Supreme Court Votes to Limit Computer Fraud and Abuse ActIn 6-3 Decision, Justices Side With Former Police Officer Convicted Under CFAA
In a decision that will have major implications for the cybersecurity industry, the U.S. Supreme Court ruled Thursday to limit the scope of the Computer Fraud and Abuse Act, which was originally created to target those who attacked IT networks and other computer-related crimes.
In the 6-3 decision, a mixed group of conservative and liberal justices sided with the arguments made by a former Georgia police officer who was convicted under the Computer Fraud and Abuse Act for taking money to look up license plate information in a law enforcement database.
In that case, Nathan Van Buren, a former police sergeant, was convicted in 2017 under the CFAA and sentenced to 18 months in prison. While other appeals court upheld Van Buren's federal conviction, the Supreme Court agreed to hear arguments about the case in 2020 and issued its ruling Thursday.
At the heart of the case was whether Van Buren could still access data from a government database even though he was conducting the search outside of his normal police duties and had taken money in exchange for looking up the data.
The U.S. Justice Department, which defended the Computer Fraud and Abuse Act, argued that Van Buren had exceeded his authority and did not have the right to access the database, making him essentially an insider threat. The former officer's attorneys, however, argued that he did have permission and a right to access the data even if it was for inappropriate reasons.
Writing for the 6-3 majority, Justice Amy Coney Barrett wrote that the law as written is overly broad and Van Buren could access the database because his job as a police officer allowed him to search the data the department collected.
"This provision covers those who obtain information from particular areas in the computer - such as files, folders or databases - to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them," Barrett wrote for the majority.
And while Barrett and five other justices ruled in favor of overturning Van Buren's conviction and limiting some aspects of the law, Justices Clarence Thomas, John Roberts and Samuel Alito sided with the Justice Department's arguments and keeping provisions of the Computer Fraud and Abuse Act in place.
Limiting the CFAA
Even before Van Buren v. United States made it to the Supreme Court's docket in 2020, security researchers, ethical hackers and civil liberty groups have argued that the 1986 Computer Fraud and Abuse Act was too broadly written by lawmakers and not designed to address the issues and challenges brought on by the internet era.
As part of the Supreme Court case, attorneys and organizations such as the Electronic Frontier Foundation argued that the CFAA is written in a way that puts everyday users of the internet as well as ethical hackers and researchers in legal danger for disclosing flaws in systems and software.
Security researchers and ethical hackers have argued that enforcement of certain parts of the CFAA by federal authorities has had a damaging effect on their ability to protect systems against vulnerabilities by limiting their ability to access software and apps to find flaws and bugs that could result in security problems and breaches. Under the old interpretation of the law, these researchers could be prosecuted for unauthorized access.
"The ruling itself was effectively a kibosh on the overbroad use of the CFAA, which is what I believe will be most impactful going forward," says Casey Ellis, CTO and founder of bug hunting firm Bugcrowd, which one of several IT and security companies that filed amicus or "friend of the court" briefs that supported the arguments made by Van Buren's attorneys. "The CFAA most often has a significant chilling effect on security research because of how it's often wielded in a civil context. This verdict amounts to a 'yeh, nah' on that practice."
In her ruling, Barrett notes that the CFAA is outdated at a time when almost everyone has access to a computer as part of their daily routine.
"Employers commonly state that computers and electronic devices can be used only for business purposes. So on the government's reading of the statute, an employee who sends a personal email or reads the news using her work computer has violated the CFAA," Barrett writes.
Tor Ekeland, a New York-based attorney who has defended high-profile hackers, noted on Twitter after the ruling was posted Thursday that the Supreme Court "gets it right in its first real attempt at interpreting the CFAA."
In its analysis, the Electronic Privacy Information Center, or EPIC, notes that while the Supreme Court decision does limit the current form of the CFAA in some cases, the justices still left other questions about the law open.
"The court endorsed a general 'gates-up-or-down approach' - meaning an individual either has authorization to access the computer or specific information within the computer or it does not - but explicitly left open the question of whether the prohibitions on access must be technical or whether they can be contract-based," according to EPIC's analysis. "The range of criminalized activities may, in some respects, still be much broader than even the government was advocating."
While researchers and ethical hackers have long sought to change some aspects of the CFAA, not everyone is convinced the law needs to be changed.
In his dissenting opinion, Justice Thomas notes that Van Buren's access of a police database outside of his duties as a police officer is illegal. "Using a police database to obtain information in circumstances where that use is expressly forbidden is a crime," the justice wrote.
Fred Cate, vice president for research at Indiana University and a cybersecurity expert specializing in information privacy and security law issues, believes that the Supreme Court majority, in this case, has hampered one of the few laws that the FBI and the federal prosecutors could use to prosecute computer crimes.
"The court in Van Buren vs. United States redefined 'exceeds authorization' to exclude someone - in this case a police officer - who is given credentials to access sensitive computerized data for one purpose from using those credentials to access the data for another, explicitly prohibited, illegal purpose," Cate says. "Along the way, the court significantly gutted one of the nation's few and most effective cybersecurity laws and cleared the way for insider cybercrime - a dominant form of cyber fraud today."
Cate notes that lawmakers need to step in now and address these cybersecurity issues.
"Congress needs to respond to this dangerous opinion by revising the law to make crystal clear that people who abuse their access to steal sensitive information violate the law," Cate notes.
Some companies also wanted the CFAA to stay the same. In a friend of the court brief, voting startup Voatz argued that most security research should be limited to those who have clear permission from organizations to probe systems and software for vulnerabilities and flaws (see: Online Voting Startup Wants to Limit Some Security Research).