CFAA Before the Supreme Court

Oral arguments have been presented to the Supreme Court in Van Buren vs. United States, a case concerning the Computer Fraud and Abuse Act. The decision could have a major impact on security researchers, consumers, and corporations. Van Buren is a former police officer who used his lawful access to a police license plate database to look someone up for money, and was convicted of violating the CFAA for using legal access in a way that it was not intended. The CFAA was enacted almost thirty-five years ago, long before lawyers and techies had any sense of how the Internet would evolve. It is so outdated that it specifically excludes typewriters and portable hand-held calculators as types of computer, but the main problem is in the vague but draconian description of “unauthorized” computer use. According to the Ninth Circuit, you could potentially be committing a felony by sharing subscription passwords. White-hat hackers are in particular jeopardy. They act in good faith to report vulnerabilities to a company, but face the same legal risks as cybercriminals who actively exploit those vulnerabilities. The hope is that the Supreme Court will narrow the scope of the CFAA to protect consumers and security researchers.