The Supreme Court on 30th November will hear arguments in a case that could result in profound changes to controversial American computer hacking laws.
The Computer Fraud and Abuse Act (CFAA) was incorporated into federal law back in 1986 and predates the modern Internet as we know it. However, it still regulates what constitutes hacking, or “unauthorized” access to a computer or network.
This law was made to prosecute hackers, but eventually it did more harm than good. Considered by critics to be one of the “worst laws” in the technology law books, it is said to be very outdated and vague. Moreover, the law's language fails to protect good-faith hackers who find and disclose security vulnerabilities.
This law and its outdated nature came to public light during the hearing of the case of Nathan Van Buren, a former Georgia police sergeant.
Van Buren used his access to the police license plate database to run a search for an acquaintance in exchange for $15,000 cash. Van Buren was caught and prosecuted on two counts: accepting a kickback for accessing the police database, and violating the CFAA. The first conviction was overturned, but the CFAA conviction was upheld. Van Buren may have been given access to the database for his police work, but whether he exceeded that access remains a central legal issue.
The Supreme Court will try to clarify the decades-old law by deciding what the law means by “unauthorized” access. But that is not as easy and simple as you might think.
The question that arises in everybody’s mind here is how the Supreme Court will decide what “unauthorized” means. Well, the court could define unauthorized access as anything from violating a site’s terms of service to logging in to a system that a person has no user account for.
According to Riana Pfefferkorn, a broad reading of the CFAA could criminalize anything from lying on a dating profile to sharing the password to a streaming service or using a work computer for personal use in violation of an employer’s policies.
Yes, you read that right. Sharing a password can be criminalized under the CFAA, and that includes sharing your Netflix password with your friends.
The decision by the Supreme Court will have an immense impact on the ethical hackers out there.
Ethical hackers and security researchers have been working for decades to improve cybersecurity by reaching out to tech companies, letting them know about security bugs, and getting paid in return.
Mozilla, Dropbox, and Tesla are among the few companies that have gone a step further by promising not to sue good-faith hackers under the CFAA. Not all companies welcome the scrutiny; some have bucked the trend by threatening to sue researchers over their findings, and in some cases actively launching legal action to prevent unflattering headlines.
Security researchers are no strangers to legal threats, but a Supreme Court decision that rules against Van Buren could have a chilling effect on their work and drive vulnerability disclosure underground.
“The Court now has the chance to resolve the ambiguity over the law’s scope and make it safer for security researchers to do their badly-needed work by narrowly construing the CFAA,” said Pfefferkorn. “We can ill afford to scare off people who want to improve cybersecurity.”
The Supreme Court will likely rule on the case later this year, or early next.