US Supreme Court to Hear CFAA Case
US Supreme Court will hear a case that could determine whether the 1986 Computer Fraud and Abuse Act (CFAA) is overly broad. The Electronic Privacy Information Center (EPIC) has filed an amicus brief on behalf of the plaintiff, a police officer who was convicted of violating the CFAA when he accessed a law enforcement database to obtain personal information for a third party. Voting app maker Voatz has submitted an amicus brief on behalf of the US government in the case, arguing that researchers who do not have permission to examine code for vulnerabilities should not be exempt from prosecution under CFAA.
The tricky part is connecting the two halves of this story. The officer was convicted after tracing a phony license plate in exchange for money, under the CFAA, rather than other laws he is alleged to have violated. As such, the subject of authorized use is being scrutinized, as it is not currently defined in the CFAA. The risk is that the current interpretation would make it a crime to violate any web sites terms of service, allowing the service owner to decide who goes to prison for what offense, which is control Voatz wishes to maintain. The downside of that approach is that security researchers could also run afoul of the law. Irrespective of how this comes down, make sure you have verified authorization to research the security of any given service before doing so.
"Examining code" is research; attacking live systems is rogue hacking. If accessing law enforcement databases for third parties is found not to be a crime, then it is one more example of why the CFAA needs to be re-written. The CFAA was written long before so many systems were attached to the public networks and most abuse was by otherwise "authorized" personnel.