Computer Fraud and Abuse Act: Is it Bad for Cybersecurity?
Certain tech companies, lawyers and nonprofit advocacy groups are urging the U.S. Supreme Court to reverse a lower court's ruling that broadly construed the Computer Fraud and Abuse Act ("CFAA"). The tech companies contend that the broad interpretation criminalizes activity that is meant to strengthen cybersecurity.
In April, the U.S. Supreme Court agreed to review former Georgia police officer Nathan Van Buren's conviction under the CFAA for selling license plate information obtained from a police database. The Eleventh Circuit upheld his conviction.
The Eleventh Circuit acknowledged the federal circuit split over the proper scope of the CFAA. The First, Fifth, Seventh and Eleventh Circuits have each adopted a broad interpretation of the statute, under which an individual authorized to access a computer violates the CFAA by using information gained for an improper purpose.
In contrast, the Second, Fourth and Ninth Circuits do not consider mere misuse of information that an individual is authorized to access a violation of the statute. In adopting this narrower interpretation, the Ninth Circuit relied on the history of the CFAA as an “anti-hacking statute” while also noting the vast expansion of federal criminal law that would accompany a broader interpretation and the parade of horribles that could follow. Specifically, the court noted that “the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although, employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes.” United States v. Nosal, 676 F.3d 854, 860 (9th Cir. 2012).
CFAA and Cybersecurity
On appeal, Van Buren's primary argument to overturn the conviction was that it sets a dangerous precedent that allows prosecutors to threaten prison time for innocuous online activities that may technically violate employers' policies, websites' terms of service and other third-party restrictions.
A group of non-litigants filed an amicus curiae brief to the Supreme Court in support of Van Buren's interpretation.
Footnote: An amicus curiae brief is a fancy word for a persuasive legal document filed by a non-litigant, usually while the case is on appeal, who has an interest in the outcome.
The non-litigants included tech companies such as Mozilla Corp., Shopify Inc. and Atlassian. The tech companies contended that reading the CFAA's prohibition on accessing computers without authorization, or in excess of one's authorization, to encompass behavior like Van Buren's improper search threatened to endanger work being done by security researchers to keep networks safe from cyber threats.
The amicus brief is littered with persuasive arguments related to the nation's cybersecurity. The brief echoed my thoughts that as every segment of our society becomes increasingly connected, all companies are becoming technology companies.
Car manufacturers are now in the business of creating computers on wheels. Grocery stores collect troves of shopper data. Even household appliances are becoming voice-activated by default. With this shift comes a fast-growing need for robust consumer privacy, system integrity, and cybersecurity—especially at a time when data breaches have increasingly serious consequences. In the last few years alone, critical online systems—from credit agencies to hospital systems to social networks—have been exploited to devastating effect. As a result, today’s businesses must devote significant attention and resources toward building and maintaining system security and consumer privacy.
The tech companies recognized that computer intrusion attempts are inevitable (a scary thought). Effective computer security thus entails creating systems that are resilient to computer hackers. That requires letting people, including members of the robust community of independent security researchers, probe and test our computer networks.
The tech companies urged our highest Court to find that the CFAA should not be interpreted to undermine cybersecurity. An overbroad reading of the CFAA will drive—indeed, has driven—security researchers underground, discouraging them from testing and reporting vulnerabilities in computer systems.
Old Law New World
A law that has unintended consequences in the connected digital world? The CFAA was enacted in 1986 before our society relied on the internet and before cyber threats impacted our economy and national security. I'm not sure if our highest Court should render an "interpretation" or if Congress should update the law itself. Whatever the outcome, there is a real concern that the CFAA might deter cybersecurity research.
The case is cited as Nathan Van Buren v. United States of America, Supreme Court of the United States, No. 19-783.
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP