Dark Reading is part of the Informa Tech Division of Informa PLC


Edge Articles

10/1/2020
03:30 PM
Seth Rosenblatt

CFAA 101: A Computer Fraud & Abuse Act Primer for InfoSec Pros

From WarGames, to Aaron Swartz, to bug bounties, to Van Buren, here's what cybersecurity researchers should know about the US's primary anti-hacking law before it gets its day in the Supreme Court.

The facts of the case are straightforward: Georgia police officer Nathan Van Buren was convicted and sentenced to 18 months in jail for accepting a bribe to look up a license plate on a state computer that he was authorized to use for that purpose.

The question at hand is whether Van Buren, or anyone else, who is authorized to access information on a computer violates Section 1030(a)(2) of the CFAA if they access the same information for an improper purpose. That section states:

Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains:

(a) information contained in a financial record of a financial institution, or of a card issuer as defined in Section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. §1681 et seq.);

(b) information from any department or agency of the United States; or

(c) information from any protected computer if the conduct involved an interstate or foreign communication… shall be punished as provided in subsection (c) of this section.

Depending on how the Supreme Court rules, the Van Buren case could improve or constrict the legal standing of cybersecurity research. 

Broad but not Universal Support From Tech
While many digital rights groups, tech organizations, and independent experts have filed amicus briefs with the court supporting Van Buren, not all tech companies are in agreement. Voatz, a blockchain-based online electronic voting vendor, filed a brief in favor of the government's position in Van Buren — earning the ire of security experts, more than 70 of whom signed a letter slamming the mobile-voting company

That's at odds with the history of the CFAA, says Andrew Crocker, senior staff attorney at the Electronic Frontier Foundation. "There's clearly a lot of people in the industry, from major firms to individual hackers, that are worried about this case law. In my work counseling these people, the CFAA comes up 99% of the time," he says. 

Crocker hopes the court has taken the case to clarify some of the less clear parts of the law. "The CFAA doesn't affect just cutting-edge research discussed at DEFCON. It can affect just the first step. Standing up for open ports, running a doorbuster, basic stuff," he says. "I'm not sure that the general public gets that."

 

To wrap things up, here's a handy CFAA timeline, originally posted on The Parallax.  

Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also ...