April 29, 2020
Many cybersecurity experts believe the current anti-hacking law, the 1986 Computer Fraud and Abuse Act (CFAA), is woefully out of date and applied too broadly by prosecutors and law enforcement. The Supreme Court is now taking another look at the law with a case in which a former Georgia police officer, Nathan Van Buren, was convicted in 2017 after allegedly selling information from a police database to an acquaintance for $6,000. Stanford University law professor Jeffrey L. Fisher is the lead attorney in the case.
The Washington Post reports that, “the fight centers on whether the law should apply just to hacking or more broadly to breaking rules on a computer … a distinction that didn’t matter much when the law was drafted in the mid-1980s.” But now, it adds, “people routinely spend hours each day visiting a slew of websites that all have their own terms of service that most people never read.”
“It’s making a crime out of ordinary breaches of computer restrictions and terms of service that people likely don’t even know about and if they did would have no reason to think would be a federal crime,” said Fisher.
In this case, the information Van Buren provided was “allegedly focused on helping the acquaintance figure out whether a local stripper was actually an undercover cop.” Advocates of changing CFAA noted that, “Van Buren didn’t actually hack into anything … he just broke the rules for a database that he was legitimately allowed to use.” Other “innocuous behavior” that is criminalized by CFAA includes “lying about your name or location while signing up on a website or otherwise violating the site’s terms of service.”
Among those impacted by the law are researchers who “routinely skirt websites’ strict terms of service when they investigate them for bugs that cybercriminals could exploit.” In addition to attracting the attention of law enforcement, such researchers can also be sued in civil courts by the involved companies.
“Computer researchers are constantly afraid that a security test they run is going to run them afoul of the law,” said attorney Tor Ekeland, who specializes in defending those accused of violating the CFAA. “This law makes the Internet less safe because it chills legitimate information security research and it’s bad for the economy because it chills innovation.”
Lead attorney Fisher already tried two related cases but believes that, now “the justices will also be ready in this case to roll back police powers that no longer make sense given modern technology.”
“This is important because the law either says very few people are criminals under CFAA or almost everyone is a criminal under CFAA,” said Georgia State University law professor Jeffrey L. Vagle, who focuses on cybersecurity law. Center for Democracy and Technology senior counsel Greg Nojeim agreed, noting that the statute has been “drafted so broadly that everyone is committing crimes all the time and the government gets to choose who to prosecute.”