre obtaining information from the website through a p profile that is false. Youve obtained that youve gotten on that website with authorization, with your login credentials because youre a Single Person and not married, et cetera, and you have obtained information in violation of the stated use restrictions on that website. So i dont see how the government gets out of that hypothetical. Thank you. Justice sotomayor. Counsel, i very much understand the concerns of my colleagues about the amicus briefs of illegal conduct that this would not cover. Including the one at issue here, your client, a local Police Officer. Not your client, im sorry yes, your local Police Officer. Who paid for information he got from a federal Computer System for personal reasons. But the fact that there isnt this federal crime doesnt mean this conduct isnt prosecuted in other ways, does it . No. For example, my client in this case was prosecuted also under a separate count that is pending on remand and as i said in the reply brief, other types of misconduct the government talks about, like the stalking example, misobtaining health information, misuse of trade secrets, all of those things can be prosecuted under different federal statutes. If congress decided it could enact the proposal the department of justice has given it a couple of times over the last several years to expand the cfaa in certain limited respects. As i was trying to say earlier, the core of the problem is theres no foothold in the statute to inch the statute forward to cover the conduct in this case without also covering all kinds of other violations of perpbas per purposebased restrictions, go back to the fact of this case and imagine mr. Van counsel, are there targeted changes that could be made to limit the reach of this statute to exactly the fears that i think one of my colleagues expressed of the kind of conduct that we would think of as subjecting someone to punishment . I know, for example, most statutes have obtaining information and using it for financial gain. Yes, justice sotomayor, the government itself has proposed amendments to the statutes that we cite in our brief. But i think g again, that shoul come from congress. Just back to this statute, as i was saying, what about oral directives to an officer that tomorrow when youre out on patrol, dont run license plates just in ordinary traffic stops. I want you to be more efficient. Any number of questions that would have to be addressed. Just look at subsection one of the statute. It does restrict federal employees use of information and giving it to third parties. That is not part of the provision at issue here. So, again, that would be a choice for congress to make and all of these things should be done on a legislative basis. Justice kagan. Thank you, council. Mr. Fisher, could you tell me again what you think so is. It means in the manner so described. Thats the blacks law definition. Translated to this statute what it means is, that youve accessed and obtained the information viac computer. Could you parse that a little bit. It asks for a reference back. What are we referring back to on your theory . Youre referring back to access a computer with authorization. So Justice Kagan, two things that might flesh this out for you, we give an example of another statute on page 2 of our yellow brief that uses so in this manner. It picks up what was said that was earlier. And the governments own hypothetical is the best way this plays out. Where they worry about a federal contractor obtaining salary information from a salary database that he does not have access to. And what so does, it prohibits that person from defending himself in a prosecution for hacking into that database saying i could have filed a request or called the employees themselves and asked them what they made and therefore i was entitled to obtain the information. That defense is off limits because of the word so. In that way, so helps the government. Okay. On your parade of horribles, one of your the features of your parade is an employee checking instagram at work. How is that obtaining or altering information . Its obtaining information because you are literally obtaining the words or pictures out of instagram and it would violate the governments rule the prosecutor himself told the jury this at closing argument. It would violate the governments rule because the employee would be at least theoretically, prohibited from using her work computer for personal reasons. Checking instagram through your work computer would be an improper purpose, it would be an improper use and you would obtain the information from the computer in the form of those pictures or words or whatever they might be. Thank you, mr. Fisher. Justice gorsuch. Picking up on your parade of horribles, could you explain to us what the institutionconstitu issues are with the parade. Thank you, Justice Gorsuch. There are two constitutional problems. One is the First Amendment problems with Certain Applications of the governments rule that are described in the amicus briefs. Secondly, theres the vagueness problem. Under the governments view, remember, using obtaining information viacom pewt via computer violates the statute. Either one of two things has to be correct. Either under the circumstances means literally every possible circumstance you could imagine, right down to somebody telling you not to do that. Imagine a parent telling her teenager, dont use instagram tonight until your homework is done. Or dont use facebook to talk to your friends. So theres opportunities for prosecutorial discretion are probably broader than any statute that the court has ever seen. The only alternative is under the circumstances, somehow, some of those circumstances in, some of them out, thats wholly indeterminant problem that violates the most basic fair notice principles of the law. On the reverse parade of horribles we heard from the other side. I guess im struggling to imagine how long that parade would be, given the abundance of criminal laws available. So if this one didnt cover that kind of conduct, but there were troublesome forms of it, like your clients behavior in this case, misusing a police database, i assume there are ample state laws available that criminalize a lot of that conduct. Am i mistaken . No, this case cos from georgia, and georgia has a statute about hacking or. Isusing computer information the government, as we point out in our reply brief, the government gave a few hypotheticals in its brief and a most everyone of them is already addressed by some other provision of even the u. S. Code, let alone state law. Even, remember, my client himself has already lost his job and has other forms of punishment that have already been brought to bear. If congress decides somehow that is not enough and it wants the cfaa to also be available in situations like this, it could amend the statute, but i do not think there is anything like or a comparable problem on the other side in terms of the breath issue in front of the court. Chief Justice RobertsJustice Kavanaugh . Justice kavanaugh thank you, mr. Chief justice, and good afternoon, mr. Fisher. Picking up on Justice Gorsuchs question there at the end, and following up on questions from earlier, one of the concerns, i suppose, are Government Employees, financial employees, or Health Care Company employees who have access to very sensitive, personal and i appreciate if you could give us a sense of federal statutes that you think would cover such disclosures, if any. I take your reference to state statutes. Are there any federal statutes that you want to identify that would cover that situation . I would start with page 19 where we cite a federal statute which prohibits obtaining clas