The Return of the Laptop From Hell
2024-9-27 12:36:18 Author: securityboulevard.com

California court refuses to dismiss computer crime charges against an entity that analyzed Hunter Biden’s laptop.

On June 20, 2024, United States District Court Judge Hernán D. Vera refused to dismiss a civil lawsuit filed in Los Angeles federal court by Hunter Biden against right-wing flamethrower and Biden opponent Garrett Ziegler (cousin of former Nixon Administration Press spokesman, Ron Ziegler) and his organization Marco Polo, for unlawfully accessing both his laptop computer, and data contained on the laptop, including photos, videos and email communications.

The lawsuit alleged that the access to the computer was “without authorization” in violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The CFAA is designed to combat various forms of computer-related misconduct. Key provisions relevant to this case include sections 1030(a)(2), 1030(a)(4), and 1030(g). Section 1030(a)(2) prohibits intentional access to a computer without authorization to obtain information, while section 1030(a)(4) addresses unauthorized access with intent to defraud, furthering the fraud and obtaining value. Section 1030(g) provides a private right of action for individuals who suffer damage or loss due to CFAA violations. As a result, certain violations of the CFAA can result in both civil damages as well as criminal prosecution.

In his defense, Ziegler asserted that the CFAA did not apply because the younger Biden – recently convicted in Delaware on false statements related to the purchase of a firearm – no longer owned the computer in question. Biden had dropped off the laptop for repair to a computer shop in Wilmington, Delaware, and failed to pick it up when the repairs were due. Under the contract with the repair shop, the shop had the authority to dispose of the computer if it was not paid for. Apparently, the owner of the repair shop provided copies of the hard drive of the computer to various persons or entities – reportedly including the FBI, but also including various political organizations, including Ziegler’s Marco Polo non-profit. Because Biden allegedly abandoned possession of the computer, Ziegler argued no violation of the CFAA (or its California equivalent, the CCDAFA) could have occurred.

In determining whether or not to dismiss the case at the preliminary stage, the District Court disagreed, noting “Defendants fail to point to language in these statutes that require possession of the physical device. Neither the CFAA nor the CCDAFA contain any requirement that Plaintiff must “own,” “possess,” or “control” the physical device or computer that Defendants accessed. The statute concerns the ownership of the data accessed.” Even if Biden no longer owned the laptop, he continued to “own” or have a privacy interest in the data on the laptop.

Maybe.

Trespass vs Theft vs Privacy

The problem is that the CFAA is like the 1976 SNL “Shimmer” ad – it’s a floor wax AND a dessert topping! While the purpose of the statute is to protect the confidentiality, integrity and availability of data (or at least some types of data) the way it attempts to do so is through a “trespass” statute. The statute requires, as a predicate for the civil or criminal offense, “unauthorized access” to a computer, or “exceeding authorized access” to a computer. If no “unauthorized access,” no crime.

IRL, if I break into your house and steal a Ming Vase, I am guilty of larceny (theft), trespass and burglary. But if I am invited to your house and steal the vase, then likely only theft, because the trespass and burglary laws require entering (or remaining) unlawfully. Since the CFAA does not strictly prohibit “theft” of information (and since it’s not clear how you “steal” intangible information) the Plaintiff or Government must prove “unauthorized access” to the “computer.”

So what “computer” did Ziegler “access” without authorization, or in excess of authorization? Clearly it was the abandoned (or at least the potentially abandoned) laptop from hell. The court is correct to the extent that “ownership” of the laptop is not the relevant issue. When a company uses a cloud service, email provider, third-party host, etc., it may not “own” the computers on which its data resides. Yet, it still has the authority to dictate rules on who may access those computers and the data residing on them, and determine what access is “authorized” and what is “unauthorized” – and, at least to some degree, the scope of authorization on that computer.

Whose Computer Is It?

The case continues to illustrate the fact that it’s important in cloud contracts, third-party contracts, or any data-sharing agreements to understand not only who may access data on these devices and for what purposes, but also critically, who gets to make those determinations. If you have files on a cloud service, and those files are hacked, who is the injured party? You? Or AWS? Whose “computer” was “accessed” without authorization? In a shared situation, where one cloud user accesses the data of another cloud user, the Defendant may have had lawful access to the “computer” but not to specific data on that computer, which would require the Plaintiff (or, in a criminal case, the government) to prove that accessing the data was done by “exceeding authorization to access the computer.”

The problem is highlighted by a recent Supreme Court decision narrowing (somewhat) the scope of the CFAA’s “exceeding authorization to access” a computer. In Van Buren v. United States, the Supreme Court held that a Georgia police officer who accessed a law enforcement database that was restricted for use for law enforcement purposes only did not “exceed authorized access” to that computer, when he logged into the computer with his credentials, and downloaded data for prohibited purposes (to sell the data to third parties). The ACCESS to the COMPUTER (not the data) was authorized, and the fact that he used the data for a prohibited purpose did not convert the misuse of data into a “trespass.”

Biden’s Claims

Garrett Ziegler has fashioned himself as a Hunter Biden specialist, delving deeply into Biden’s personal and financial records. Ziegler’s nonprofit, Marco Polo, has published extensive details about Biden’s life, including sensitive and embarrassing information. Ziegler claimed to have found evidence of hundreds of criminal violations by the younger Biden, but to date, the Trump-appointed Special Counsel and grand juries in Delaware and California have charged Hunter Biden only with the gun charges and with failure to file and timely pay his income taxes.

This case exemplifies how an individual can use the internet to disseminate personal data, raising significant privacy concerns. Biden’s complaint contained detailed factual allegations supporting the claim of unauthorized access. He alleged that Ziegler accessed his data from his iPhone backup and laptop without authorization, tampered with it, and used it to create a report and online database. These allegations included that Ziegler used “technical measures to circumvent security barriers,” further substantiating the claim of unauthorized access. The court found these assertions sufficient to meet the CFAA’s pleading standards for evidence of “unauthorized access” or “exceeding authorized access” to the computer.

The court’s ruling in this case highlights the importance of the CFAA in protecting individuals from unauthorized access to their digital data, but also focuses on the limitations of the language of the statute.

At the end of the day, this case arose out of a contract between Hunter Biden and John Paul Mac Isaac, the owner of the Delaware computer repair shop – the kind of contract that we see every day and never read. For privacy and security professionals the case highlights the need to read contracts and determine who has access to data, computers, and networks, and why. And for good measure, have a lawyer take a look too.

Article source: https://securityboulevard.com/2024/09/the-return-of-the-laptop-from-hell/