In the U.S. this week, the Supreme Court’s 6-3 decision on Van Buren v. United States was announced. The decision significantly narrows the scope of the Computer Fraud and Abuse Act (“CFAA”). The ruling overturned a former Georgia police officer’s conviction for misusing a government database to investigate whether a purported local stripper was an undercover cop.
This now means that federal prosecutors can no longer use the CFAA to charge people who misused databases they are otherwise entitled to access.
As to what this means, together with the associated implications, Digital Journal caught up Casey Ellis, CTO, founder, and chairman of Bugcrowd.
Ellis is well placed to provide commentary, given he was part of the amicus brief filed by the Center for Democracy and Technology, Bugcrowd, Scythe, Tenable, and others arguing that a broad interpretation of CFAA will deter good-faith security research, meaning discoverable security vulnerabilities remain undetected or unpatched, effectively waiting for attackers to find and exploit them.
Ellis begins by explaining the significance of the change: “With this ruling, the Supreme Court hasn’t updated or amended the law itself – but has effectively put a stop to any overly broad use of the Computer Fraud and Abuse Act (CFAA).”
With this act, Ellis summarizes: “The CFAA was originally passed by Congress in response to growing threats from malicious actors, but with the passage of time and progress of technology now serves to create a chilling effect for security researchers seeking to improve the overall safety of the Internet.”
Looping back to the specific case, Ellis states: “For such an objectively odd case to produce a ruling which challenges the letter of the law itself in order to set a precedent that reflects an evolving technology environment (including, most importantly in this case, the impact the interaction that environment and the law have on the overall safety of the Internet) is hugely encouraging.”
He adds that: “Every time the CFAA is used in an overly broad way hackers acting in good-faith are disproportionately affected, so a SCOTUS ruling against this phenomenon is something I see as a fundamentally positive thing.”
With the significance, Ellis concludes by saying: “The final Certiorari, as well as the earlier hearings, make it fairly clear that SCOTUS believes that the CFAA itself is antiquated in ways that make it impossible to apply to a case like Van Buren vs USA. Footnote 8 in particular stands out as SCOTUS’s attempt to encapsulate and allow for the law itself, whilst acknowledging the ambiguity which remains, in spite of the Van Buren ruling.”
As for going forwards, Ellis states: “While there is no question that the SCOTUS ruling will have a meaningful impact on protecting researchers, the work to achieve a safer and more resilient internet isn’t done. This SCOTUS decision does not change the law itself. It is up to the U.S. Congress to overhaul it. Until that happens, Safe Harbor is still the rule of law that organizations should set to ensure the security research that is being done or vulnerability reports that are being flagged to the organization are legally covered.”
