In 1986, personal computer technology was still in its relative infancy. Yet in that same year, the first PC virus appeared in the wild. In response to the growing threat of hackers, lawmakers passed the Computer Fraud and Abuse Act (CFAA), establishing any act of unauthorized access (or one that exceeds authorized access) to a computer as illegal.
Over the years, security researchers, pen testers, and others in the IT field have expressed concern about the vagueness of the law. Without defining what “without authorization” means, those in cybersecurity have questioned the ability of US courts to accurately interpret its meaning — without unduly punishing security professionals for doing their jobs.
So when the Supreme Court heard arguments in the computer crimes case Van Buren vs. the United States on Monday, November 30, the IT and security communities took notice. Their ruling in this case could significantly broaden or narrow the scope of the law.
With the Department of Justice bringing charges against one of their own for using a database he already had access to (but for a different purpose), several justices expressed alarm that a ruling in their favor “risked making a federal criminal of us all.”
The 1986 Computer Fraud and Abuse Act (CFAA) states that whoever has “knowingly accessed a computer without authorization or exceeding authorized access” is subject to a fine and imprisonment relative to the type of information obtained or damage caused to the personal computer. Seems pretty straight-forward on the surface. But as you dig deeper into the law’s provisions, the broad range of prohibited actions and protected data described can spin the head of the most seasoned security professional. For example, here are some of the types of data that are illegal to obtain according to the law:
- Data that requires protection from disclosure for national security purposes
- Information contained in a financial record of a financial institution
- Information from any department or agency of the United States
- Information from any protected computer
Besides the aforementioned “unauthorized access” statute, the CFAA also bans the following actions:
- Knowingly causing the transmission of a program, information, code, or command, and as a result, causing damage to a protected computer
- Knowingly and with intent to defraud traffic using a password or similar information to access a computer, which affects commerce or is used by or for the US government
- With intent to extort, transmitting any communication containing any threat to cause damage to a protected computer
Amendments to the law over the years have resulted in this hodge-podge of changing provisions, and the punishments for violating any one of them range from a slap-on-the-wrist fine to up to 20 years in prison. For a pen tester who needs to knowingly access unauthorized systems as part of her job, the danger of a judge misinterpreting any one of these provisions likely keeps her up at night.
The ruling in the Van Buren case, then, could set the stage for either clarifying an obscure law or for making a mess for bug testers, ethical hackers, or even folks sharing their Netflix password. (Under the current interpretation of the law, sharing a password to an account is technically illegal, though no prosecutor has ever charged someone for this “crime.”)
Looking closely at the spirit of the law, its original intent was to prevent cybercriminals from hacking into personal or business computers and stealing data or causing damage. However, without a firm definition of the meaning of “authorized access,” including addendums for potential exceptions to the rule, the Supreme Court could possibly make hackers of us all. After all, anytime you access a website, a server, the cloud, a streaming service — you are accessing someone else’s computer.
Let’s hope the Supreme Court gives this law the 21st century update it requires by adding sharper focus that serves a punishment fit for the crime, while letting the good guys keep fighting the good fight.
For more information on the CFAA, here’s an article from the National Association of Criminal Defense Lawyers: https://www.nacdl.org/Landing/ComputerFraudandAbuseAct
And for a closer legal analysis of the Supreme Court case: https://www.politico.com/news/2020/11/30/supreme-court-computer-crime-law-441441