Overly broad interpretations of the Computer Fraud and Abuse Act (CFAA)
Ethical hacking involves utilizing mathematical and programming abilities to pinpoint weak areas or susceptibilities in information systems. The hacking realm is categorized based on purpose, with a white hat hacker being an ethical hacker with good intentions. These professionals specialize in penetration testing and other examination methodologies that guarantee the security of an organization’s information systems. Most ethical hackers possess advanced knowledge in mathematics, computer programming, networking, and operating systems.
The security obstacles we encounter in the present day pale in comparison to those that we will encounter in the future. Our world is so interconnected with technology that cybersecurity has an impact on our financial stability, families, and even electoral processes. As technology continues to progress, the threat posed by hacking increases.
The booming industry of cybersecurity has been brought about by the ransom of hospitals, the shutdown of power grids, and the theft of intellectual property and trade secrets. Malicious attackers, who are often well-funded and supported by governments, operate globally, use sophisticated technology and methods, and are constantly improving their tactics.
To combat the rise of computer-based crimes and the tampering of sensitive information, skilled experts, known as ethical hackers or “white hats,” evaluate computer systems to identify vulnerable spots and then reinforce them through hardening or improvements. Ethical hacking is legal since the actions are aimed at increasing the security of computer and network systems. Essentially, ethical hacking involves the breaking of a system to identify vulnerable areas, whereas the act of computer hacking refers to modifying or altering computer software and hardware to achieve objectives outside the creator’s original intent. Ethical hackers play an essential role in safeguarding systems from malicious penetrations.
The United States has a significant number of federal and state laws enacted during the last 3 decades. Unfortunately, the law is about five years behind developing technology.
Federal cybersecurity laws
There are several federal laws that address hacking, including:
• 18 USC Section 1030 of The Computer Fraud and Abuse Act (CFAA);
• 18 USC Section 1029: The Access Device Statute;
• The Stored Communications Act (SCA);
• The Digital Millennium Copyright Act (DMCA);
• 18 USC Sections 2510, 2701 of The Electronic Communications Privacy Act (ECPA); and
• The Defend Trade Secrets Act (DTSA).
The Computer Fraud and Abuse Act
The focus of our post is the Computer Fraud and Abuse Act (CFAA), a crucial federal law that deals with acts compromising computer network security, and which has since been amended by the USA PATRIOT Act. The CFAA prohibits unauthorized access to computer systems and networks, extortion by means of threatening such attacks, the dissemination of code or programs that harm computers, and other related actions.
The Computer Fraud and Abuse Act (CFAA) was enacted in 1986 as an extension to existing computer fraud law under the Comprehensive Crime Control Act of 1984, and is the primary cybersecurity legislation in the United States. Its primary purpose is to prohibit unauthorized access to computer systems, including the unauthorized exceeding of authorized access. Although initially intended to protect the computer systems of U.S. government entities and financial institutions, subsequent amendments have broadened its scope to include virtually any computer in the country, such as servers, desktops, laptops, cell phones, and tablets.
The CFAA plays a significant role in regulating the activities of ethical hackers, who must ensure they are authorized to conduct security testing to avoid running afoul of the law. Additionally, it is important to note that the CFAA has been criticized for its broad and vague language, which could lead to unintended consequences, such as the criminalization of seemingly innocuous activities. While virtually anyone can potentially be convicted under the CFAA, it should be noted that a violation requires the individual to access a computer system without authorization or exceed authorized access, meaning being in the wrong place at the wrong time would not necessarily result in a conviction.
The following are examples of CFAA violations and their corresponding penalties:
1. Accessing a computer to defraud and obtain value – 5 years imprisonment, and up to 10 years for a second conviction.
2. Accessing a computer and obtaining information – 1 to 5 years imprisonment, and up to 10 years for a second conviction. 1 to 10 years imprisonment, and up to 20 years for a second conviction.
3. Extortion involving computers – 5 years imprisonment, and up to 10 years for a second conviction.
4. Intentionally damaging by knowing transmission – 1 to 10 years imprisonment, and up to 20 years for a second conviction.
5. Trafficking in passwords – 1 year imprisonment, and up to 10 years for a second conviction.
Password trafficking refers to the sharing, selling, or purchasing of stolen passwords, which is penalized under the Computer Fraud and Abuse Act (CFAA) due to the potential for criminals to use the stolen passwords to gain unauthorized access to sensitive information such as bank accounts.
While ethical hacking can be a risky profession, it becomes illegal when the individual, known as a white hat, exceeds the limits of their authorization or permission. This can be a challenge, given the complexity of modern websites and systems, and it is easy to unintentionally exceed the limits of authorization.
Many modern websites contain content from hundreds or even thousands of third parties. For example, a bank's website can include merchant services, debit card information storage providers, cloud service providers, cookies, and many other services and code from various third parties.
In many cases, obtaining consent from all parties involved can be virtually impossible, and ethical hackers may accidentally access someone else’s application or data during routine testing work.
Van Buren Case
Recently, the United States Supreme Court made a significant decision in the Van Buren case regarding the application of the Computer Fraud and Abuse Act (CFAA). Jeffrey L. Fisher, a law professor at Stanford University who represents the petitioner in the case, argues that the law’s language is outdated in the context of modern computer usage, and that its broad interpretation could criminalize ordinary breaches of computer restrictions and terms of service that individuals may not even be aware of.
The Van Buren case has sparked a significant debate within the academic community, with some, such as Sacharoff, a professor from the University of Arkansas, suggesting that any violation under the CFAA must be done knowingly. In other words, individuals who unintentionally gain access to a platform without proper authorization or violate its terms of service would not be guilty of a federal crime. This has particular relevance to ethical hackers who may exceed authorized access while performing penetration testing, but do not do so knowingly with malicious intent.
There have been numerous instances where ethical hackers have been arrested while performing their job, indicating a need for correction in the way the law treats and understands their work. A recent case in the United States involved two penetration testers hired to assess the security of an Iowa courthouse, who were subsequently arrested, charged, and jailed for physically entering the courthouse despite it being a planned security test commissioned by the government.
Modern websites often contain code and content from numerous third parties, making it easy for ethical hackers to accidentally exceed authorized access and reach information that belongs to these third parties. As a result, they can be subject to punishment under the Computer Fraud and Abuse Act (CFAA).
Retaining a cybercrime lawyer can be an expensive endeavor, depending on various factors such as the type of advice required and the legal jurisdiction. It can be particularly challenging for ethical hackers to deal with big tech corporations, even with the assistance of an experienced cybercrime lawyer.
Thankfully, there are organizations that advocate for the rights of individuals and small businesses against big corporations. One such organization is the Electronic Frontier Foundation (EFF), which has provided legal assistance to people in cases involving large companies. For instance, EFF helped individuals accused of copyright infringement by 28 of the world’s biggest entertainment firms, led by MGM Studios, for distributing peer-to-peer file-sharing software. Additionally, EFF sued Sony Corporation for using software that could spy on users’ listening habits.
However, there is a pressing need for reform to protect ethical hackers who are often mistreated and misunderstood by the law. Unfortunately, there are gray areas in ethical hacking that can lead to misunderstanding and confusion. For example, two ethical hackers were recently hired to evaluate the security of an Iowa courthouse but were arrested, charged, and jailed for physically entering the courthouse, despite the fact that it was a planned security test commissioned by the government. This case highlights how legal systems view and treat ethical hackers and cybersecurity professionals.
Ethical hackers must be able to think creatively to identify and solve technical problems in computer systems while being mindful not to exceed the authorized boundaries. However, there is always a risk that they may unintentionally access sensitive information during the process of assessing systems and networks. It is crucial that ethical hackers are granted protected status under federal law. This would allow security professionals to access systems on the internet and disclose weaknesses without fear of prosecution under federal and state laws.
The current situation is akin to a pharmacist being arrested for drug possession while performing routine work. Trusted hackers should be able to inspect the security of websites and public-facing applications with more freedom, similar to how a police officer can investigate a person or location with reasonable grounds to do so. Professional penetration testers currently conduct assessments only with explicit consent from the owner, but it would be beneficial for security professionals to have more leeway to assess systems in the public domain and disclose any significant security risks without facing punishment.
Bug bounty programs are offered by some organizations and software developers as a way to incentivize individuals to report security vulnerabilities and bugs. These programs offer recognition and compensation to those who report such vulnerabilities. However, not all organizations have bug bounty or responsible disclosure programs, and even those that do often have limitations. In some cases, participants may be required to sign non-disclosure agreements in order to receive compensation, which can result in vulnerabilities not being addressed as quickly as they should be.
This situation highlights how federal anti-hacking laws aren’t keeping pace with the way security vulnerabilities are often identified and patched. Laws such as the CFAA and the DMCA don’t contain protections for researchers who disclose bugs, creating a legal gray area that discourages ethical hacking.
The cybersecurity community is well aware of the issue of companies taking legal action against security researchers and professionals who uncover critical security vulnerabilities. Last year, for instance, the FBI investigated security researchers in Georgia after they discovered millions of publicly accessible voter registration records on the state’s election website. The law often lags behind technology advancements, and private companies and organizations have varied and often inconsistent policies for managing vulnerability disclosures. This inconsistency makes it challenging for ethical hackers to discern the boundary between what is deemed permissible and what could potentially result in legal repercussions.
The act of accessing another person’s computer without authorization is criminalized by the CFAA. It is recommended that the CFAA be amended to require that any violation under the statute be committed knowingly or intentionally. Similarly, other laws, including state laws, should also be changed to require a knowing state of mind as the element of intent. The application of the CFAA to ethical hackers, and even to users who may exceed the “terms of service” of particular applications or social networking websites in everyday practice, remains ambiguous.
In the recent case of Van Buren v. United States, the Supreme Court ruled on concerns regarding the Computer Fraud and Abuse Act (CFAA). The case involved the prosecution of a former police sergeant who used a law enforcement computer to run a license plate search in exchange for an anticipated payment of around $5,000. The question was whether this action violated the CFAA, which criminalizes intentional access to a computer without authorization or exceeding authorized access to obtain certain types of information, subjecting the offender to criminal liability. In a 6-3 decision written by Justice Barrett, the Supreme Court concluded that it was not a violation of the CFAA. However, the language of the CFAA is still concerning as it can make everyday systems that internet users commonly access, such as social media, news, online gaming, and streaming services, “protected computers” subject to criminal liability. A major problem with the CFAA is the ambiguous nature of the statutory language. The term “without authorization” is not defined in the statute. “Exceeds authorized access” is defined, but only in a somewhat circular manner that does little to limit its scope. Many academic papers, commentary pieces, news articles, and amicus briefs have noted that the language of the CFAA, when interpreted overly broadly, can be used to criminalize commonplace uses of computers that most people would consider innocuous.
Consider the scenario where exceeding authorized access is interpreted to include breaking a website’s terms of service. In such a case, violating the terms of service could result in criminal liability, as pointed out by the Electronic Frontier Foundation. Similarly, if violating an employer’s computer-use policy is seen as exceeding authorized access, it could also lead to concerns about overcriminalization. The Supreme Court addressed this issue in the Van Buren case, stating that if every violation of a computer-use policy is deemed as exceeding authorized access, then millions of law-abiding citizens would become criminals. For instance, many employers restrict computer and electronic device use to business purposes only. Therefore, under the government’s interpretation of the CFAA, an employee who uses their work computer to read the news or send a personal email would be in violation of the statute.
In its ruling, the Supreme Court determined that someone exceeds authorized access “when he accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him.” Since Van Buren had permission to access the license plate database, his misuse of the information did not constitute a violation of the CFAA, although it may have resulted in liability under other laws.
The recent Van Buren decision has partially addressed concerns about the broad scope of the CFAA, but several questions remain unanswered. One such issue is the definition of accessing a computer “without authorization” or “exceeding authorized access.” Is it limited to bypassing technical barriers, or does it also include violating access limits specified in a contract or policy? UC Berkeley law professor Orin Kerr notes that the ruling is somewhat ambiguous on this point. Although the risk of overly broad interpretations of the CFAA has decreased, reform is still necessary.
To address this, first, the Supreme Court should change its interpretation of the CFAA and establish that intent is a necessary element of the crime. Most people who access a platform without authorization or violate its terms of service may not know that their access is unauthorized. Therefore, they should not be found guilty of a federal crime. Second, new laws should be enacted to create and protect ethical hackers as independent professionals, even in cases of accidental unauthorized access. Such laws should require licensure for ethical hackers to operate within the legal framework.
Allen Harper, Daniel Regalado, Ryan Linn, Stephen Sims, Branko Spasojevic, Linda Martinez, Michael Baucom, Chris Eagle, Shon Harris. Gray Hat Hacking: The Ethical Hacker’s Handbook. 5th Edition, 2018.
Harry Halpin. “The Philosophy of Anonymous”. https://www.radicalphilosophy.com/article/the-philosophy-of-anonymous
Chris Gebhardt. “Ethical Hacking Is Far From Ethical or Legal”. https://medium.com/@christcpd/ethical-hacking-is-far-from-ethical-or-legal-483f8b3fb00c
Matthew Hickey, Jennifer Arcuri. Hands on Hacking: Become an Expert at Next Gen Penetration Testing and Purple Teaming. 1st Edition, 2020.
CISA. “Understanding Denial-of-Service Attacks”. https://us-cert.cisa.gov/ncas/tips/ST04-015
FindLaw’s team of legal writers and editors. “Hacking Laws and Punishments”. https://www.findlaw.com/criminal/criminal-charges/hacking-laws-and-punishments.html
Mark Nicholl. “Should the law treat ethical hackers differently to regular citizens?”. https://www.itproportal.com/features/should-the-law-treat-ethical-hackers-differently-to-regular-citizens/
KrebsOnSecurity. “Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security”. https://krebsonsecurity.com/2020/01/iowa-prosecutors-drop-charges-against-men-hired-to-test-their-security
Derek Hawkins. “The Cybersecurity 202: The law doesn’t protect ethical hackers. This new project could help close that gap”. https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/08/03/the-cybersecurity-202-the-law-doesn-t-protect-ethical-hackers-this-new-project-could-help-close-that-gap/5b6330421b326b0207955ecb/
University of Arkansas News. “Law Professor Offers Simpler Guidelines to Interpreting the Computer Fraud and Abuse Act”. https://news.uark.edu/articles/55735/law-professor-offers-simpler-guidelines-to-interpreting-the-computer-fraud-and-abuse-act
Orin Kerr. “The Case for the Third-Party Doctrine”. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1138128