‘Authorized access’ debate may impact security researchers and pen testers who probe US-based technologies
ANALYSIS An FBI sting that led to the arrest of a US police officer could have significant ramifications for how the country’s security researchers go about their work.
Nathan Van Buren was convicted in 2017 of two federal charges after he agreed to run a license plate search, allegedly in return for money, on the Georgia Crime Information Center database.
After a local man alerted the FBI that the police officer had asked him for money, the FBI set up a sting in which the informant offered cash for a database search that would reveal whether a fictional local stripper was in fact an undercover cop.
Following an appeal by Van Buren, the Supreme Court agreed on April 20 to resolve a split among the lower courts over how a law defining unauthorized access to, and use of, computers and their resources should be interpreted.
What is the CFAA?
The Computer Fraud and Abuse Act (CFAA) is a US law that prohibits anyone from accessing a computer without authorization, or in excess of authorization.
The legislation can be used for criminal actions by the government to convict fraudsters, cybercriminals, and white-collar crooks, and for civil actions by businesses seeking to protect their intellectual property.
Passed in 1986, the act expanded the scope of a 1984 statute beyond classifying “intentionally using a computer without authorization” as a crime to also encompass exceeding “the scope of [that] authorization”.
However, the CFAA is ambiguous on the meaning of the terms “without authorization” and “exceeds authorized access”.
“Right now, the courts in the United States are split” on what constitutes a CFAA violation, Gabriel Ramsey, partner at the San Francisco office of law firm Crowell & Moring, told The Daily Swig – a split the Van Buren case could settle for a generation.
Some circuit courts “require much more technical programmatic hacking”, while others “say it’s enough to violate the terms of service or an agreement,” said Ramsey.
The Eleventh Circuit’s 2010 ruling in the case of Roberto Rodriguez, for instance, took the broader view.
The court held that the former Social Security Administration (SSA) employee, who among other things had sent flowers to a woman’s home address after looking it up in an SSA database, had “exceeded his authorized access” because SSA policy permitted database queries only for business reasons.
By contrast, the Ninth Circuit took a narrower interpretation in 2012. David Nosal was judged not to have “exceeded authorized access” under the CFAA by inducing employees at his former employer to give him sensitive company data, in breach of the firm’s use policy, for use in his own competing executive search business.
Implications for security researchers
Whether the Supreme Court agrees with the Eleventh Circuit’s rejection of Van Buren’s defense – that he was “innocent of computer fraud because he accessed only databases that he was authorized” to access – has potential implications for security researchers, said Ramsey.
“The core question the Supreme Court is going to resolve” is whether the act “requires some technical step” – or “hacking as we know it” – in order “to violate the statute”, or whether a violation of some form of data use policy, employment agreement restricting data use, or similar agreement such as terms of service is enough.
That the CFAA requires malevolent intention “is useful […] for researchers and penetration testing broadly,” says Ramsey.
Nevertheless, if the Supreme Court favors a “broader interpretation”, then it “could be risky” for a pen tester to flout any “terms and conditions” constraining their activities.
In that scenario, Ramsey said that penetration testers and researchers will want “as much clarity about their relationship with [clients] as they can”.
The legal environment for “good-intentioned researchers” operating outside such formal frameworks will likely be more hostile.
Ramsey, who recently co-authored an analysis of ‘The Supreme Court’s first foray into analyzing the precise contours of CFAA liability’, couldn’t recall a notable case where security researchers had fallen foul of the CFAA.
However, the indictment of a student who “accessed academic resources in a pretty aggressive way” about a decade ago “makes one wonder if the threat of criminal [sanctions] should be applied in as broad a way as it can be.”
The benign outcome for security research
A narrower interpretation by the Supreme Court in the Van Buren case would clearly make ethical hacking less perilous.
However, it wouldn’t necessarily mean that black hats, fraudsters, and disgruntled employees could readily escape legal repercussions.
“If I’m a prosecutor or civil enforcer of the CFAA, if the narrower view prevails, I’m not left without tools,” Ramsey explained. “A prosecutor can still pursue criminal theories regarding theft of data” and “a private party can still bring a breach of contract claim or assert common law theories regarding data theft.”
Such alternatives do “all the heavy lifting” a prosecutor or civil plaintiff would need, says Ramsey.
So hypothetically, why would you need a very broad CFAA? How effective is the law currently in convicting cybercriminals?
“I use it a lot in civil lawsuits against aggressive actors, and it is useful because it does fit the context of very technical hacking [that can be] characterized as crime,” said Ramsey.
However, the ambiguity makes for some “uncomfortable” situations.
hiQ versus LinkedIn
In another case with implications for CFAA interpretations, LinkedIn is hoping to see the automated harvesting of personal data from public-facing websites defined as intentionally accessing “a computer without authorization”.
The dispute dates from 2017, when hiQ, an analytics firm whose ‘talent management algorithm’ drew on information scraped from public LinkedIn profiles and sold to clients, went to court after LinkedIn demanded that it stop scraping.
Should the Supreme Court join the Northern District of California and the Court of Appeals in siding with hiQ, websites whose data has been scraped will still have other legal avenues to pursue.
These include “breach of contract, copyright infringement, common law misappropriation, unfair competition, trespass and conversion, DMCA anti-circumvention provisions, violation of FTC Section 5, and violation of state UDAP laws,” according to Jenny L Colgate, an intellectual property litigator at Rothwell Figg.
Is the CFAA fit for purpose?
Whichever way the Supreme Court leans in the Van Buren and hiQ cases, Ramsey is clear that a law devised several years before the World Wide Web was born is not entirely fit for purpose in 2020.
“Legislators need to work from the ground up with an overhaul of this statute,” he explains.
“The basic architecture” of computers and computing networks “is the same”, he adds, “but the way people use” computers, networks, and data, and “the spectrum of accessibility, is way less binary than it was in the 1980s. It’s this massive spectrum that the law didn’t account for.”