Supreme Court Narrows Interpretation Of CFAA, To The Relief Of Ethical Hackers

Individuals who have been granted official permission to access a computer, system or website have not illegally exceeded their authority under the terms of the federal Computer Fraud and Abuse Act (CFAA) if they obtain information from the system or site for unsanctioned reasons, according to a ruling today from the U.S. Supreme Court.

The interpretation of the law could serve to insulate ethical hackers, bug hunters and pen-testers from criminal or civil punishment if in the course of their authorized work they perform an action that’s considered out of contractual scope. On the other hand, some privacy advocates could be disappointed federal law enforcement will not be able to use the CFAA as a tool to deter the willful misuse of authorized data access.

The verdict corresponds to the case of Van Buren v. United States, which centered around the conviction of Nathan Van Buren, a police officer in Georgia who, in exchange for a bribe, used his access to a law enforcement database to look up license plate information for an acquaintance. Although Van Buren was authorized to access the database, he was charged with computer fraud under CFAA because his actions were outside the purview of his job.

Attorneys for the U.S. argued that language incorporated into the 1986 act suggests that persons are committing computer fraud when are accessing data they are normally entitled to, but are doing so outside of their agreed-to terms of usage. However, six of the nine justices rejected that argument, thereby overturning the previous ruling set by the U.S. Eleventh Circuit Court of Appeals.

Justice Amy Coney Barrett took what she referred to as a black-and-white “gates-up-or-gates-down,” approach: you’re either allowed to access systems and data, or you aren’t. The circumstances beyond that should not be taken into consideration, she explained.

“This provision covers those who obtain information from particular areas in the computer – such as files, folders, or databases – to which their computer access does not extend,” wrote Barrett in her majority decision. “It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”

This should be a relief to parties concerned that the CFAA’s vagueness gave federal prosecutors too much latitude to charge workers or ethical hackers with computer crimes for innocuous breaches of terms of usage.

“Given that the Court has indicated through the Van Buren decision that a narrower interpretation of the CFAA is appropriate, I do think in general it will be more difficult to prosecute violations of the statute unless there is clear evidence that the defendant was not authorized to access the relevant computer systems,” said Dawn Mertineit, a partner in the law firm Seyfarth Shaw.

“I’m not surprised. I think the fact that this statute has both civil and criminal penalties meant that the Court was going to take a narrow view of the ‘exceeds authorization’ language,” Mertineit continued. “For employers, the broader language was preferable because it gave more leeway to bring a claim in federal court for misuse of confidential information, but it’s not a shock that the majority was swayed by Van Buren’s argument that the government’s interpretation would criminalize conduct engaged in by millions of Americans.”

Indeed, Jeffrey Fisher, the attorney representing Van Buren, had argued before the Court last December that individuals could conceivably be prosecuted for using a corporate laptop for personal business or disregarding written or verbal instructions for how to interact with a particular website or computer system.

Barrett herself wrote in her decision that many websites, services and databases “authorize a user’s access only upon his agreement to follow specified terms of service.” But “if the ‘exceeds authorized access’ clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers,” which would “criminalize everything from embellishing an online dating profile to using a pseudonym on Facebook.”

U.S. attorneys argued that the government would not abuse the CFAA in such a manner, and that additional language in the status would curb its ability to prosecute such activity. But Barrett expressed skepticism, noting that the government “stops far short of endorsing such limitations.”

“If anything, the Government’s current CFAA charging policy shows why Van Buren’s concerns are far from hypothetical,” she said.

“We’re gratified that the Supreme Court today acknowledged that overbroad application of the CFAA risks turning nearly any user of the internet into a criminal based on arbitrary terms of service,” proclaimed digital rights group the Electronic Frontier Foundation, in an online statement. The EFF further asserted that the CFAA was passed with the intention “to outlaw computer break-ins that disrupted or destroyed computer functionality, not anything that the service provider simply didn’t want to have happen” – lest computer security researchers be put “at legal risk for engaging in socially beneficial security testing through standard security research practices, such as accessing publicly available data in a manner beneficial to the public, yet prohibited by the owner of the data.”

Casey Ellis, founder, chairman and CTO of Bugcrowd, also expressed satisfaction. “With this ruling, the Supreme Court has effectively put a stop to any further broadening of the scope of the Computer Fraud and Abuse Act,” he said. “I believe the decision to limit the scope of the CFAA will protect researchers significantly. If it were to have been expanded and suddenly they were to face the threat of legal action for retrieving publicly accessible data using methods that are beneficial to the public yet banned by the owner of the data we would have been headed down a very slippery slope.”

Less pleased, however, is the Electronic Privacy Information Center (EPIC), which had previous filed an amicus brief arguing that Van Buren’s actions constituted a significant invasion of privacy – exactly what the CFAA is meant to protect against. “The CFAA protects sensitive personal data and should be interpreted consistent with that purpose,” the brief stated at the time. “We need the CFAA, now more than ever, to be an extra check against abuse by the people entrusted to access sensitive data and systems.” SC Media reached out to EPIC for comments on the latest ruling, but did not hear back.

In a written dissent, Justice Clarence Thomas argued that it is common sense to incorporate circumstances when judging if a user exceeds unauthorized access. 

“The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have ‘exceed[ed] authorized access’ to the database when he used it under circumstances that were expressly forbidden? In my view, the answer is yes,” wrote Thomas. “The necessary precondition that permitted him to obtain that data was absent.” 

“Entitlements are necessarily circumstance dependent; a person is entitled to do something only when ‘proper grounds’ or facts are in place,” Thomas continued. Thomas was joined in his dissent by Justices John Roberts and Samuel Alito, while the majority was represented by Justices Stephen Breyer, Sonia Sotomayor, Elena Kagan, Neil Gorsuch and Brett Kavanaugh.