If a person is authorized to access data for one purpose, is it a crime for them to access that data for an “improper” purpose? That question lies at the heart of a case the US Supreme Court will hear next month — the first time it will ever hear oral arguments on the Computer Fraud and Abuse Act (CFAA).
The case could have serious implications for cybersecurity researchers. Here’s what you should know about the CFAA, as it works today.
What Is the CFAA?
The CFAA, (also known as 18 US Code 1030), is the pre-eminent anti-hacking law in the United States. The CFAA was first signed into law by President Ronald Reagan in 1986 (three years after the movie WarGames spooked the White House). Since then, the CFAA — an update to 1984’s Comprehensive Crime Control Act — has been amended eight times to address newer cybersecurity threats.
As of today, the CFAA can apply to criminal as well as civil lawsuits; it covers all federal computer systems and all privately owned computers used in interstate or international commerce.
Prison sentences under the CFAA vary, ranging from one year for “trafficking in passwords” to 10 years for “obtaining national security information.”
What Does It Have to Do With Security Research?
The broad phrasing of the statute could allow prosecutors to charge CFAA violations for just about any computer, network, or website-based research. In addition, the government can seize property used in crimes charged under the CFAA.
There are several specific phrases in the statute security pros should know:
• “authorization”: Crucial to the CFAA is the concept of “authorization” — although the law doesn’t define the term. Conceptually, authorization for security researchers means the owner of the computing resource has explicitly given them permission to conduct their activities. This need for authorization is part of the reason for the existence of vulnerability disclosure agreements.
These agreements clarify and codify what authorization the owner of the computer, network, or web server has granted to researchers. However, important security research (such as investigating bias in algorithms) is often conducted without permission — and has even been the subject of a CFAA lawsuit.
• “unauthorized access”/”exceeds authorized access”: What the CFAA does say is that “unauthorized access” is “hacking.” Similarly, the phrase “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.”
This phrase is a central component of the case that will be heard in the Supreme Court next month. More on this below.
• “obtaining anything of value”: Another important but unclear phrase in the CFAA concerns “obtain[ing] anything of value,” which can be construed to include data accessed or taken. The law does prevent prosecution if the object of the fraud, and the only “things” obtained are the use of the computer and/or a monetary value of $5,000 or less in a one-year period.
• “damage”: The law further covers “damage” to a computer or information stored on the computer, meaning “impairment to the integrity or availability of data, a program, a system, or information.”
How Has the CFAA Been Enforced in the Past?
Enforcement has varied. The CFAA has been used to indict nation-state cyberattackers and issue heavy prison sentences to prolific cybercriminals. However, it has also been used in the past for less severe offenses.
The most notorious case was brought against Aaron Swartz in 2011 for downloading articles from academic journals. An Internet activist and computer programmer who helped create Reddit, Swartz was charged with 11 violations of the CFAA and two counts of federal wire fraud. He faced 35 years in prison and more than $1 million in fines. Swartz killed himself in 2013 after prosecutors refused to agree to a plea deal.
In the late 1990s, the CFAA was used to prosecute computer security contractors in Texas and Georgia for attacking networks whose security they were hired to test, and a Wisconsin high-school student who wrote about school computer system security flaws for an underground high-school paper.
The CFAA has also been invoked by companies more broadly to charge individuals for violating terms of service, for example, or using bot crawlers. This has met with mixed success.
Does the CFAA protect White Hat Security Research?
Aaron’s Law, a CFAA amendment proposed in the aftermath of Swartz’s suicide, twice failed to pass Congress.
Had it succeeded, Aaron’s Law would have protected security researchers, hackers, casual tinkerers, and privacy advocates from criminal prosecution, and prevent people caught violating a website or software application’s terms of service from receiving prison time.
So if Aaron’s Law Didn’t Pass, Why Aren’t All Security Pros in Jail Now?
Despite the lack of reform, computer security and privacy experts and their allies have taken steps to carve out legal protections under the CFAA as best they can, says Harley Geiger, director of public policy at cybersecurity company Rapid7.
What’s important for people whose livelihoods and interests depend on avoiding charges of violating the CFAA, he says, is authorization.
“The CFAA hinges on authorization, and that means whether you’re authorized to use, hack, or image a computer,” says Geiger, who worked extensively on Aaron’s Law from 2012 to 2014 as senior legislative counsel for the bill’s co-author, Rep. Zoe Lofgren (D-Calif.).
“Bug bounty and vulnerability disclosure policies have been a bright spot in the progress for security researchers over the past few years,” he says. “But their protective powers are limited. Bug bounties and vulnerability disclosure policies define the scope of authorization. Anything outside that is vulnerable to the CFAA.”
What Will the Supreme Court be Reviewing?
As the scope of the CFAA has broadened, so has the impact of computer technology on the world. But for all the ways that computing has changed since 1986, the CFAA has never faced the scrutiny of the highest court in the nation.
That will change Nov. 30, when the Supreme Court is scheduled to hear oral arguments in Nathan Van Buren v. United States, a criminal case that hinges on the alleged improper use of a computer and network.
(‘Supreme Court review’ continued on next page)
Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also … View Full Bio
1 of 2