Supreme Court Skeptical About Law That Could Have a Chilling Effect on Security Research

The Supreme Court on Monday expressed skepticism about the sweeping nature of the 1986 Computer Fraud and Abuse Act, claiming that the cybercrime law — the only one of its kind in the United States — could lead to a slippery slope where average Americans are criminalized for innocuous transgressions like checking Facebook at work.

The reexamination of the law comes during arguments for a case involving a Georgia police officer convicted of violating the Act after he accessed a license plate database during an attempt to obtain information on a strip club dancer in what lawyers argued was an improper manner. Lawyers for the officer, Nathan Van Buren, say that he did not violate the CFAA and, in fact, had legitimate access to the database through the course of his work.

The case — the first significant challenge to the scope of the CFAA to reach the nation’s highest court — spurred a string of amicus briefs from a wide range of technology, privacy and cybersecurity experts, many of whom argued that the law could discourage computer researchers and good-faith hackers from uncovering and disclosing security flaws.

“Under the government’s broad interpretation of the CFAA, standard security research practices — such as accessing publicly available data in a manner beneficial to the public yet prohibited by the owner of the data — can be highly risky,” one group of experts wrote.

Despite arguments from the government’s lawyer, Deputy Solicitor General Eric Feigin, that anxieties about overzealous enforcement of the law were overhyped, many of the Justices seemed concerned about the law’s broad scope.

According to Justice Neil Gorsuch, the DOJ’s argument threatened to “[make] a federal criminal of us all.” Justice Sonia Sotomayor argued that the government was “...asking us to write definitions to narrow what could otherwise be viewed as a very broad statute, and dangerously vague.”

Other members of the bench raised concerns about the key terms outlined in the statute.

“What is this statute talking about when it speaks of information in the computer?” Justice Samuel Alito asked at one point. “All information that somebody obtains on the web is in the computer in a sense. I have a feeling that’s not what Congress was thinking about when it adopted this [law].”

While the Supreme Court’s decision will undoubtedly have far-reaching implications for security researchers in particular, the case could also affect the lives of millions of average Americans who could, under certain broad interpretations of the law, be found in violation of it just for lying on a dating profile, checking social media at work or committing any other innocuous act that violates an online service’s terms of use.

DISCUSSION

One of the biggest problems with the law is that it predated the internet. Before the internet, it would have been difficult to accidentally get into someone's system. You basically had to hack it. The language used in the law is inappropriate and excessively vague for today.

My personal opinion is that the prosecutor overreached with the law. The cop definitely abused his position, but did he actually “hack” into a system using his own userID and password? The issue is more akin to using his patrol car as a taxi or selling information that was not his to sell. You can also say it is akin to selling state secrets. The problem is that that state/municipality may not have a law in the books that explicitly covers his crime.