Shostack + Friends Blog


Van Buren

The Supreme Court has ruled in the Van Buren case, and there's a good summary on the EFF's blog: "The decision is a victory for all Internet users, as it affirmed that online services cannot use the CFAA’s criminal provisions to enforce limitations on how or why you use their service..."

As I said at the time, I was honored to be a part of EFF's amicus brief in this case.

There were nuanced arguments that the CFAA can and should be used to protect sensitive personal information. I agree with their goal, but I am not persuaded that the distinctions are as easy to make as they argued. The crisp distinctions they laid out remind me of the distinctions made in the Electronic Communications Privacy Act of 1986. It too has clear distinctions, such as that emails left on a server for 30 days lose privacy protections — a distinction that was justifiable when storage was expensive. Their distinctions are more nuanced. However, I've had several long conversations with my employer's lawyers about exactly how words in the CFAA might be parsed. Congress is the right place for those debates.