Rapid7 joined a brief to the US Supreme Court on the chilling effect of the overbroad Computer Fraud and Abuse Act (CFAA) on independent security research. The “friend of the court” brief in the Van Buren v. US case, led by the Electronic Frontier Foundation, was also joined by the Center for Democracy & Technology, Bugcrowd, Scythe, Tenable, and 18 prominent technologists and researchers. The brief is available here.
Rapid7 signed on to the amicus brief to add our voice to the call for a narrower interpretation of the CFAA, as part of our long-held support for independent security research. The brief provides a strong overview of why independent research is beneficial to security and society, and how an overbroad interpretation of CFAA can chill security research.
The Supreme Court will hear the underlying case, Van Buren v. US, in the fall. The ruling may turn out to be the most significant development in the CFAA in a decade. The Court’s ruling will likely address, for the first time, how broadly to interpret the CFAA's prohibition on "exceeding authorized access" to computers. US court circuits are deeply split on this issue, with the 1st, 5th, 7th, and 11th Circuits interpreting the CFAA broadly, and the 2nd, 4th, and 9th Circuits interpreting the CFAA more narrowly. The question before the Court is whether a person who is authorized to access information on a computer for certain purposes violates the CFAA [specifically Sec. 1030(a)(2)] if they access the same information for an improper purpose.
The issue is not whether this type of behavior is morally wrong, but whether it should be a federal hacking crime. Rapid7 acknowledges that the Dept. of Justice has a legitimate interest in prosecuting insider threats and malicious hacking. However, a broad interpretation of the CFAA’s restrictions on “exceeding authorized access” has far-reaching legal implications for beneficial security research and even ordinary internet behavior.
Should it be a federal hacking crime to disobey your workplace computer use policy, or a website's terms of service, such as by lying about your identity on Facebook or through automated scanning of publicly available websites and assets? If written policies govern "authorization" for CFAA, then those policies effectively become the legal boundaries for how computers may be used, with disproportionate potential consequences, such as private lawsuits, fines, or imprisonment. This would be unsustainable for cybersecurity research, innovation, and individual liberty in the Connected Age.
The Supreme Court could rule a number of ways on this issue. No matter which direction the Court goes, we anticipate increased interest in legislation to amend the CFAA by parties that perceive a negative impact from the ruling. This is healthy. Rapid7 continues to believe the CFAA should be reformed holistically, not just on the narrow issues presented in this case, but also on such issues as penalties, private civil liability, and the concepts of intent and authorization. The CFAA was enacted in 1986 and was quite forward-looking at the time, but the vastly different technological landscape and penetration 34 years later merit a serious modernization effort.
Rapid7 looks forward to continuing our efforts to promote workable modifications to the CFAA that deter cybercrime while protecting security research and internet users from overbroad liability.
In the meantime, all eyes on SCOTUS.