Van Buren Decision Narrows CFAA Interpretation

In its first ever decision on a Computer Fraud and Abuse Act case, the United States Supreme Court has clarified some of the vague language in the law and specified that websites and online service providers can’t use the law to limit how people use their services.

The ruling in Van Buren v. United States, delivered Thursday, narrows the interpretation of the CFAA, which is the main federal law used to prosecute computer crimes and has been the subject of much criticism by the technical legal community and security researchers. The ruling is the first time the CFAA has been addressed by the court, and it is considered a significant step in curbing some of the overly broad usage of the law that has plagued the security research community for many years.

“The Van Buren decision is especially good news for security researchers, whose work discovering security vulnerabilities is vital to the public interest but often requires accessing computers in ways that contravene terms of service. Under the Department of Justice’s reading of the law, the CFAA allowed criminal charges against individuals for any website terms of service violation. But a majority of the Supreme Court rejected the DOJ’s interpretation,” wrote Aaron Mackey and Kurt Opsahl, attorneys at the Electronic Frontier Foundation, which has pushed for CFAA reform.

“And although the high court did not narrow the CFAA as much as EFF would have liked, leaving open the question of whether the law requires circumvention of a technological access barrier, it provided good language that should help protect researchers, investigative journalists, and others.”

The case involved the actions of Nathan Van Buren, a former police officer in Georgia who allegedly ran a license plate check on his department’s computer in exchange for a payment, which was part of an FBI sting operation. Van Buren had the authority to access the database and run the check, although the purpose for which he was doing so was not authorized.

“Van Buren’s conduct plainly flouted his department’s policy, which authorized him to obtain database information only for law enforcement purposes,” the Supreme Court opinion says.

But when it came to the question of whether Van Buren had violated the CFAA, the court ruled that he had not.

“This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them,” the opinion says.

The CFAA has cast a long shadow over the security research community since its passage in 1986, and while the Van Buren ruling provides a narrower interpretation of the law, it does not completely reform it.

“When it comes to cybersecurity, there is good news and bad news. The good news is that security researchers would seem to have greater leeway to conduct research on computers or information to which they have authorized access, such as scraping data from publicly accessible websites even if the website TOS prohibits scraping or using the website information for security research. However, the ruling will also be perceived to exacerbate the ‘insider threat’ problem, such as employees misusing sensitive data which they are authorized to access,” said Harley Geiger, an attorney and senior policy director at Rapid7.