U.S. Supreme Court, landmark building in Washington DC showing decision on CFAA and impact on cybersecurity research

Supreme Court Decision on Van Buren Case Restricts Excesses of CFAA, Is a Boon for Cybersecurity Research

When it was first instituted in 1986, the Computer Fraud and Abuse Act (CFAA) was informed by fantasy scenarios from movies such as WarGames and Ferris Bueller’s Day Off as much as it was by expert opinion on emerging computer technology. Overly broad language has created opportunity for unscrupulous prosecutors to levy excessive charges into plea deals and excessive sentences for over three decades since.

Some of that potential for abuse has been reined in by a recent Supreme Court decision. The case of Van Buren v. U.S. has concluded with a decision resulting in a clarification of how crimes involving “authorized access” are defined, the prime point of abuse that made it possible to attach prison sentences of years and large fines to relatively innocuous actions. The court has essentially established a “digital gate” provision, requiring that some sort of access barrier be broken through in order for charges to be brought.

CFAA decision limits criminalization of terms of service violations, arbitrary system boundaries

The problems with the CFAA center on how it defines “exceeding authorized access,” or more importantly how it fails to clearly define that term.

A reasonable assumption by a layman would be that you can’t be charged with “hacking” unless you actually break into something, i.e. force or con your way through a login or credential system that you are not authorized to access. The vagueness in the CFAA’s definitions has been used to take charges far beyond that. In theory, it can be considered a criminal act (accompanied by steep incarceration time and fines) to violate the terms of service of a system that you have access to or to access a portion of that system that is open but that you have not been granted formal permission to explore. In practice, this has created serious legal complications in the field of security research. In the interest of security systems, cybersecurity professionals often need to do things that violate the letter of the CFAA.

The case that ultimately refined the terms of the CFAA did not have quite that level of moral clarity. A former Georgia police sergeant was caught using the state’s license plate database for law enforcement to provide information to unauthorized parties in exchange for money. The sergeant was eventually caught using his own credentials for this purpose in an FBI sting. He was sentenced to 18 months in prison, appealing the sentence by arguing that the “exceeding authorized access” clause should not apply in cases where the defendant is in fact authorized to access the information in question, with the crime instead being how it was used.

While the sergeant clearly did something wrong, if the court had upheld the CFAA charge it might have cleared a path for end user license agreements (EULA) and terms of service (TOS) to become enforceable by criminal law if violated. The Supreme Court’s reading instead establishes a “digital gate” requirement; a CFAA charge requires the defendant to have gone through some sort of barrier that they are not authorized to cross. Simply labeling certain files or folders as “off limits” to someone who otherwise has unfettered access to them no longer meets the standard of the law, at least if the defendant has not signed a legal agreement to not access them.

The decision also clarified that other forms of physical access to information does not translate to an entitlement to access the equivalent digital form, giving the example of hacking into a human resources system while having physical access to personnel files stored locally in a filing cabinet.

Implications on cybersecurity research

One specific element in the field of security research that is impacted by this decision is the practice of port scanning, an extremely common step in probing systems for vulnerabilities. If the computer is designated as being open to the public, that includes exploration of its ports as well.

Casey Ellis, CTO/chairman and founder of Bugcrowd, contributed to the amicus brief filed by the Center for Democracy and Technology, Bugcrowd, Scythe, Tenable, and others arguing that a broad interpretation of CFAA will deter good-faith security research (meaning discoverable security vulnerabilities remain undetected or unpatched until attackers find and exploit them): “With this ruling, the Supreme Court hasn’t updated or amended the law itself – but has effectively put a stop to any overly broad use of the Computer Fraud and Abuse Act (CFAA). The CFAA was originally passed by Congress in response to growing threats from malicious actors, but with the passage of time and progress of technology now serves to create a chilling effect for security researchers seeking to improve the overall safety of the Internet … For such an objectively odd case to produce a ruling which challenges the letter of the law itself in order to set a precedent that reflects an evolving technology environment (including, most importantly in this case, the impact the interaction that environment and the law have on the overall safety of the Internet) is hugely encouraging. Every time the CFAA is used in an overly broad way hackers acting in good-faith are disproportionately affected, so a SCOTUS ruling against this phenomenon is something I see as a fundamentally positive thing … The final Certiorari, as well as the earlier hearings, make it fairly clear that SCOTUS believes that the CFAA itself is antiquated in ways that make it impossible to apply to a case like Van Buren vs USA. Footnote 8 in particular stands out as SCOTUS’s attempt to encapsulate and allow for the law itself, whilst acknowledging the ambiguity which remains, in spite of the Van Buren ruling.”

Resolving conflicting interpretations of the CFAA

While opponents of the CFAA consider this an important victory, it does not address all of the issues with the law. For example, the Supreme Court decided not to opine on the legality of invoking an employee’s contractual agreement or formal agreement to company policy as a basis for a CFAA charge. The court did not draw a firm line establishing that the “digital gate” has to be an actual technological measure that restricts access only to authorized parties.

However, it did include language that specifies that this term applies to “confidential databases.” In other words, a social media platform could not criminalize a TOS violation that involves use of publicly posted information by invoking the user’s agreement to “policy” as part of their terms of access. Robert Cattanach, Partner at Dorsey & Whitney and previously a trial attorney for the United States Department of Justice and a special counsel to the Secretary of the Navy, added some expert insight to the implications of this decision and the possibility of future litigation it creates: “The consequences of the decision will be far-reaching, as an important tool for law enforcement will now be strictly limited to outside intruders. Conversely, however, the decision avoids the specter of vague line-drawing, and the threat of criminal prosecution, for when a user’s activities were ‘authorized.’ … The decision resolves a split among US Circuit Courts of Appeal, which had adopted conflicting interpretations of the law.”

Problems with the #CFAA center on how it defines 'exceeding authorized access,' or more importantly how it fails to clearly define that term … this ruling has clarified it. #cybersecurity #respectdataClick to Post

The court also clarified the terms under which civil cases can be brought under the CFAA. A plaintiff bringing such a case is required to show “loss and damages,” but this is another area where the wording was previously vague and broad. The Supreme Court ruled that “loss and damages” in this case means “technological harms,” citing the specific example of the corruption of files. The majority opinion stated that the CFAA’s intent is to dissuade and create a system of punishment for hacking, not to govern after-the-fact cases of misuse of information. The court cites other elements of the law as more appropriate tools for these cases: breach of contract, wire fraud, breach of fiduciary duty and theft of trade secrets charges among the examples given for victimized organizations to handle their pursuit of data thieves.