Supreme Court to Review CFAA For First Time

For the first time, the United States Supreme Court has agreed to review a case involving the Computer Fraud and Abuse Act (CFAA), the highly controversial anti-hacking law that many in the civil liberties and digital rights communities have argued is overly broad and punitive. The case could be a landmark in the decades-old effort to narrow the scope of the CFAA.

On Monday, the court granted a petition from Nathan Van Buren, a former police officer in Georgia, to review his case, which involved a charge under the CFAA that he had exceeded his authorized access to a police database. The charge resulted from an FBI sting operation that included recorded conversations between Van Buren and an acquaintance named Andrew Albo who asked Van Buren to run a database search on a license plate number purportedly belonging to a woman he was interested in.

“Petitioner agreed to complete the search. When Albo gave him $5000 in return, petitioner ‘offered to pay Albo back, but Albo waved that off.’ Still, petitioner insisted, ‘I’m not charging for helping you out.’ Several days later, Albo ‘followed up’ with petitioner on the request, bringing him an additional $1000 and the ‘fake license plate number created by the FBI’,” the petition says.

After that exchange, Van Buren ran the license plate number through the Georgia Crime Information Center database, which he had official access to as a law enforcement officer. Van Buren let Albo know that he had the requested information. He was later charged under the CFAA and convicted. On appeal, Van Buren’s legal team argued that the CFAA charge should not hold up because Van Buren had authorization to access the GCIC database, but the Eleventh Circuit Court of Appeals upheld the conviction on the grounds that he had accessed the license plate information for “inappropriate reasons.”

The CFAA is 34 years old and was written at a time when few people had access to computers, let alone had one of their own. For many years, legal scholars have argued that the key language in the law is too broad and encompasses too many types of activity that aren’t malicious hacking. The clause at issue says that anyone who “intentionally accesses a computer without authorization or exceeds authorized access” to obtain information has violated the CFAA. In its explanation for accepting the case, the Supreme Court said the Van Buren case should serve as a method for answering the question of whether someone who obtains information he has authority to access is violating the CFAA by doing so for an unauthorized reason.

“The courts of appeals are openly divided four-to-three over whether a person with permission to access information on a computer violates the Computer Fraud and Abuse Act when he accesses that information for an improper purpose. This Court should use this case to resolve the conflict. This case squarely presents the issue, and the Eleventh Circuit’s expansive construction of the CFAA is incorrect,” the petition said.

“The most natural reading of the CFAA is that a person ‘obtain[s] information in the computer that [he] is not entitled so to obtain,’ only if he had no right at all to access the information. Reading the statute more broadly would criminalize ordinary computer use throughout the country, thereby inviting arbitrary enforcement and flouting the principle that a federal criminal statute should not be construed to encompass a broad swath of everyday behavior unless the statute’s text unambiguously demands that result.”

CFAA prosecutions are very common, and a non-trivial number of them involve activities that have nothing to do with malicious hacking but rather are related to alleged misuse of resources or access to information. The CFAA has been interpreted and utilized in many different ways over time, and the Supreme Court cited those variances as a key reason for taking up the Van Buren case after rejecting many other CFAA cases in the past.

“The question whether such commonplace activities violate the CFAA should not be left unresolved. It is intolerable for a broad swath of conduct to be entirely innocent in parts of the country but to constitute a federal crime in others,” the petition said.

Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, said a change in the interpretation of the CFAA could have a wide range of effects, not just on security research but also on other activities.

"This case has ramifications beyond the computer security context. A narrow reading of the CFAA is also important for other research that depends on the creation of dummy accounts and listings. An example is the Sandvig v. Barr case recently decided in federal district court in D.C., which sided with the Ninth and other circuits’ narrow reading of the law," Pfefferkorn said.

“In addition, in the circuits that adopt the broader reading, the CFAA can currently be used as a cudgel by employers against departing employees who start their own competing businesses. That’s something we can ill afford if we want to get the economy back off the ground. And finally, as the petition for certiorari notes, the broad reading of the CFAA turns a vast swath of ordinary online activity into a crime. Sharing your Netflix password, lying about your age on a dating app: these shouldn’t be a federal crime. With so many Americans homebound and relying even more heavily than before on online services, it is important not to let the question of who is a criminal be decided by the gatekeepers of those websites and apps.”

The specter of CFAA prosecution has also had detrimental effects on legitimate security research over the years, and groups such as the Electronic Frontier Foundation have been pushing for changes to the law for a long time, reasoning that its broad scope deters researchers from undertaking projects. The EFF filed an amicus brief with the Supreme Court asking it to review the Van Buren case.

“It would be a really positive development for security research if the Court ruled that the CFAA does not make it illegal to violate a computer use agreement, as Mr. Van Buren was charged with doing,” Andrew Crocker, a senior staff attorney at the EFF, said.

“Security researchers frequently encounter website terms of service and other agreements that technically prohibit their valuable work. Too often, the CFAA is used as a cudgel to stop the public from learning of vulnerabilities, and even the threat of litigation or prosecution chills research from ever getting started.”