If a person is authorized to access data for one purpose, is it a crime for them to access that data for an "improper" purpose? That question lies at the heart of a case the US Supreme Court will hear next month — the first time it will ever hear oral arguments on the Computer Fraud and Abuse Act (CFAA).
The case could have serious implications for cybersecurity researchers. Here's what you should know about the CFAA, as it works today.
What Is the CFAA?
The CFAA, (also known as 18 US Code 1030), is the pre-eminent anti-hacking law in the United States. The CFAA was first signed into law by President Ronald Reagan in 1986 (three years after the movie WarGames spooked the White House). Since then, the CFAA — an update to 1984's Comprehensive Crime Control Act — has been amended eight times to address newer cybersecurity threats.
As of today, the CFAA can apply to criminal as well as civil lawsuits; it covers all federal computer systems and all privately owned computers used in interstate or international commerce.
Prison sentences under the CFAA vary, ranging from one year for "trafficking in passwords" to 10 years for "obtaining national security information."
What Does It Have to Do With Security Research?
The broad phrasing of the statute could allow prosecutors to charge CFAA violations for just about any computer, network, or website-based research. In addition, the government can seize property used in crimes charged under the CFAA.
There are several specific phrases in the statute security pros should know:
• "authorization": Crucial to the CFAA is the concept of "authorization" -- although the law doesn't define the term. Conceptually, authorization for security researchers means the owner of the computing resource has explicitly given them permission to conduct their activities. This need for authorization is part of the reason for the existence of vulnerability disclosure agreements.
These agreements clarify and codify what authorization the owner of the computer, network, or web server has granted to researchers. However, important security research (such as investigating bias in algorithms) is often conducted without permission — and has even been the subject of a CFAA lawsuit.
• "unauthorized access"/"exceeds authorized access": What the CFAA does say is that "unauthorized access" is "hacking." Similarly, the phrase "exceeds authorized access" means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter."
This phrase is a central component of the case that will be heard in the Supreme Court next month. More on this below.
• "obtaining anything of value": Another important but unclear phrase in the CFAA concerns "obtain[ing] anything of value," which can be construed to include data accessed or taken. The law does prevent prosecution if the object of the fraud, and the only "things" obtained are the use of the computer and/or a monetary value of $5,000 or less in a one-year period.
• "damage": The law further covers "damage" to a computer or information stored on the computer, meaning "impairment to the integrity or availability of data, a program, a system, or information."
How Has the CFAA Been Enforced in the Past?
Enforcement has varied. The CFAA has been used to indict nation-state cyberattackers and issue heavy prison sentences to prolific cybercriminals. However, it has also been used in the past for less severe offenses.
The most notorious case was brought against Aaron Swartz in 2011 for downloading articles from academic journals. An Internet activist and computer programmer who helped create Reddit, Swartz was charged with 11 violations of the CFAA and two counts of federal wire fraud. He faced 35 years in prison and more than $1 million in fines. Swartz killed himself in 2013 after prosecutors refused to agree to a plea deal.
In the late 1990s, the CFAA was used to prosecute computer security contractors in Texas and Georgia for attacking networks whose security they were hired to test, and a Wisconsin high-school student who wrote about school computer system security flaws for an underground high-school paper.
The CFAA has also been invoked by companies more broadly to charge individuals for violating terms of service, for example, or using bot crawlers. This has met with mixed success.
Does the CFAA protect White Hat Security Research?
Aaron's Law, a CFAA amendment proposed in the aftermath of Swartz's suicide, twice failed to pass Congress.
Had it succeeded, Aaron's Law would have protected security researchers, hackers, casual tinkerers, and privacy advocates from criminal prosecution, and prevent people caught violating a website or software application's terms of service from receiving prison time.
So if Aaron's Law Didn't Pass, Why Aren't All Security Pros in Jail Now?
Despite the lack of reform, computer security and privacy experts and their allies have taken steps to carve out legal protections under the CFAA as best they can, says Harley Geiger, director of public policy at cybersecurity company Rapid7.
What's important for people whose livelihoods and interests depend on avoiding charges of violating the CFAA, he says, is authorization.
"The CFAA hinges on authorization, and that means whether you're authorized to use, hack, or image a computer," says Geiger, who worked extensively on Aaron's Law from 2012 to 2014 as senior legislative counsel for the bill's co-author, Rep. Zoe Lofgren (D-Calif.).
"Bug bounty and vulnerability disclosure policies have been a bright spot in the progress for security researchers over the past few years," he says. "But their protective powers are limited. Bug bounties and vulnerability disclosure policies define the scope of authorization. Anything outside that is vulnerable to the CFAA."
What Will the Supreme Court be Reviewing?
As the scope of the CFAA has broadened, so has the impact of computer technology on the world. But for all the ways that computing has changed since 1986, the CFAA has never faced the scrutiny of the highest court in the nation.
That will change Nov. 30, when the Supreme Court is scheduled to hear oral arguments in Nathan Van Buren v. United States, a criminal case that hinges on the alleged improper use of a computer and network.
('Supreme Court review' continued on next page)
The facts of the case are straightforward: Georgia police officer Nathan Van Buren was convicted to 18 months in jail for accepting a bribe to look up a license plate on a state computer that he was authorized to use for that purpose.
The question at hand is whether Van Buren, or anyone else, who is authorized to access information on a computer violates Section 1030(a)(2) of the CFAA if they access the same information for an improper purpose. That section states:
Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains:
(a) information contained in a financial record of a financial institution, or of a card issuer as defined in Section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. §1681 et seq.);
(b) information from any department or agency of the United States; or
(c) information from any protected computer if the conduct involved an interstate or foreign communication… shall be punished as provided in subsection (c) of this section.
Depending on how the Supreme Court rules, the Van Buren case could improve or constrict the legal standing of cybersecurity research.
Broad but not Universal Support From Tech
While many digital rights groups, tech organizations, and independent experts have filed amicus briefs with the court supporting Van Buren, not all tech companies are in agreement. Voatz, a blockchain-based online electronic voting vendor, filed a brief in favor of the government's position in Van Buren — earning the ire of security experts, more than 70 of whom signed a letter slamming the mobile-voting company.
That's at odds with the history of the CFAA, says Andrew Crocker, senior staff attorney at the Electronic Frontier Foundation. "There's clearly a lot of people in the industry, from major firms to individual hackers, that are worried about this case law. In my work counseling these people, the CFAA comes up 99% of the time," he says.
Crocker hopes =the court has taken the case to clarify some of the less clear parts of the law. "The CFAA doesn't affect just cutting-edge research discussed at DEFCON. It can affect just the first step. Standing up for open ports, running a doorbuster, basic stuff," he says. "I'm not sure that the general public gets that."
To wrap things up, here's a handy CFAA timeline, originally posted on The Parallax.Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also ... View Full Bio