30 November 2020 at 16:53 UTC
Updated: 30 November 2020 at 17:46 UTC
Ruling over interpretation of ageing law could have a chilling or liberating effect on security research
The US Supreme Court has begun hearing arguments regarding a case that could have seismic ramifications for the future of security research.
From today (November 30), the country’s highest court is considering an appeal launched by police officer Nathan Van Buren over his 2017 conviction on charges including violation of the Computer Fraud and Abuse Act (CFAA).
Passed in 1986 in an era far removed from today’s hyper-connected world, the federal act is used by law enforcement to convict cybercriminals, fraudsters, and white-collar crooks, and in civil actions by businesses seeking remedies for the theft of trade secrets.
Van Buren, a former Georgia state police officer, was arrested after being induced by undercover FBI agents into running a license plate search on a law enforcement database, allegedly in return for money.
A matter of interpretation
Following his appeal, the Supreme Court will rule on a split in how US appeal courts interpret the CFAA’s prohibition on the use of computers without authorization, or in excess of authorization.
Speaking to The Daily Swig in May, Gabriel Ramsey, partner at the San Francisco office of law firm Crowell & Moring, said that some circuit courts “require much more technical programmatic hacking”, while others “say it’s enough to violate the terms of service or an agreement”.
The latter interpretation encouraged LinkedIn to bring a web scraping case against talent management algorithm hiQ, also currently pending a Supreme Court ruling, while Facebook recently accused the Friendly Social Browser of violating its terms of service, the CFAA, and its Californian counterpart law, drawing criticism from the Electronic Frontier Foundation (EFF).
The EFF has also warned the Supreme Court that affirming the 11th Circuit’s Van Buren ruling could deter invaluable aspects of security research that often violate terms of service, such as port and network scanning.
Along with the Center for Democracy and Technology, Bugcrowd, Scythe, and Tenable, the non-profit has filed an amicus brief (PDF) with the Supreme Court arguing that “a broad interpretation of CFAA discourages [researchers] at every step: from conducting security research in the first place, to disclosing security flaws that they discover, to going public with security flaws when companies refuse to patch them.
“The results of this perverse system of incentives is that discoverable security vulnerabilities remain undetected or unpatched, effectively waiting for attackers to find and exploit them.”
A broader interpretation would be a serious setback for an industry that has made significant progress in dispelling the myth that ‘hacking’ is inherently malicious, formalizing the security vulnerability disclosure process, and offering financial rewards – bug bounties – for the discovery of security flaws.
One consequence could be that encouraging adoption of safe harbor principles, under which organizations pledge not to pursue legal action against good-faith security researchers, becomes a more urgent priority.
Whatever the outcome, for many industry insiders the reinterpretation of decades-old legislation is beside the point.
“It was written close to 40 years ago, long before the internet existed as it exists today,” Dan Tentler, founder of computer security outfit Phobos Group, told The Daily Swig in June, adding that “lawmakers, businesspeople, [and] huge corporations” abuse its ambiguity.
The CFAA must be “scrapped” and lawmakers must “start from scratch” in consultation with the business and security communities, Tentler added.
The Daily Swig has approached several cybersecurity experts for comment and we will update the article if we receive a response.