Legal Foundation
Legal foundation entries collect cases and authorities that shape security-law reasoning but do not need a full security case pack. These are doctrine anchors: privacy rights, speech rules, standing principles, statutory interpretation, and other legal baselines that security professionals should understand before applying operational controls.
Use this page for cases where the value is primarily the legal rule, not a technical incident record or regulatory remediation pattern.
Constitutional Privacy
| Year | Authority | Legal foundation | Security-law relevance | Primary source |
|---|---|---|---|---|
| 1967 | Katz v. United States, 389 U.S. 347 | Fourth Amendment protection turns on people and reasonable expectations of privacy, not only physical trespass into protected places. | Foundation for analyzing electronic surveillance, communications monitoring, wiretap-style collection, and privacy review before deploying tools that capture communications content. | Cornell LII |
| 2001 | Kyllo v. United States, 533 U.S. 27 | Use of sense-enhancing technology not in general public use to obtain information about the home can be a Fourth Amendment search. | Foundation for thermal imaging, sensor analytics, remote observation, and privacy review for technologies that infer activity inside protected spaces. | Cornell LII |
| 2012 | United States v. Jones, 565 U.S. 400 | Physical installation of a GPS device on a vehicle for location monitoring is a Fourth Amendment search. | Foundation for GPS tracking, device placement, physical trespass theories, and location-surveillance governance. | Cornell LII |
| 2014 | Riley v. California, 573 U.S. 373 | Police generally need a warrant before searching digital information on a cell phone seized incident to arrest. | Foundation for mobile-device privacy, endpoint search, digital evidence handling, and separation between physical seizure and data search. | Cornell LII |
| 2018 | Carpenter v. United States, 585 U.S. 296 | Government acquisition of historical cell-site location records is a Fourth Amendment search requiring a warrant in the ordinary case. | Foundation for location-data privacy, third-party data limits, telecommunications records, and persistent movement tracking. | Cornell LII |
Online Speech and Software Foundations
| Year | Authority | Legal foundation | Security-law relevance | Primary source |
|---|---|---|---|---|
| 1997 | Reno v. American Civil Liberties Union, 521 U.S. 844 | Internet speech receives strong First Amendment protection; broad content-based restrictions on online speech face stringent review. | Foundation for platform moderation, online-safety regulation, child-protection rules, and overbreadth analysis for internet controls. | Cornell LII |
| 2021 | Google LLC v. Oracle America, Inc., 593 U.S. 1 | Limited reuse of API declaring code can be fair use where copying enables programmers to use existing skills in a new transformative platform. | Foundation for API interoperability, software reuse, platform migration, and legal review of developer-facing interfaces. | Cornell LII |
Article III Standing
| Year | Authority | Legal foundation | Security-law relevance | Primary source |
|---|---|---|---|---|
| 2013 | Clapper v. Amnesty International USA, 568 U.S. 398 | Future injury must be certainly impending; speculative surveillance risk is not enough for Article III standing. | Foundation for risk-only privacy, surveillance, and data-exposure claims where plaintiffs allege future harm or mitigation costs. | Cornell LII |
| 2016 | Spokeo, Inc. v. Robins, 578 U.S. 330 | Article III injury must be both concrete and particularized, even when Congress creates a statutory right of action. | Foundation for privacy, FCRA, and data-incident standing arguments based on statutory violations and intangible harms. | Cornell LII |
| 2021 | TransUnion LLC v. Ramirez, 594 U.S. 413 | Only plaintiffs concretely harmed by a statutory violation have Article III standing to seek damages in federal court. | Foundation for class-action standing, data accuracy, dissemination harm, and damages claims after privacy or security failures. | Cornell LII |
Cybersecurity Reasonable Security Foundations
| Year | Authority | Legal foundation | Security-law relevance | Primary source |
|---|---|---|---|---|
| 2015 | FTC v. Wyndham Worldwide Corp., 799 F.3d 236 | The FTC may use Section 5 unfairness authority to challenge unreasonable cybersecurity practices that expose consumers to substantial injury. | Foundation for reasonable-security expectations, payment-card data protection, network segmentation, access controls, incident prevention, and FTC cyber enforcement. | FTC case page |
Administrative Law and Agency Power
| Year | Authority | Legal foundation | Security-law relevance | Primary source |
|---|---|---|---|---|
| 1984 | Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 | Established the two-step framework for judicial deference to reasonable agency interpretations of ambiguous statutes. | Foundation for understanding historical deference to cyber regulators before Loper Bright. | Cornell LII |
| 2015 | King v. Burwell, 576 U.S. 473 | Courts may decide major statutory questions directly rather than assume Congress delegated them to an agency. | Foundation for high-stakes regulatory interpretation where cyber or privacy rules have broad economic and political significance. | Cornell LII |
| 2022 | West Virginia v. Environmental Protection Agency, 597 U.S. 697 | Major policy decisions require clear congressional authorization before an agency may assert broad regulatory power. | Foundation for cyber and privacy rule challenges invoking the major questions doctrine. | Cornell LII |
| 2024 | Loper Bright Enterprises v. Raimondo, 603 U.S. 369 | Courts must exercise independent judgment on statutory meaning; Chevron deference is overruled. | Foundation for modern litigation over agency cybersecurity, privacy, disclosure, and safety rules. | Cornell LII |
Computer Access and CFAA Boundaries
| Year | Authority | Legal foundation | Security-law relevance | Primary source |
|---|---|---|---|---|
| 2021 | Van Buren v. United States, 593 U.S. 374 | CFAA exceeds-authorized-access liability is gate-based, not a general ban on improper use of information one may access. | Foundation for insider-access, credential misuse, and acceptable-use boundary analysis. | Cornell LII |
Platform Liability and Online Harm
| Year | Authority | Legal foundation | Security-law relevance | Primary source |
|---|---|---|---|---|
| 1982 | New York v. Ferber, 458 U.S. 747 | Child sexual abuse material may be excluded from First Amendment protection because production and distribution are tied to child exploitation. | Foundation for platform CSAM enforcement, content moderation, and child-protection duties. | Cornell LII |
| 1990 | Osborne v. Ohio, 495 U.S. 103 | States may criminalize possession of child pornography when the law is tied to protecting victims and reducing the market for exploitation. | Foundation for possession, retention, and storage controls involving exploitative digital material. | Cornell LII |
| 2002 | Ashcroft v. Free Speech Coalition, 535 U.S. 234 | Virtual depictions not involving real children cannot be banned as child pornography merely because they appear to depict minors. | Foundation for synthetic-content, AI-generated material, and overbreadth limits in online child-protection law. | Cornell LII |
| 2023 | Gonzalez v. Google LLC, 598 U.S. 617 | The Court avoided deciding Section 230 where the terrorism-liability complaint appeared deficient under related aiding-and-abetting doctrine. | Foundation for platform-liability litigation involving recommendation systems, terrorism claims, and pleading limits. | Cornell LII |
Online Threats and Speech
| Year | Authority | Legal foundation | Security-law relevance | Primary source |
|---|---|---|---|---|
| 2015 | Elonis v. United States, 575 U.S. 723 | Federal online-threat convictions require a culpable mental state beyond negligence. | Foundation for online-threat, harassment, and platform-safety enforcement involving user intent. | Cornell LII |
| 2023 | Counterman v. Colorado, 600 U.S. 66 | True-threat prosecutions require proof that the defendant was at least reckless about the threatening character of the speech. | Foundation for constitutional limits on digital harassment, stalking, and threat prosecutions. | Cornell LII |
Case Brief
Katz v. United States
Katz v. United States, 389 U.S. 347 (1967)
Source quote: "For the Fourth Amendment protects people, not places."
Issue: Whether the government's warrantless electronic recording of conversations from a public telephone booth violated the Fourth Amendment.
Rule: The Fourth Amendment protects reasonable expectations of privacy, and electronic surveillance that captures protected private communications generally requires prior judicial authorization.
Application:
- Plaintiff: Katz argued that he used the telephone booth to make private calls and that the government violated the Fourth Amendment by recording those communications without a warrant.
- Defendant: The United States argued that the agents did not physically penetrate the booth and that the recording device was attached outside the booth, so no constitutionally protected area had been invaded under a property-based theory.
- Court: The Court rejected the narrow property-trespass framing and held that the Fourth Amendment protects people, not merely places. Because Katz sought to preserve his telephone conversation as private, the warrantless electronic recording violated the Fourth Amendment.
Conclusion: The conviction was reversed; Katz became the foundation for modern reasonable-expectation-of-privacy analysis in electronic surveillance cases.
Significance: Establishes the modern Fourth Amendment privacy frame for electronic communications monitoring. (Cornell LII: "For the Fourth Amendment protects people, not places.")
References used:
- Katz v. United States, 389 U.S. 347 (1967), Cornell LII
- Katz v. United States, 389 U.S. 347 (1967), U.S. Reports PDF via Library of Congress
Kyllo v. United States
Kyllo v. United States, 533 U.S. 27 (2001)
Source quote: "Where, as here, the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a “search” and is presumptively unreasonable without a warrant."
Issue: Whether police use of a thermal-imaging device from a public street to detect heat patterns inside a home was a Fourth Amendment search.
Rule: Use of sense-enhancing technology not in general public use to obtain information about the interior of the home that otherwise would require physical intrusion is a Fourth Amendment search and is presumptively unreasonable without a warrant.
Application:
- Plaintiff: Kyllo argued that thermal imaging revealed information about the interior of his home and therefore invaded the heightened privacy protection the Fourth Amendment gives the home.
- Defendant: The United States argued that the device detected only heat radiating from exterior surfaces and did not reveal intimate details or physical activity inside the home.
- Court: The Court treated the home as the core Fourth Amendment setting and rejected a rule that would leave privacy to the pace of advancing technology. Because the thermal imager was not in general public use and revealed otherwise unknowable information about the home, the surveillance was a search.
Conclusion: The judgment was reversed and remanded; Kyllo anchors privacy limits on government use of advanced sensing tools directed at the home.
Significance: Limits government use of advanced sensors that reveal otherwise hidden details of protected spaces. (Cornell LII: "the surveillance is a “search” and is presumptively unreasonable without a warrant.")
References used:
- Kyllo v. United States, 533 U.S. 27 (2001), Cornell LII opinion
- Kyllo v. United States, 533 U.S. 27 (2001), Cornell LII syllabus
United States v. Jones
United States v. Jones, 565 U.S. 400 (2012)
Source quote: "We hold that the Government’s installation of a GPS device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a “search.”"
Issue: Whether the government's installation and use of a GPS tracking device on a vehicle was a Fourth Amendment search.
Rule: A physical intrusion on private property for the purpose of obtaining information can constitute a Fourth Amendment search, even apart from the reasonable-expectation-of-privacy test.
Application:
- Plaintiff: Jones argued that the warrantless GPS installation and prolonged tracking violated the Fourth Amendment because the government physically occupied his vehicle to gather location information.
- Defendant: The United States argued that Jones had no reasonable expectation of privacy in movements on public roads and that tracking those movements did not require suppression.
- Court: The Court revived the property-based search theory: the vehicle was an "effect," and attaching a GPS device to it for information gathering was a physical intrusion that qualified as a search.
Conclusion: The judgment was affirmed; Jones is foundational for location tracking and for physical-device surveillance theories under the Fourth Amendment.
Significance: Restores property-based Fourth Amendment limits for device placement and location tracking. (Cornell LII: "constitutes a “search.”")
Riley v. California
Riley v. California, 573 U.S. 373 (2014)
Source quote: "Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple—get a warrant."
Issue: Whether police may search digital information on a cell phone seized from an arrestee without a warrant under the search-incident-to-arrest exception.
Rule: Police generally may not search digital information on a cell phone seized incident to arrest without a warrant, though exigent circumstances may justify a warrantless search in particular cases.
Application:
- Plaintiff: Riley and Wurie argued that cell phones contain immense quantities of private digital information and that searching their contents without a warrant exceeded the traditional justifications for searches incident to arrest.
- Defendant: California and the United States argued that officers needed categorical authority to inspect phones found on arrestees to protect officer safety, prevent destruction of evidence, and preserve administrable search rules.
- Court: The Court distinguished physical items from digital data, emphasizing the quantity, quality, and pervasiveness of information on modern phones. The officer-safety and evidence-preservation rationales did not justify categorical warrantless searches of phone contents.
Conclusion: Riley's conviction was reversed and Wurie's suppression ruling was affirmed; Riley is foundational for digital-device privacy and mobile evidence handling.
Significance: Treats cell-phone data as categorically different from ordinary physical items during arrest searches. (Cornell LII: "get a warrant.")
Carpenter v. United States
Carpenter v. United States, 585 U.S. 296 (2018)
Source quote: "The Government’s acquisition of Carpenter’s cell-site records was a Fourth Amendment search."
Issue: Whether government acquisition of historical cell-site location information from wireless carriers was a Fourth Amendment search requiring a warrant.
Rule: Individuals have a reasonable expectation of privacy in the whole of their physical movements as revealed by historical cell-site location information; government acquisition of such records generally requires a warrant supported by probable cause.
Application:
- Plaintiff: Carpenter argued that months of cell-site records revealed a comprehensive chronicle of his movements and that obtaining them without a warrant violated the Fourth Amendment.
- Defendant: The United States argued that the third-party doctrine controlled because the records were business records held by wireless carriers and generated through phone use.
- Court: The Court declined to mechanically extend the third-party doctrine to historical CSLI, emphasizing the depth, breadth, and automatic nature of cell-phone location records. The Stored Communications Act order fell short of probable cause.
Conclusion: The judgment was reversed and remanded; Carpenter is foundational for location-data privacy and limits on third-party data collection.
Significance: Extends constitutional privacy protection to long-term carrier-held location records. (Cornell LII: "The Government’s acquisition of Carpenter’s cell-site records was a Fourth Amendment search.")
Reno v. American Civil Liberties Union
Reno v. American Civil Liberties Union, 521 U.S. 844 (1997)
Source quote: "The interest in encouraging freedom of expression in a democratic society outweighs any theoretical but unproven benefit of censorship."
Issue: Whether the Communications Decency Act's restrictions on "indecent" and "patently offensive" online communications violated the First Amendment.
Rule: Content-based restrictions on internet speech receive stringent First Amendment scrutiny and must be narrowly tailored; broad, vague restrictions that suppress substantial protected adult speech are unconstitutional.
Application:
- Plaintiff: The ACLU and other challengers argued that the CDA's undefined and broad restrictions chilled protected online speech and imposed criminal liability on speakers across a uniquely open medium.
- Defendant: The United States argued that Congress could restrict indecent online communications to protect minors and analogized the internet to other regulated media.
- Court: The Court rejected the broadcast and zoning analogies, treated the internet as entitled to strong speech protection, and held that the CDA's breadth and lack of narrow tailoring burdened protected speech.
Conclusion: The judgment enjoining the challenged provisions was affirmed; Reno is foundational for online speech, platform regulation, and constitutional limits on internet content controls.
Significance: Establishes strong First Amendment protection for internet speech against broad content-based restrictions. (Cornell LII: "freedom of expression in a democratic society outweighs any theoretical but unproven benefit of censorship.")
References used:
- Reno v. American Civil Liberties Union, 521 U.S. 844 (1997), Cornell LII opinion
- Reno v. American Civil Liberties Union, 521 U.S. 844 (1997), Cornell LII syllabus
Google LLC v. Oracle America, Inc.
Google LLC v. Oracle America, Inc., 593 U.S. 1 (2021)
Source quote: "Google’s copying of the Java SE API, which included only those lines of code that were needed to allow programmers to put their accrued talents to work in a new and transformative program, was a fair use of that material as a matter of law."
Issue: Whether Google's copying of Java SE API declaring code for Android was fair use under copyright law.
Rule: Fair use is a flexible doctrine that considers purpose and character, nature of the work, amount used, and market effect; in the software context, limited copying of interface code may be fair use when it enables transformative reimplementation and interoperability.
Application:
- Plaintiff: Oracle argued that Google copied protected declaring code and organizational structure from Java SE and used it in a competing platform without permission.
- Defendant: Google argued that it copied only what was needed for programmers to use familiar commands in a new smartphone environment and that its use was transformative and interoperability-enhancing.
- Court: The Court assumed copyrightability for argument's sake and held that the fair-use factors favored Google, emphasizing the functional character of APIs, the limited amount copied relative to the whole, transformative platform use, and lack of market substitution.
Conclusion: The Federal Circuit was reversed; Google v. Oracle is foundational for software interoperability, API reuse, and fair-use analysis in platform engineering.
Significance: Supports fair-use analysis for limited API reuse that enables interoperability and developer skill transfer. (Cornell LII: "needed to allow programmers to put their accrued talents to work in a new and transformative program.")
Clapper v. Amnesty International USA
Clapper v. Amnesty International USA, 568 U.S. 398 (2013)
Source quote: "threatened injury must be certainly impending to constitute injury in fact"
Issue: Whether attorneys, journalists, and advocacy organizations had Article III standing to challenge FISA Amendments Act surveillance based on a risk that their international communications would be intercepted.
Rule: Article III requires injury that is concrete, particularized, and actual or imminent; threatened future injury must be certainly impending, and plaintiffs cannot manufacture standing by incurring costs to avoid speculative future harm.
Application:
- Plaintiff: The respondents argued that their sensitive international communications were likely to be intercepted under Section 702 and that they had already incurred costs to protect confidentiality.
- Defendant: The government argued that the alleged injury depended on a speculative chain of decisions by intelligence officials, the Foreign Intelligence Surveillance Court, service providers, and foreign contacts.
- Court: The Court held that the respondents' feared injury was too speculative and that self-imposed mitigation costs based on a non-certain future harm could not create standing.
Conclusion: The Court reversed and held that respondents lacked Article III standing; Clapper is foundational for future-harm and surveillance-risk standing analysis.
Significance: Sets a high bar for future-harm standing in surveillance, privacy, and data-risk claims. (Cornell LII: "threatened injury must be certainly impending to constitute injury in fact.")
Spokeo, Inc. v. Robins
Spokeo, Inc. v. Robins, 578 U.S. 330 (2016)
Source quote: "an injury in fact must be both concrete and particularized"
Issue: Whether a plaintiff alleging FCRA statutory violations had adequately pleaded Article III injury in fact when the lower court focused on particularization but not concreteness.
Rule: A plaintiff invoking federal jurisdiction must show an injury in fact that is concrete and particularized, actual or imminent, fairly traceable to the defendant, and likely redressable; a statutory violation alone does not automatically satisfy Article III.
Application:
- Plaintiff: Robins argued that Spokeo published inaccurate information about him and violated his statutory rights under the Fair Credit Reporting Act.
- Defendant: Spokeo argued that Robins had not pleaded a concrete injury sufficient for federal jurisdiction.
- Court: The Court held that the Ninth Circuit's standing analysis was incomplete because it addressed particularization but not the independent concreteness requirement.
Conclusion: The judgment was vacated and remanded; Spokeo is foundational for statutory privacy and data-accuracy standing analysis.
Significance: Prevents statutory privacy violations from automatically becoming federal cases without concrete harm. (Cornell LII: "an injury in fact must be both concrete and particularized.")
TransUnion LLC v. Ramirez
TransUnion LLC v. Ramirez, 594 U.S. 413 (2021)
Source quote: "No concrete harm, no standing."
Issue: Whether every class member whose credit file contained an allegedly misleading OFAC alert had Article III standing to seek damages when many alerts were not disseminated to third parties.
Rule: Article III standing for damages requires concrete harm. A statutory violation, internal inaccurate file, or risk of future harm does not itself establish standing for damages without concrete injury.
Application:
- Plaintiff: Ramirez and the class argued that TransUnion violated FCRA duties by maintaining misleading OFAC alerts and sending defective mailings.
- Defendant: TransUnion argued that many class members suffered no concrete harm because their misleading alerts were never disseminated and formatting errors caused no adverse effect.
- Court: The Court held that the 1,853 class members whose reports were disseminated had concrete reputational harm, but the 6,332 class members whose files were not disseminated lacked standing for the reasonable-procedures damages claim.
Conclusion: The judgment was reversed and remanded; TransUnion is foundational for concrete-harm requirements in privacy, consumer reporting, and data-breach class actions.
Significance: Requires concrete harm for damages standing across privacy and consumer-data class actions. (Cornell LII: "No concrete harm, no standing.")
FTC v. Wyndham Worldwide Corp.
FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015)
Source quote: "Wyndham engaged in unfair cybersecurity practices that, taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."
Issue: Whether the FTC could bring an unfairness claim under Section 5 of the FTC Act based on allegedly unreasonable cybersecurity practices, and whether Wyndham had fair notice that its cybersecurity practices could fall short of the Act.
Rule: Section 5 unfairness can reach cybersecurity practices that cause or are likely to cause substantial consumer injury that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits.
Application:
- Plaintiff: The FTC alleged that Wyndham's deficient cybersecurity practices, taken together, unreasonably exposed consumer payment-card data to unauthorized access and theft.
- Defendant: Wyndham argued that the FTC lacked authority to regulate cybersecurity through unfairness and that it lacked fair notice of what cybersecurity practices Section 5 required.
- Court: The Third Circuit affirmed denial of Wyndham's motion to dismiss, holding that the FTC had authority to pursue cybersecurity unfairness claims and rejecting Wyndham's fair-notice argument at that stage.
Conclusion: The FTC's authority was affirmed; Wyndham became the foundational appellate cybersecurity case for FTC Section 5 reasonable-security enforcement.
Significance: Establishes FTC unfairness as a central legal foundation for cybersecurity reasonable-security obligations. (FTC Third Circuit opinion PDF: "We thus affirm the District Court's decision.")
References used:
- FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), Third Circuit opinion via FTC
- FTC case page, Wyndham Worldwide Corporation
- FTC stipulated order for injunction
Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc.
Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984)
Source quote: "If the intent of Congress is clear, that is the end of the matter."
Issue: Whether EPA's interpretation of the Clean Air Act term "stationary source" was entitled to judicial deference.
Rule: Under Chevron, courts first ask whether Congress directly spoke to the precise question; if the statute is silent or ambiguous, courts defer to a permissible agency interpretation.
Application:
- Plaintiff: NRDC argued that EPA's plantwide definition undermined statutory pollution-control requirements.
- Defendant: Chevron and EPA defended the agency's interpretation as a reasonable construction of ambiguous statutory language.
- Court: The Court held that EPA's interpretation was reasonable and entitled to deference under the agency-deference framework.
Conclusion: EPA's interpretation was upheld; Chevron became the foundational administrative-law doctrine for agency statutory interpretation until Loper Bright overruled it.
Significance: Shows the former baseline under which agencies often received deference for reasonable readings of ambiguous regulatory statutes. (Cornell LII: "the court must give effect to the unambiguously expressed intent of Congress.")
King v. Burwell
King v. Burwell, 576 U.S. 473 (2015)
Source quote: "This is not a case for the IRS."
Issue: Whether Affordable Care Act tax credits were available on federal exchanges as well as state exchanges.
Rule: Courts do not presume agency delegation for questions of deep economic and political significance; in such cases, courts may interpret the statute directly.
Application:
- Plaintiff: King argued that statutory text limited tax credits to exchanges established by a state.
- Defendant: Burwell and the government argued that the Act's structure and purpose made credits available on federal exchanges.
- Court: The Court declined to apply ordinary agency-deference assumptions and interpreted the Act to preserve tax credits on both federal and state exchanges.
Conclusion: The IRS interpretation was upheld, but the Court itself resolved the major statutory question; King marks an important limit on automatic deference.
Significance: Supports direct judicial review of major regulatory questions rather than routine agency deference. (Cornell LII: "Had Congress wished to assign that question to an agency, it surely would have done so expressly.")
West Virginia v. Environmental Protection Agency
West Virginia v. Environmental Protection Agency, 597 U.S. 697 (2022)
Source quote: "A decision of such magnitude and consequence rests with Congress itself."
Issue: Whether EPA had authority under the Clean Air Act to adopt a generation-shifting emissions approach of broad economic and political significance.
Rule: Under the major questions doctrine, agencies need clear congressional authorization to decide issues of vast economic and political significance.
Application:
- Plaintiff: West Virginia and other challengers argued that EPA claimed transformative authority without clear statutory authorization.
- Defendant: EPA argued that the Clean Air Act authorized the generation-shifting approach as a system of emission reduction.
- Court: The Court held that EPA lacked clear congressional authorization for the asserted power and invalidated the approach.
Conclusion: The Court constrained EPA's claimed authority; West Virginia v. EPA anchors major-questions challenges to expansive agency rulemaking.
Significance: Sets the clear-statement frame for broad agency claims that reshape regulated industries. (Cornell LII: "We presume that Congress intends to make major policy decisions itself, not leave those decisions to agencies.")
Loper Bright Enterprises v. Raimondo
Loper Bright Enterprises v. Raimondo, 603 U.S. 369 (2024)
Source quote: "Chevron is overruled."
Issue: Whether courts should continue deferring to agency interpretations of ambiguous statutes under Chevron.
Rule: The Administrative Procedure Act requires courts to exercise independent judgment in deciding whether an agency acted within statutory authority; ambiguity alone does not justify deference.
Application:
- Plaintiff: Regulated fishing companies argued that the statute did not authorize the agency to require industry-funded monitoring.
- Defendant: The government defended the rule under agency interpretive authority and prior deference doctrine.
- Court: The Court overruled Chevron and held that courts, not agencies, must decide statutory meaning independently.
Conclusion: The judgments were vacated and remanded; Loper Bright resets judicial review of agency statutory interpretation.
Significance: Reshapes challenges to cybersecurity and privacy regulations by shifting interpretive authority from agencies back to courts. (Cornell LII: "courts may not defer to an agency interpretation of the law simply because a statute is ambiguous.")
References used:
- Loper Bright Enterprises v. Raimondo, 603 U.S. 369 (2024), Cornell LII
- Loper Bright Enterprises v. Raimondo, Supreme Court PDF
Van Buren v. United States
Van Buren v. United States, 593 U.S. 374 (2021)
Source quote: "an individual 'exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer... that are off limits to him."
Issue: Whether a person violates the CFAA by accessing information for an improper purpose when the person is otherwise authorized to access that information.
Rule: The CFAA's exceeds-authorized-access clause is gate-based: it covers access to information one is not entitled to obtain, not misuse of information one is allowed to access.
Application:
- Plaintiff: The government argued that Van Buren exceeded authorized access by querying a law-enforcement database for an improper personal purpose.
- Defendant: Van Buren argued that he had authorized access to the database and that misuse of permitted access was not a CFAA crime.
- Court: The Court adopted the narrower gate-based reading and rejected a purpose-based theory that would criminalize broad policy violations.
Conclusion: The conviction was reversed; Van Buren is foundational for distinguishing unauthorized access from misuse of authorized access.
Significance: Narrows CFAA exposure for insider misuse and ties liability to access boundaries rather than motive alone. (Cornell LII: "Van Buren did not 'excee[d] authorized access' to the database, as the CFAA defines that phrase.")
References used:
New York v. Ferber
New York v. Ferber, 458 U.S. 747 (1982)
Source quote: "The prevention of sexual exploitation and abuse of children constitutes a government objective of surpassing importance."
Issue: Whether a state may prohibit distribution of child sexual abuse material even when the material is not obscene under the ordinary obscenity test.
Rule: The First Amendment does not protect child pornography involving real children when the prohibition is tied to preventing sexual exploitation and abuse.
Application:
- Plaintiff: New York argued that the statute targeted the distribution market that fuels child exploitation.
- Defendant: Ferber argued that the material was constitutionally protected unless obscene under Miller.
- Court: The Court upheld the statute because the state interest in protecting children justified categorical treatment of this material.
Conclusion: The conviction was reinstated; Ferber is foundational for online CSAM enforcement and platform safety obligations.
Significance: Establishes the constitutional basis for categorical CSAM prohibitions tied to real child exploitation. (Cornell LII: "The distribution of photographs and films depicting sexual activity by juveniles is intrinsically related to the sexual abuse of children.")
References used:
Osborne v. Ohio
Osborne v. Ohio, 495 U.S. 103 (1990)
Source quote: "The State may constitutionally proscribe the possession and viewing of child pornography."
Issue: Whether Ohio could criminalize possession of child pornography consistent with the First Amendment and due process.
Rule: A state may prohibit possession of child pornography when the law targets materials tied to child exploitation and is properly narrowed.
Application:
- Plaintiff: Ohio argued that possession restrictions reduce demand and protect exploited children from continuing harm.
- Defendant: Osborne argued that private possession was protected and that the statute was overbroad.
- Court: The Court upheld the statute as narrowed by the state supreme court and tied possession liability to child-protection interests.
Conclusion: The judgment was affirmed; Osborne extends CSAM doctrine to possession and storage contexts.
Significance: Supports legal controls on possession and retention of exploitative digital material. (Cornell LII: "It is surely reasonable for the State to conclude that it will decrease the production of child pornography if it penalizes those who possess and view the product.")
References used:
Ashcroft v. Free Speech Coalition
Ashcroft v. Free Speech Coalition, 535 U.S. 234 (2002)
Source quote: "The CPPA prohibits speech that records no crime and creates no victims by its production."
Issue: Whether Congress could ban virtual child pornography and material that appeared to depict minors even when no real children were used.
Rule: Speech may not be categorically banned as child pornography absent the exploitation of real children or obscenity; overbroad restrictions on protected speech violate the First Amendment.
Application:
- Plaintiff: Free Speech Coalition argued that the statute criminalized protected expression and chilled lawful works.
- Defendant: The government argued that virtual material could encourage abuse and undermine enforcement against real CSAM.
- Court: The Court held the challenged provisions overbroad because they reached protected speech beyond Ferber and Miller.
Conclusion: The Ninth Circuit was affirmed; Ashcroft is foundational for synthetic-content limits and First Amendment overbreadth analysis.
Significance: Draws the constitutional line between real-exploitation CSAM and protected virtual or synthetic expression. (Cornell LII: "Virtual child pornography is not 'intrinsically related' to the sexual abuse of children.")
References used:
- Ashcroft v. Free Speech Coalition, 535 U.S. 234 (2002), Cornell LII syllabus
- Ashcroft v. Free Speech Coalition, 535 U.S. 234 (2002), Cornell LII opinion
Elonis v. United States
Elonis v. United States, 575 U.S. 723 (2015)
Source quote: "wrongdoing must be conscious to be criminal."
Issue: Whether conviction under 18 U.S.C. § 875(c) for online threats can rest on how a reasonable person would view the statements, without proof of a culpable mental state.
Rule: Criminal threat liability under the federal statute requires more than negligence; the government must prove a culpable mental state regarding the threatening nature of the communication.
Application:
- Plaintiff: The United States argued that the posts were objectively threatening and sufficient for conviction.
- Defendant: Elonis argued that he lacked the required mental state and that negligence was insufficient for criminal liability.
- Court: The Court reversed because the jury instructions allowed conviction on a negligence-like standard.
Conclusion: The conviction was reversed; Elonis is foundational for mens rea requirements in online-threat prosecutions.
Significance: Prevents criminal online-threat liability from resting only on how a reasonable observer interprets a post. (Cornell LII: "The jury was instructed that the Government need prove only that a reasonable person would regard Elonis's communications as threats.")
References used:
Counterman v. Colorado
Counterman v. Colorado, 600 U.S. 66 (2023)
Source quote: "The State must prove in true-threats cases that the defendant had some understanding of his statements' threatening character."
Issue: Whether the First Amendment permits conviction for true threats using only an objective standard, without proof of the speaker's mental state.
Rule: True-threat prosecutions require at least recklessness as to whether the communication would be understood as threatening.
Application:
- Plaintiff: Colorado argued that repeated direct messages caused fear and satisfied an objective true-threat standard.
- Defendant: Counterman argued that the First Amendment required proof of subjective fault.
- Court: The Court held that recklessness is the constitutional minimum and vacated the conviction.
Conclusion: The conviction was vacated; Counterman defines the constitutional mens rea floor for true-threat cases.
Significance: Sets the First Amendment fault threshold for prosecuting threatening online messages and harassment. (Cornell LII: "The State must show that the defendant consciously disregarded a substantial risk that his communications would be viewed as threatening violence.")
References used:
Gonzalez v. Google LLC
Gonzalez v. Google LLC, 598 U.S. 617 (2023)
Source quote: "We therefore decline to address the application of §230 to a complaint that appears to state little, if any, plausible claim for relief."
Issue: Whether Section 230 barred claims against Google based on YouTube recommendations allegedly connected to ISIS content.
Rule: The Court did not resolve Section 230; it vacated and remanded because the underlying claims appeared deficient in light of the companion Twitter v. Taamneh decision.
Application:
- Plaintiff: Gonzalez's family argued that Google should face liability for YouTube recommendations and alleged support of terrorist content.
- Defendant: Google argued that Section 230 and pleading deficiencies barred liability.
- Court: The Court declined to decide the Section 230 question because the complaint appeared to fail independently under terrorism-liability doctrine.
Conclusion: The judgment was vacated and remanded; Gonzalez is foundational for understanding the unresolved boundary between recommendation systems and platform immunity.
Significance: Signals that platform-liability cases may fail on substantive causation and aiding-and-abetting grounds before Section 230 is reached. (Cornell LII: "much (if not all) of plaintiffs' complaint seems to fail under either our decision in Twitter or the Ninth Circuit's unchallenged holdings below.")
References used:
Selection Criteria
- The entry is a legal doctrine anchor rather than a cybersecurity incident or enforcement remediation story.
- The authority is useful across multiple technical contexts.
- The page can explain the legal rule and security-law relevance without generating board, regulatory, legal-technical, policy, public-communication, or operational case-pack documents.