Supreme Court to Hear First Major CFAA Case – Heaven32

The Supreme Court will hear arguments Monday, in a case that could lead to sweeping changes in controversial US hacking laws, affecting the way millions of people use their computers and access online services.

The Computer Fraud and Abuse Act became federal law in 1986 and predates the modern Internet as we know it, but to this day it governs what constitutes hacking or “unauthorized” access to a computer or computer. to a network. The controversial law was designed to prosecute hackers, but has been dubbed the “worst law” on tech law books written by critics who say their vague and outdated language does not protect bona fide hackers from finding and exposing security holes.

At the center of the case is Nathan Van Buren, a former police sergeant in Georgia. Van Buren used his access to a database of police license plates to search for acquaintance in exchange for money. Van Buren was arrested and prosecuted on two counts: accepting a bribe for accessing the police database and violating the CFAA. The first conviction was overturned, but the CFAA conviction was upheld.

Van Buren may have been granted access to the database through his police work, but the question of whether he exceeded his access remains the main legal question.

Orin Kerr, professor of law at the University of California at Berkeley, said Van Buren v United States it was an “ideal case” for the Supreme Court. “The question could not be presented more properly,” he argued. in a blog post

in April.

The Supreme Court will attempt to clarify the decades-old law by deciding what the “unauthorized” access law means. But it is not a simple answer in itself.

“The Supreme Court’s opinion in this case could decide whether millions of ordinary Americans commit a federal crime whenever they engage in computer activities that, while common, do not correspond to an online service or to the terms of use. of the employer, ”said Riana Pfefferkorn. Associate Director of Surveillance and Cyber ​​Security at Stanford University Law School. (Pfefferkorn’s colleague Jeff Fisher represents Van Buren on the Supreme Court.)

How the Supreme Court will determine what “unauthorized” means is a guess. The court can define unauthorized access anywhere violate a site’s terms of service to log into a system for which a person does not have a user account.

Pfefferkorn said that a wide read of the CFAA could criminalize anything lying on a dating profile, password sharing to a streaming service or using a work computer for personal use in violation of employer’s policies.

But the possible Supreme Court ruling could also have far-reaching ramifications for bona fide hackers and security researchers who deliberately break systems to make them more secure. Hackers and security researchers have operated for decades in a gray legal area as the law as drafted exposes their work to prosecution, even though the goal is to improve cybersecurity.

Tech companies have for years encouraged hackers to communicate privately with security bugs. In return, companies repair their systems and pay hackers for their work. Mozilla, DropboxYes You’re here They are among the few companies that have taken it one step further by promising not to prosecute bona fide hackers under the CFAA. Not all companies welcome the review and have not stood up to the trend threatening to sue investigators about their findings, and in some cases actively initiate legal action to avoid unflattering headlines.

Security researchers are no strangers to legal threats, but a Supreme Court ruling against Van Buren could have a chilling effect on their work and lead to the vulnerability being exposed underground.

“If there are potential criminal (and civil) consequences for violating the policy on the use of a computerized system, this would give the owners of such systems the power to prohibit good faith security investigations and prevent investigators will reveal any vulnerabilities that found in these systems, ”Pfefferkorn said. . “Even inadvertently coloring outside the lines of a bug bounty rule set could expose an investigator to liability.”

“The court now has the opportunity to resolve the ambiguity over the scope of the law and make it safer for security investigators to do their job when needed by tightly building the CFAA,” Pfefferkorn said. “We cannot afford to scare people who want to improve cybersecurity.”