The Supreme Courtroom will hear its first main CFAA case


The Supreme Court on Monday will hear arguments in a case that could lead to profound changes to controversial American computer hacking laws – and affect how millions use their computers and access online services.

The Computer Fraud and Abuse Act was incorporated into federal law in 1986 and predates the modern Internet as we know it. However, it still regulates what constitutes hacking – or "unauthorized" access to a computer or network. The controversial law was designed to prosecute hackers, but has been called the "worst law" by critics who say it is outdated and vague language that in good faith does not protect hackers from finding and exposing security vulnerabilities referred to in the books on technology law.

At the center of the case is Nathan Van Buren, a former Georgia police sergeant. Van Buren used his access to a police license plate database to look for an acquaintance in exchange for cash. Van Buren was caught and prosecuted for two reasons: He accepted a setback for accessing the police database and he broke the CFAA. The first conviction was overturned, but the CFAA's conviction was confirmed.

Van Buren may have been given access to the database as part of his police work, but whether he exceeded his access remains the central legal issue.

Orin Kerr, a law professor at the University of California at Berkeley, said Van Buren v. The United States was an "ideal case" for the Supreme Court. "The question couldn't be asked any cleaner," he argued in a blog post in April.

The Supreme Court will seek to clarify the decade-old law by deciding what the law means by "unauthorized" access. However, this is not an easy answer.

"The Supreme Court's opinion on this case could determine whether millions of common Americans are committing a federal crime for engaging in computer activities that are common but incompatible with an online service or employer's terms of service," said Riana Pfefferkorn. Associate Director of Surveillance and Cybersecurity at Stanford University Law School. (Pfefferkorn's colleague Jeff Fisher represents Van Buren on the Supreme Court.)

How the Supreme Court will determine what "unauthorized" means is unclear. The court can define unauthorized access from violating the terms of use of a website to logging into a system for which an individual does not have a user account.

Pfefferkorn said a broad reading of the CFAA could criminalize anything that consists of lying on a dating profile, giving the password to a streaming service, or using a work computer for personal use, which is against an employer's guidelines violates.

However, the eventual Supreme Court decision could also have far-reaching implications for bona fide hackers and security researchers who deliberately break systems to make them more secure. Hackers and security researchers have worked in a legal gray area for decades because the law in its written form prosecutes their work, even if the goal is to improve cybersecurity.

Tech companies have been encouraging hackers to deal with security vulnerabilities privately for years. In return, the companies repair their systems and pay the hackers for their work. Mozilla, Dropbox and Tesla are among the few companies that have gone a step further and promised not to sue any bona fide hackers under the CFAA. Not all companies welcome the audit and buck the trend by threatening to sue researchers over their findings and, in some cases, actively taking legal action to avoid flattering headlines.

Security researchers are no stranger to legal threats, but a Supreme Court ruling that rules against Van Buren could have a deterrent effect on their work and spur underground security vulnerability disclosure.

"If there are potential criminal (and civil) consequences for violating the usage guidelines of a computer system, the owners of such systems can prohibit trusted security research and prevent researchers from disclosing vulnerabilities in these systems," said Pfefferkorn. "Even accidentally coloring outside the limits of a number of bug bounty rules could expose a researcher to liability."

"The court now has the opportunity to remove the ambiguity about the scope of the law and make it safer for security researchers to do their much-needed work by interpreting the CFAA narrowly," said Pfefferkorn. "We can hardly afford to deter people who want to improve cybersecurity."

The Supreme Court will likely decide the case later this year or early next year.

Continue reading: