
CFAA 101: A Computer Fraud & Abuse Act Primer for InfoSec Pros

From WarGames, to Aaron Swartz, to bug bounties, to Van Buren, here's what cybersecurity researchers should know about the US's primary anti-hacking law before it gets its day in the Supreme Court.

The facts of the case are straightforward: Georgia police officer Nathan Van Buren was convicted and sentenced to 18 months in jail for accepting a bribe to look up a license plate on a state computer that he was authorized to use for that purpose.

The question at hand is whether Van Buren, or anyone else, who is authorized to access information on a computer violates Section 1030(a)(2) of the CFAA if they access the same information for an improper purpose. That section states:

Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains:

(a) information contained in a financial record of a financial institution, or of a card issuer as defined in Section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. §1681 et seq.);

(b) information from any department or agency of the United States; or

(c) information from any protected computer if the conduct involved an interstate or foreign communication… shall be punished as provided in subsection (c) of this section.

Depending on how the Supreme Court rules, the Van Buren case could improve or constrict the legal standing of cybersecurity research. 

Broad but not Universal Support From Tech
While many digital rights groups, tech organizations, and independent experts have filed amicus briefs with the court supporting Van Buren, not all tech companies are in agreement. Voatz, a blockchain-based online electronic voting vendor, filed a brief in favor of the government's position in Van Buren — earning the ire of security experts, more than 70 of whom signed a letter slamming the mobile-voting company.

That's at odds with the history of the CFAA, says Andrew Crocker, senior staff attorney at the Electronic Frontier Foundation. "There's clearly a lot of people in the industry, from major firms to individual hackers, that are worried about this case law. In my work counseling these people, the CFAA comes up 99% of the time," he says. 

Crocker hopes the court has taken the case to clarify some of the less clear parts of the law. "The CFAA doesn't affect just cutting-edge research discussed at DEFCON. It can affect just the first step. Standing up for open ports, running a doorbuster, basic stuff," he says. "I'm not sure that the general public gets that."


To wrap things up, here's a handy CFAA timeline, originally posted on The Parallax.