Supreme Court finally makes the world a bit safer for ethical hackers

Nathan Van Buren, an ex-cop from Cumming, Georgia, probably doesn’t see himself as a crusader for the rights of computer security researchers, investigative journalists, and activists.

He’s just been trying to stay out of jail for the past three years.

But in managing to do so through a successful appeal to the U.S. Supreme Court, his case has become cause for widespread celebration by long-time critics of the Computer Fraud and Abuse Act (CFAA).

Van Buren is an inadvertent hero — there’s no dispute that he did something wrong. According to the U.S. Attorney’s office for the Northern District of Georgia, he searched a law enforcement database for a license plate number and then made it available to a man in exchange for $5,000. Unfortunately for Van Buren, that man was cooperating with law enforcement. A classic sting.

The search was obviously not done as part of Van Buren’s job, for law enforcement purposes. It was a violation of department policy.

But that wasn’t the dispute before the court. Van Buren was convicted of violating the CFAA for, as the U.S. Attorney put it, “unlawfully accessing a confidential law enforcement database.”

And Van Buren’s appeal argued that he hadn’t broken into anything since he had valid credentials to access the database. So even though he obtained the data for an improper purpose, he hadn’t violated the CFAA.

The high court agreed. “The parties agree that Van Buren accessed the law enforcement database system with authorization,” wrote Justice Amy Coney Barrett. “The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could. Van Buren accordingly did not ‘excee[d] authorized access’ to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.”

If we weren’t talking computers and digital files, it might be a bit like a contractor who is given keys to a house to come and go while doing renovations, and then uses that authorized access for illegal or improper purposes — perhaps storing contraband, hiding a fugitive friend or hosting a weekend party.

While there would be little dispute that the contractor misused his access and likely could be prosecuted, it would also be clear that he shouldn’t be charged with breaking into the house. The owner gave him the key.

The result for Van Buren is that while the ruling doesn’t eliminate possible sanctions by his former employer, it overturns a conviction for violating the CFAA that could have sent him to jail for 18 months.

Broad implications

But it also has far-reaching implications for those groups mentioned earlier — security researchers (also known as ethical hackers), journalists, and activists — and the public at large because it reins in criminal charges for violations of terms-of-service (TOS) agreements (hardly anybody has the time to read them, nor can most people understand them).

While a user could still face some liability for violating a TOS, it would not be a crime under the CFAA and would therefore more likely be a civil, rather than criminal, matter.

Joe Jarzombek, director for government and critical infrastructure programs at Synopsys Software Integrity Group, said that “if lower courts apply Van Buren’s holding to criminal and civil cases alike, the ‘improper purpose’ theory of CFAA liability will be totally eliminated.”

Or, as Orin Kerr, a professor at the University of California at Berkeley School of Law, put it in a post on Lawfare, “It settles that the CFAA is fundamentally a trespass statute. The basic wrong is bypassing a closed gate, going where you’re not supposed to go.”

“The CFAA does not make it a crime to break a promise online. It does not make it a crime to violate terms of service. The statute is all about gates: When a gate is closed to a user, the user can’t wrongfully bypass the gate,” he wrote.

Aaron Mackey and Kurt Opsahl of the Electronic Frontier Foundation made the same point — that the ruling amounts to “a gates-up-or-down approach: either you’re entitled to access the information or you are not. If you need to break through a digital gate to get in, entry is a crime, but if you are allowed through an open gateway, it’s not a crime to be inside.”

This, according to critics, is long overdue. The CFAA, sponsored by the late U.S. Rep. William J. Hughes (D-NJ) and signed into law 35 years ago, has long been the target of frustration and anger from a significant portion of the cyber security community.

Robert Hansen, CTO at Bit Discovery, declared six years ago that “the law currently is so poorly written that almost nothing we do online is legal. Without consulting a lawyer on everything you do, it’s entirely possible that you’re breaking the law by not doing something — complicit in a crime, willful negligence, accomplice after the fact, etc.”

Millions of digital criminals

Indeed, the Department of Justice argued before the court that any website TOS violation was a criminal violation of the CFAA.

Mackey and Opsahl wrote that such an interpretation of the law would mean “millions of otherwise law-abiding citizens are criminals.”

“Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the government’s reading of the statute, an employee who sends a personal email or reads the news using her work computer has violated the CFAA.”

Jody Westby, CEO of Global Cyber Risk, said fear of prosecution for such things is exaggerated. “I think that’s a bit of an overreach, sort of like charging someone for trespass for turning around in your driveway,” she said.

But she said the decision is “a reasonable interpretation and does eliminate overly zealous prosecutions.”

Harley Geiger, attorney and senior policy director at Rapid7, agrees, noting that the decision “goes out of its way to note the problems a broad reading of CFAA would pose for commonplace computer activity.”

It says, “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer use policy, then millions of otherwise law-abiding citizens are criminals.”

That dragnet, Geiger said, would snare “those who contravene an employee computer use policy by checking sports scores on their work computer. The court concludes that the CFAA does not turn such simple TOS or contract violations into hacking crimes if the user has authorized access to the computer but uses the computer in an unauthorized way.”

It’s not open season

None of this means it’s now open season for miscreants on the internet. The court’s decision has been described as “narrow” by most experts and has left some confusion about whether breaking the law requires circumvention of a technological access barrier. TOS provisions still apply and can be enforced through other means.

Even if the CFAA can no longer categorize activities like Van Buren’s as federal hacking crimes, “other laws may still apply,” Geiger said. “Breach of contract, privacy laws, theft of trade secrets, disclosure of classified information, other parts of the CFAA such as the prohibition against damaging computers without authorization, and state computer crime laws that are often more broad than the CFAA are all still in place.”

Westby agrees, noting that ethical hackers will still have to proceed with caution — and authorization. “(TOS) contracts need to specify the parameters of what ethical hackers are authorized to do,” she said.

“For example, they don’t have authorization to steal data or exfiltrate it and keep it. If a company felt they overreached, they need to have provisions in the contract to deal with that, but this ruling limits a company’s ability to pummel the ethical hacker with the CFAA if they didn’t like what he/she did once they authorized them to hack the system,” she said.

Or, as Jarzombek put it, “Unless an ethical hacker has an agreement with the organizational owner of the target asset — apps, networks, websites — to have ‘authorized access,’ then this decision does not apply. They could be charged with unauthorized access and any resulting damages.”

He added that while “improper use” may no longer be a CFAA violation, it could “still trigger liability under a host of other laws, including the federal Defend Trade Secrets Act.”

But the ruling does clarify and set some limits on how the CFAA can be used. Joseph Lorenzo Hall, senior vice president at Strong Internet, said the law “has long had this problem that the phrase ‘exceeds authorized access’ was not clear. This allowed the government and businesses to make wild claims about things they simply didn’t like or didn’t think about in the design of their systems.”

He said security researchers who “encounter a TOS that says, ‘by interacting with this machine on Tuesdays, you owe Rich Corp. US$1 million,’ can at least understand that they can’t be bound by particularly silly or outrageous terms.”

“While it’s not perfectly clear now — it’s still unclear whether or not one has to specifically exceed a technical measure — it’s at least clearer and that is something to celebrate,” he said.

Kerr agrees. “[The ruling] doesn’t answer everything. But it answers a lot. And it frames the debate over how the CFAA applies going forward on what I think is ultimately the right question,” he wrote.

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.