The US Supreme Court issued its long-awaited-by-cybersecurity-nerds opinion on Van Buren v. United States. The case examined whether it was a violation of the Computer Fraud and Abuse Act (CFAA) for a police officer to access a law enforcement database to obtain information, which the officer then used for a non-law enforcement purpose in violation of his department policy.
[Rapid7 joined an amicus brief in the Van Buren case, focusing on the problems a broad CFAA interpretation would create for beneficial cybersecurity research.]
The Supreme Court’s Van Buren opinion establishes a narrower interpretation of the CFAA. According to the Court, it is not a CFAA violation to obtain or use information on a computer for impermissible purposes, so long as you are authorized to access the information in the first place. [Pg. 20] The implication is that CFAA violations do not encompass breach of TOS or contract terms which grant access but limit that access or use based on purpose, intent, or manner of access. [Pgs. 14-15] However, the Court seems to uphold (or at least sidestep) the validity of contract/policy-based limits on access, as well as technological/code-based access limitations, for establishing authorization under CFAA. [FN 8, pg. 13]
The Court goes out of its way to note the problems a broad reading of CFAA would pose for commonplace computer activity. Per the Court: ‘If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals,’ such as those that contravene an employee computer use policy by checking sports scores on their work computer. [Pgs. 17-20] The Court concludes that the CFAA does not turn such simple TOS or contract violations into hacking crimes if the user has authorized access to the computer but uses the computer in an unauthorized way.
When it comes to cybersecurity, there is good news and bad news. The good news is that security researchers would seem to have greater leeway to conduct research on computers or information to which they have authorized access, such as scraping data from publicly accessible websites even if the website TOS prohibits scraping or using the website information for security research.
However, the ruling will also be perceived to exacerbate the “insider threat” problem, such as employees misusing sensitive data which they are authorized to access, since this misuse is no longer covered under CFAA by contract-based use restrictions alone. [Pgs. 16-17]
The ruling may well prompt renewed discussion about legislation to modify the CFAA to address this perceived insider threat issue. However, we believe any such effort must tread carefully to avoid over-criminalizing commonplace internet behavior, and the effort should also address other vague or problematic areas of the CFAA.
Finally, it is important to remember that even if the CFAA no longer categorizes these activities as federal hacking crimes, other laws may still apply. For example, breach of contract, privacy laws, theft of trade secrets, disclosure of classified information, other parts of the CFAA (such as the prohibition against damaging computers without authorization), and state computer crime laws (which are often more broad than the CFAA) are all still in place.