Should privacy act terms of service violations be a crime?

Posted Aug 1, 2020 by Tim Sandle
Researchers have warned that if violations of a company’s “terms of service” are deemed to be illegal, this risks stalling important research into voting systems, medical devices and other key equipment.
Two Chinese men use their laptop computers at a cafe in Beijing.
Wang Zhao, AFP/File
A brief has been filed at the U.S. Supreme Court by the digital rights group Electronic Frontier Foundation (EFF). The brief, as NBC reports, is based on a study which concludes that if violations of a company’s “terms of service” are deemed to be illegal, then this will impede key research into digital data processing and analysis.
The primary issue relates to the U.S. Computer Fraud and Abuse Act (CFAA). This law, enacted in 1986, is used to prosecute people who break into computers. Legal experts and cybersecurity researchers have long complained that the law could be abused to target altruistic researchers who are breaking systems in order to make them more secure.
When its next term begins in October 2020, the Supreme Court is set to consider whether corporate terms of service can be considered an inviolable boundary under the CFAA. The EFF is supported by Bugcrowd and other cybersecurity companies and researchers in its amicus brief.
Speaking for one of the supporting partners, Casey Ellis, CTO and founder of Bugcrowd, sets out why the filing to the Supreme Court is so important.
Ellis notes that: "Congress originally passed the Computer Fraud and Abuse Act in response to growing threats from malicious actors in 1986, when the Internet as we know it today was still a nascent concept."
With things moving on so rapidly, the law does not appear to be fit for purpose, according to Ellis. He says: "The law is so broadly written that it criminalizes acts that ethical security researchers take to identify cybersecurity vulnerabilities that could cause significant economic and societal harm."
Ellis notes that "While organizations need to be able to prosecute malicious attackers, it's important to ensure that the increasing importance of ethical researchers working to make the digital world safer isn't chilled by the threat of prosecution, as it has been in the past."
Adding further caution to the mix, Ellis states: "Speed is the natural enemy of security, and even organizations with in-house security teams still rely on the findings from outside researchers to provide continuous security feedback. By working independently of, or in-tandem with both private and government institutions, researchers have disclosed serious vulnerabilities in widely-used software and devices."
Highlighting the good work that cybersecurity researchers undertake, Ellis explains how such teams "have identified countless security threats in voting systems, medical devices, critical infrastructure and vehicle software. Bugcrowd is proud to stand with the EFF in support of altering the CFAA so that ethical researchers can continue their socially beneficial work."