Here are some thoughts on the landmark June 3 Supreme Court ruling which found, in a 6-3 vote, that the Computer Fraud and Abuse Act of 1986 (CFAA) does not cover situations in which people who are authorized to access a computer system do so for improper reasons. Newly minted Justice Amy Coney Barrett wrote the majority opinion, which featured an unusual coalition of the three Trump appointees joining the court’s three-member liberal wing.
The Feds set up a sting operation to nail the defendant in this case, a police sergeant who was unethically (but not illegally, evidently) accessing license plate info from his patrol car and selling it. They caught him in the act and secured a guilty verdict, but then watched as SCOTUS ultimately overturned the conviction.
Civil liberties advocates are celebrating the verdict, because it appears to narrow the scope of CFAA such that people can’t be criminally charged for violating Acceptable Use policies or Terms of Service.
The reductio ad absurdum example given is an employee who could have been criminally charged for checking Facebook at work.
I suppose this ruling also applies to cases we’ve seen many times in which role-based access controls (RBAC) are improperly applied in a system. For example, say a system allows users to access info for which they’re not authorized (e.g., human resources data on other employees), but the users did nothing extraordinary (i.e., “hacking” or exploiting a vulnerability) to gain access to that data. They simply looked in a folder to which they already had access.
Abacode has actually been called in on digital forensics investigations to explore such cases and seen employees fired for violating company policy – even though, strictly speaking, the company itself screwed up by not having proper access controls in place. Theoretically, under a broader interpretation of the CFAA, these people could previously have been criminally charged as well. But no more.
I’m not one to be soft on crime, but even I must admit the CFAA has some incredibly harsh penalties. A first-time offender who’s convicted of accessing a computer system without sufficient authorization (the definition of which has been up for much debate) can receive punishment of up to five years in prison, plus fines. Violations of other parts of the CFAA are punishable by up to 10 years, 20 years, and even life in prison.
This Supreme Court ruling comes too late for some other CFAA indictees, such as the following:
- Robert Morris (1989): the first major conviction under the CFAA. Morris was a grad student at Cornell who launched the infamous Morris Internet worm. He got three years’ probation and 400 hours of community service. He’s now a tenured professor at MIT. I doubt this ruling would have affected his outcome.
- Matthew Keys (2013): the former Reuters social media editor provided his user ID and password for the content management system (CMS) of the Tribune Company to members of Anonymous. He got two years in federal prison. One wonders if, after this ruling, he would have been convicted.
- Aaron Swartz (2011): perhaps the most tragic case, Swartz was facing $1 million in fines and 35 years in prison when he hanged himself in his Brooklyn apartment. An “open access” advocate, he had downloaded about 5 million journal articles from the online database JSTOR on the MIT network – where he was neither a student nor staff but had access through an account he held as a Harvard research fellow. Under this ruling, Swartz probably would not have been convicted, either.
Given that there was an overly broad interpretation of what “unauthorized access” entails, groups such as the Electronic Frontier Foundation (EFF) claim that the CFAA was often misused by zealous prosecutors to threaten additional jail time on relatively minor charges in order to ratchet up pressure on defendants and get them to plead guilty rather than risk trial. So, it seems like a good thing that SCOTUS performed this necessary pruning.
The ruling is probably most important for security researchers, whose work discovering security vulnerabilities is vital to the public interest but often requires accessing computers in ways that contravene terms of service.
In summary, I’m no legal expert, but as a civil libertarian myself, I must applaud this SCOTUS decision giving CFAA a trim, and I look forward to further rulings that will help protect security researchers, investigative journalists, activists, and others from government overreach. In the meantime, we will always be on watch looking for real violations of the CFAA, as I have covered in some of my other blog posts.