Justices Concerned for Privacy of Personal Information if Insiders Can Abuse Access Privileges
December 2, 2020
During oral argument this week in Van Buren v. United States, a case concerning the scope of the Computer Fraud & Abuse Act, several Justices of the U.S. Supreme Court emphasized the need to protect sensitive personal data from both hackers and insiders who could abuse their access privileges. Van Buren, a police officer, was prosecuted under the CFAA for improperly accessing personal data in a government system for financial gain. He argued that he didn't violate the law because he had credentials to access the system. EPIC filed an amicus brief in the case, arguing that the CFAA was enacted "to protect personal information stored in recordkeeping systems" and the scope of the law "should be co-extensive with its data protection purpose." At oral argument, many of the justices questioned Van Buren's attorney about the impact of his interpretation on the privacy of sensitive personal information, and a majority seemed to agree that the conduct at issue in this case should be criminalized. Justice Alito said that insiders who abuse their access can do "enormous damage" to personal privacy and referenced EPIC's amicus brief. In the brief, EPIC explained that government databases "hold vast quantities of some of the most sensitive personal data imaginable" and that "we need the CFAA, now more than ever, to be an extra check against abuse by the people entrusted to access sensitive data and systems." EPIC also argued that the Court need not limit CFAA liability to those who bypass a login system to avoid criminalizing the activity of ordinary internet users. During argument, several justices were interested in alternative ways to limit the statute to better align the law with its data protection purpose. EPIC has also participated as amicus in another CFAA case before the Court, LinkedIn v. hiQ Labs. The petition for review in LinkedIn is currently pending.