At first glance, “Van Buren v. United States” might sound like some musty decision from the 19th century. In fact, the case could hardly be more relevant to the IT security industry. It is under review by the Supreme Court and will determine how the nearly 35-year-old Computer Fraud and Abuse Act (CFAA) is interpreted. Under the broadest possible reading, employees and contractors would be at the mercy of the terms of service of the systems and software they use, facing criminal charges for “exceeding authorized access.”
A brief history of the CFAA
Enacted in 1986, the CFAA made accessing a computer without authorization a federal crime. It also created a second offense for access that “exceeds authorized access,” a phrase whose scope has been debated, reviewed by courts, and extended several times since. The original statute was aimed mainly at federal government computers, but later revisions broadened the definition of a “protected computer” to any computer “used in or affecting interstate or foreign commerce or communication,” which in practice reaches nearly every computer and mobile device.
Van Buren v. United States involves former Georgia police officer Nathan Van Buren, who was accused of accepting money to look up a license plate in a state police database on behalf of a private individual. He was convicted under the CFAA on the theory that he had exceeded his authorized access to the database, since he was permitted to use it only for law-enforcement purposes, and the Eleventh Circuit upheld the conviction on appeal.
The Electronic Frontier Foundation (EFF), which filed an amicus brief supporting Van Buren’s petition to the Supreme Court, argues that the conviction rests on a “dangerously overbroad” interpretation of the law. The EFF’s position is that upholding the decision would set a precedent allowing private companies to turn violations of their terms of service into serious federal criminal charges under the CFAA.
The Supreme Court heard oral argument on November 30, 2020. The Electronic Privacy Information Center (EPIC) reports that a majority of the justices appeared to agree that Van Buren’s conduct should be treated as criminal, but that several also expressed interest in limiting the statute to its data-protection role, that is, to cases involving access to sensitive personal information.
The case highlights a long-running tension between two legitimate interests. As Van Buren’s own conduct shows, there is a clear need for a law that deters officials from abusing their far-reaching access to personal information. At the same time, the statute’s wording should not let public or private entities criminalize mere violations of a terms of service, particularly where the user never had that level of access to private information in the first place. Proponents of a narrower CFAA generally argue that criminal liability should require, at a minimum, that the system accessed was gated by credentials or another authentication check, and that the access yielded genuinely sensitive information such as personal data or trade secrets.
Legal scholars and observers point to the CFAA’s original purpose as an anti-hacking and data protection law, aimed specifically at preventing intruders from accessing sensitive financial and government information. Chloé Messdaghi, VP of Strategy at Point3 Security, explains how far the law is in danger of straying from that purpose: “In general, this is a case that every single security research person needs to be aware of. Van Buren was convicted of violating the CFAA, and this type of interpretation of the CFAA is a huge issue. It would become a federal crime when someone violates a website’s Terms of Service, which would put pretty much everyone at risk for everyday online behavior, allowing private companies to decide who goes to prison for those violations … The law is very vague, and it has been used with a broad interpretation. For instance, when hackers are trying to disclose vulnerabilities to organizations, they can get slapped with a lawsuit tied to the CFAA, when in reality, hackers don’t exploit any vulnerability or information, they just inform the company of it in the hope of helping make everything more secure, versus attackers who would exploit the vulnerability that they found. It’s really all about the interpretation of the law. It needs to be addressed.”
Van Buren’s legal argument seeks to pin down the scope and intent of the CFAA. His lawyers contend that “exceeding authorized access” should not reach the misuse of information a person is otherwise entitled to access, and that the phrase should be limited to genuine hacking cases in which the accused had no right to obtain the information at all. The petitioner raises the example of workplace “time theft,” the use of employer computers for personal purposes such as filling out a sports tournament bracket: under the government’s reading, conduct that today is handled, if at all, by an HR department would carry the force of federal criminal law.
Dawn Mertineit, Attorney at law firm Seyfarth, provided some added expert analysis: “Even though this case will have implications on civil misappropriation cases, that likely won’t be the primary focus of SCOTUS’s review. The petitioner is expected to argue that statutes like the Defend Trade Secrets Act already govern misappropriation schemes (although the DTSA wasn’t enacted until more than three decades after the CFAA was passed), and that the Court should focus on the CFAA’s implications on criminal defendants. The petitioner will argue that if the Court agrees with the government’s broad interpretation of the statute’s language, it would criminalize daily activities of millions of Americans. Unsurprisingly, the government is arguing that those concerns are overblown, but I wouldn’t be surprised if at least some of the Justices appear hesitant to trust the government’s word that it won’t prosecute minor infractions … I also expect that the Court will focus on Congress’s 1986 amendments to the statute. The parties disagree as to the effect of those amendments, with the petitioner claiming that Congress excised language that would support the government’s interpretation of ‘exceeds authorized access,’ and as a result the Court should not effectively add that same language back into the statute by finding in favor of the government’s interpretation. The government’s response, frankly, appears to be a muddled and somewhat tortured explanation of what the word ‘so’ means in the statute, so it will likely have an uphill battle convincing the Court that the amendments support the broad interpretation of ‘exceeds authorized access.’ ”
The oral argument also addressed the extreme edge cases of overreach that a broad reading would invite, with the observation that only one prosecution so far has really fit that profile. In United States v. Drew, prosecutors brought CFAA charges against Lori Drew, an adult who, together with others, set up a fake Myspace profile of a teenage boy to deceive a 13-year-old girl who became interested in the fictitious boy. The girl was eventually told that the “boy” wanted nothing more to do with her and committed suicide. Because Myspace’s terms of service prohibited fake profiles, the government’s theory was that breaching those terms made Drew’s access unauthorized. A jury convicted her of misdemeanor CFAA violations, but in 2009 the trial judge set the verdict aside, holding that treating a terms-of-service breach as a CFAA violation would render the statute unconstitutionally vague.
Though there are almost no concrete prosecutions of this kind to date, the interest several justices showed in these “parade of horribles” scenarios points to real concern about the CFAA’s ambiguity. Observers may nonetheless have to wait until early 2021 for a final ruling. Any substantial change to the wording or scope of the CFAA itself would be a matter for Congress, and with the new Congress not seated until January, the issue is unlikely to be taken up before February 2021 at the earliest.