The return of the laptop from hell

California court refuses to dismiss computer crime charges against entity that analyzed Hunter Biden’s laptop.

On June 20, 2024, U.S. District Court Judge Hernán D. Vera declined to dismiss a civil lawsuit filed by Hunter Biden in Los Angeles federal court against right-wing flamethrower and Biden opponent Garret Ziegler (cousin of former spokesperson for the Nixon administration, Ron Zeigler) and his Marco Polo organization, for unlawfully accessing both his laptop and the data on the laptop, including photos, videos and email communications.

The lawsuit alleged that the computer access was “without authorization,” in violation of the Computer Fraud and Abuse Act (CFAA), 18 USC § 1030. The CFAA is intended to combat various forms of computer-related misconduct. Key provisions relevant to this case include sections 1030(a)(2), 1030(a)(4), and 1030(g). Section 1030(a)(2) prohibits intentional access to a computer without authorization to obtain information, while Section 1030(a)(4) addresses unauthorized access with the intent to defraud, further the fraud, and obtain value. Section 1030(g) provides a private right of action for persons who suffer harm or loss as a result of violations of the CFAA. As a result, certain violations of the CFAA may result in both civil damages and criminal prosecution.

In his defense, Ziegler argued that the CFAA did not apply because the younger Biden — recently convicted in Delaware on false statements related to the purchase of a firearm — no longer owned the computer in question. Biden had dropped off the laptop for repairs at a computer store in Wilmington, Delaware, but was unable to pick it up when the repairs were due. According to the contract with the repair shop, the shop had the authority to throw away the computer if it was not paid for. Apparently, the repair shop owner provided copies of the computer’s hard drive to various individuals or entities – reportedly including the FBI, but also several political organizations, including Zieler’s Marco Polo nonprofit. Because Biden allegedly gave up possession of the computer, Ziegler argued that no violation of the CFAA (or California’s equivalent, CCDAFA) could have occurred.

In determining whether or not to dismiss the case at the preliminary stage, the court disagreed, noting: “Defendants do not point to the language in these statutes requiring possession of the physical device. Neither the CFAA nor the CCDAFA contain any requirement that the plaintiff must “own,” “possess,” or “control” the physical device or computer to which defendants had access. The statute concerns the ownership of the data accessed.” Even if Biden no longer owned the laptop, he continued to “own” or have a privacy interest in the data on the laptop.

Maybe.

Trespass vs. theft vs. privacy

The problem is that the CFAA looks like the 1976 SNL “Shimmer” ad – it’s a floor wax AND a dessert topping! While the purpose of the statute is to protect the confidentiality, integrity, and availability of data (or at least some types of data), the way it attempts to do this is through a “trespass statute.” The law requires, as a predicate for the civil or criminal offense, “unauthorized access” to a computer, or “exceeding authorized access” to a computer. If there is no ‘unauthorized entry’, there is no crime.

IRL, if I break into your house and steal a Ming vase, I am guilty of larceny (theft), trespassing, and breaking and entering. But if I am invited to your home and steal the vase, then it is probably just theft, because the trespassing and burglary laws require you to enter (or remain) illegally. Because the CAAA does not strictly prohibit “theft” of information (and because it is not clear how to “steal” intangible information), the plaintiff or the government must prove that there was “unauthorized access” to the “computer.”

So which ‘computer’ did Zieger ‘access’ without authorization, or outside of authorization? It was clearly the abandoned (or at least potentially abandoned) laptop from hell. The court is correct in that “ownership” of the laptop is not the relevant issue. When a company uses a cloud service, email provider, third-party host, etc., it may not “own” the computers where the data resides. Yet it still has the power to dictate rules about who has access to the computers and the data on which the computers reside, and to determine what access is “authorized” and what is “unauthorized” – and, at least to some extent height, its scope. of authorization on that computer.

Whose computer is it?

The case continues to illustrate that in cloud contracts, third-party contracts or other data sharing agreements, it is important to understand not only who has access to the data on these devices and for what purposes, but also, crucially, who is allowed to access the data to make. provisions. If you have files on a cloud service and those files get hacked, who is the injured party? You? Or AWS? Whose ‘computer’ was ‘accessed’ without permission? In a shared situation, where one cloud user has access to another cloud user’s data, the defendant may have had lawful access to the “computer” but not to specific data on that computer, causing the plaintiff (or, in a criminal case), government) to prove that access to the data was obtained by “exceeding the authorization to access the computer.”

The problem is highlighted by a recent Supreme Court ruling that (slightly) narrows the scope of “exceeding authority to access” a computer. In VanBuren v. United States, the Supreme Court ruled that a Georgia police officer who had access to a law enforcement database restricted from use for law enforcement purposes did not exceed authorized access to that computer when he logged into the computer with his credentials and downloaded data for prohibited purposes (to sell the data to third parties). The ACCESS to the COMPUTER (not the data) was authorized, and the fact that he used the data for a prohibited purpose did not convert the misuse of the data into an ‘infringement’.

Biden’s claims

Garrett Ziegler has developed himself into a Hunter Biden specialist and has delved deeply into Biden’s personal and financial information. Ziegler’s nonprofit, Marco Polo, has published extensive details about Biden’s life, including sensitive and embarrassing information. Zieger claimed to have found evidence of hundreds of criminal violations by the younger Biden, but so far the Trump-appointed special counsel and grand juries in Delaware and California have only indicted Hunter Biden on the weapons charges and for failing to file and pay on time. its income taxes.

This case illustrates how an individual can use the Internet to distribute personal information, which poses significant privacy concerns. Biden’s complaint detailed factual allegations supporting the claim of unauthorized access. He alleged that Ziegler accessed his data from his iPhone backup and laptop without permission, tampered with it, and used it to create a report and online database. These allegations included that Ziegler “used technical measures to circumvent security barriers,” further substantiating the claim of unauthorized access. The court found these allegations sufficient to meet the CFAA’s pleading standards for evidence of “unauthorized access” or “exceeding authorized access” to the computer.

The court’s ruling in this case highlights the CFAA’s importance in protecting individuals from unauthorized access to their digital data, but also addresses the limitations of the statute’s language.

Ultimately, this case arose from a contract between Hunter Biden and Delaware computer repair shop owner John Paul Mac Isaac — the kind of contract we see every day and never read. For privacy and security professionals, the case highlights the need to read contracts and determine who has access to data, computers and networks, and why. And just to be sure, have a lawyer look at it too.