15 Dec 2020

US Supreme Court debates major hacking law

The ongoing case of Van Buren v. United States is set to have huge consequences for cybersecurity and computer crime enforcement

By Roman Edwards

The outcome of the case could affect how law enforcement uses the CFAA and whether employers can use it to defend against the unauthorised actions of their employees

Is a police officer who’s authorised to access information on a computer for certain purposes liable under the Computer Fraud and Abuse Act (CFAA) if he accesses the same information for an improper purpose? That is the question the US Supreme Court set out to answer on November 30 in Van Buren v. United States, which hinges on how “exceeds authorised access” should be defined.

The case follows the Supreme Court’s decision to review the CFAA for the first time since it was enacted in 1986, as a result of a federal Circuit split over whether it can only be applied to unauthorised users of electronic systems, or also to those who are authorised but use the information on those systems in improper ways.

Some 23 amicus curiae briefs have been filed by a wide range of bodies, including the National Association of Criminal Defense Lawyers, the National Whistleblower Centre and the Electronic Frontier Foundation.

The briefs represent a contention between those who support reform to the CFAA for research, accountability and antitrust purposes and those who are against reform on grounds that “faithless insiders” could abuse their access to information stored by their employer.

Drawn up in 1984, the CFAA was allegedly inspired by the 1983 film WarGames, in which a young hacker accidentally accesses a US military supercomputer with nuclear missile capabilities and almost triggers World War III.

“The motion picture WarGames showed a realistic representation of the automatic dialing and access capabilities of the personal computer,” reads the House Committee Report to the original bill.

In 2015, Nathan Van Buren was charged with honest services fraud and violating the CFAA. A Georgia police officer at the time, he accepted $5,000 from an acquaintance in a sting operation and, in return, used a police computer to perform a licence plate search.

After a rejection from the Court of Appeals for the Eleventh Circuit, Van Buren successfully petitioned the Supreme Court for a writ of certiorari. The question presented on the petition is “whether a person who is authorised to access information on a computer for certain purposes violates Section 1030(a)(2) of the CFAA if he accesses the same information for an improper purpose.”

Jeffrey L. Fisher, professor of law at Stanford University and a Supreme Court litigator, argued in defence of Van Buren. He based his argument on the rule of lenity, positing that the statute was inherently vague and that the government’s interpretation of the law’s wording “transform[s] the CFAA into a sweeping Internet police mandate.”

“It is no overstatement to say that this construction would brand most Americans criminals on a daily basis,” he added, and gave examples such as a secretary who violates the terms of their employee handbook by using a company computer to access a family Zoom meeting for Thanksgiving.

Representing the US, Eric Feigin dismissed the examples as a “parade of horribles” arising from a “wild caricature” of the government’s position. He pushed back against Fisher’s rule of lenity argument by claiming that ‘anti-surplusage’ practice by Congress had ensured more precise definitions in the law than those extracted by Fisher.

The positions of the Justices of the Court were mixed. Polar views were held by Justices Sotomayor and Gorsuch, with the former branding the law “dangerously vague” and the latter saying: “I’m just kind of curious why we’re back here again on a rather small state crime that is prosecutable under state law, and perhaps under other federal laws.”

Speaking to The Robotics Law Journal, Jeffrey Fisher said: “The way for [Van Buren] to win the case, is for us to explain to the court that opening the door to liability, in a case like this, irrevocably opens the door to all kinds of other potential liability that is extremely problematic, if not unconstitutional.”

A defendant is liable under the CFAA, either criminally or in civil court, if they cause at least $5,000 in aggregate damages, harm medical equipment, threaten public safety or health, injure someone or target many computers. The act has been amended seven times and has been expanded beyond federal computers to cover all computers.

The development of technology still leaves much of the CFAA open to interpretation. The Second, Fourth and Ninth US Circuit Courts of Appeals read the statute as criminalising only unauthorised access to company-owned computers by employees, regardless of the purpose of the use. The First, Fifth, Seventh and Eleventh Circuits have interpreted “exceeds authorised access” more broadly to include misuse of data, even where the offender gained access to the information permissibly.

The CFAA has been criticised by researchers, activists, journalists and cybersecurity professionals, who believe its broad application impinges on the freedom of the press and ethical hacking to expose and report cybersecurity vulnerabilities.

Alex Rice, CTO and co-founder of HackerOne, the world’s biggest ethical hacking platform, said: “Good-faith hackers are here to defend every aspect of our lives. From finding vulnerabilities in social networking software housing precious data to searching for security holes in elections systems, our democracy directly depends on those who can protect and safeguard our information from being abused. The contribution that security researchers make to society is vital and we must establish the proper protections for those who do it.”

White-hat (ethical) hackers have faced legal threats and formal lawsuits in the past for reporting bugs, resulting in a ‘chilling’ effect on security research. Dropbox is among a number of companies, including Tesla and Mozilla, that have vowed in their vulnerability disclosure programs (VDPs) not to sue ethical hackers under the CFAA.

Dropbox’s VDP states: “We encourage, support, and celebrate independent open security research” and argues that bug bounties, though valuable, are not an adequate substitute for open security research policies.

A bug bounty program is a scheme that offers rewards to individuals for discovering and reporting software bugs. The boundaries of a bug bounty are often hard to define and easy to stray across, so ethical hackers can still be deterred by the severe penalties levied under the CFAA.

In 2011, United States v. Aaron Swartz saw Swartz charged with two counts of wire fraud and eleven violations of the CFAA after being arrested by MIT police on state breaking-and-entering charges.

Swartz had connected a computer on site to the MIT network and set it to download academic journal articles systematically from JSTOR using a guest user account issued to him by MIT.

He faced a maximum of $1m in fines, 35 years in prison, asset forfeiture, restitution and supervised release. Swartz rejected a plea bargain that would have seen him serve six months in prison, and took his own life two days after the prosecution rejected his counter-offer.

Riana Pfefferkorn, former associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society and currently a research scholar at the Stanford Internet Observatory, said:

“The CFAA largely serves to inhibit white-hat hackers, ‘chilling’ security research in general. Black-hats, by nature, will not necessarily heed the law – especially those located outside the US. The act discourages white-hats from performing the impartial, third-party security evaluations that any organisation would benefit from. There may thus be more vulnerabilities for black-hats to exploit if white-hats are dissuaded from finding them first.”

The ambiguity of the CFAA has also posed problems in antitrust, as its broad scope lends itself to use as a litigation tool. In 2019, LinkedIn served hiQ Labs with a cease-and-desist order in response to hiQ’s ‘scraping’ of information from the platform.

Web scraping is a process whereby programs (often automated) extract human-readable data from a website. In hiQ v. LinkedIn, the Ninth Circuit ruled in hiQ’s favour, finding that “hiQ established a likelihood of irreparable harm because the survival of its business was threatened.”

Michael Rubin, Latham & Watkins data privacy and security practice leader and global vice chair of the Technology Industry Group, said:

“The most obvious risk scraping carries is facing a breach of contract claim; many websites’ terms of service say that one cannot take the information from this site and use it for commercial purposes. Though as a mere contractual claim, it does not carry much weight, if the terms are even enforceable. Claims under the CFAA or even the Copyright Act are often the hammer that companies are looking to wield in this environment.”

A more recent issue is adding further strain to the CFAA: the spread of AI and machine learning.

In the recently-published Is Tricking a Robot Hacking?, a group of Washington University students and professors led by Prof. Ryan Calo said that, under the CFAA, “designers and distributors of AI-enabled products will not understand the full scope of their obligations with respect to security.”

They distinguish hacking from ‘gaming’, where gaming consists simply of fooling the AI. They give the example of someone wearing makeup to conceal their true identity from AI-powered facial recognition technology.

They call for clarity over how gaming of AI would be treated, and note that it is currently the FTC that investigates a company whose cybersecurity is inadequate, under a theory of “unfair or deceptive practice.”

Similarly, it remains to be seen how adversarial machine learning (AML), a technique that attempts to fool models with deceptively crafted input, will be treated under the CFAA.

Speaking in a podcast, Calo said: “if you were to define security today and leave out adversarial machine learning that would be a very significant omission.”

A verdict in Van Buren v. United States is expected in two to five months.
