Ruling over interpretation of aging law could have a chilling or liberating effect on security research
UPDATED The US Supreme Court has begun hearing arguments regarding a case that could have seismic ramifications for the future of security research.
From today (November 30), the country’s highest court is considering an appeal launched by police officer Nathan Van Buren over his 2017 conviction on charges including violation of the Computer Fraud and Abuse Act (CFAA).
Passed in 1986 in an era far removed from today’s hyper-connected world, the federal act is used by law enforcement to convict cybercriminals, fraudsters, and white-collar crooks, and in civil actions by businesses seeking remedies for the theft of trade secrets.
Van Buren, a former Georgia state police officer, was arrested after being induced by undercover FBI agents into running a license plate search, allegedly in return for money, on a law enforcement database.
A matter of interpretation
Following his appeal, the Supreme Court will rule on a split in how US appeal courts interpret the CFAA’s prohibition on the use of computers without authorization, or in excess of authorization.
Speaking to The Daily Swig in May, Gabriel Ramsey, partner at the San Francisco office of law firm Crowell & Moring, said that some circuit courts “require much more technical programmatic hacking”, while others “say it’s enough to violate the terms of service or an agreement”.
The latter interpretation encouraged LinkedIn to bring a web scraping case against talent management algorithm hiQ, also currently pending a Supreme Court ruling, while Facebook recently accused the Friendly Social Browser of violating its terms of service, the CFAA, and its Californian counterpart law, drawing criticism from the Electronic Frontier Foundation (EFF).
The EFF has also warned the Supreme Court that affirming the 11th Circuit’s Van Buren ruling could deter invaluable aspects of security research that often violate terms of service, such as port and network scanning.
Along with the Center for Democracy and Technology, Bugcrowd, Scythe, and Tenable, the non-profit has filed an amicus brief (PDF) with the Supreme Court arguing that a broad interpretation of CFAA will deter good-faith security research, meaning “discoverable security vulnerabilities remain undetected or unpatched, effectively waiting for attackers to find and exploit them.”
Casey Ellis, founder and CTO of bug bounty platform Bugcrowd, told The Daily Swig that while the Van Buren case only “lightly addressed” the impact on cybersecurity research, the amicus briefing and subsequent letter “were covered in the arguments.”
“The CFAA currently creates a chilling effect which slows improvement of internet security through fear of prosecution amongst those engaged in good-faith security research whilst the adversary, who is most likely ignoring the law in the first place, carries on unimpeded,” he added.
“Any time the CFAA is broadened, the scope of this chilling effect expands as well, [and] good-faith hackers are disproportionately affected.”
A broader interpretation would be a serious setback for an industry that has made significant progress in dispelling the myth that ‘hacking’ is inherently malicious, formalizing the security vulnerability disclosure process, and offering financial rewards – bug bounties – for the discovery of security flaws.
One consequence could be that encouraging adoption of safe harbor principles, under which organizations pledge not to pursue legal action against good-faith security researchers, becomes a more urgent priority.
‘Start from scratch’
Whatever the outcome, for many industry insiders the reinterpretation of decades-old legislation is beside the point.
Some 34 years after the CFAA was drafted, following President Reagan’s viewing of the iconic hacker film WarGames, “not only does the internet look completely different, but Covid-19 has collectively forced the internet into the great zero trust experiment,” said Ellis. “The nature of the systems these laws are meant to govern is incredibly dynamic in nature, and the law itself is struggling to interpret these changes, let alone catch up and be able to reflect them.”
Dan Tentler, founder of computer security outfit Phobos Group, told The Daily Swig in June that “lawmakers, businesspeople, [and] huge corporations” abuse the CFAA’s ambiguity.
The law must be “scrapped” and lawmakers must “start from scratch” in consultation with the business and security communities, he added.
This article was updated on December 2 with comment from Casey Ellis of Bugcrowd.