In what sense now? US narrows scope of computer fraud law
© Digital Journal
In the United States this week, the Supreme Court’s 6-3 decision on Van Buren v. United States was announced. The ruling dramatically narrows the scope of the Computer Fraud and Abuse Act (“CFAA”). The ruling overturned the conviction of a former Georgian police officer for misusing a government database to determine whether an alleged local stripper was an undercover cop.
This now means that federal prosecutors can no longer use the CFAA to indict people who have abused databases to which they otherwise have the right to access.
To find out what this means, as well as the associated implications, Digital Journal caught up with Casey Ellis, CTO, founder and president of Bugcrowd.
Ellis is in a good position to comment, given that he was part of the amicus brief filed by the Center for Democracy and Technology, Bugcrowd, Scythe, Tenable and others claiming that a broad interpretation of the CFAA would deter good-faith security research, which means security vulnerabilities remain undetected or unpatched, effectively waiting for attackers to find and exploit them.
Ellis begins by explaining the significance of the change: “With this ruling, the Supreme Court did not update or change the law itself, but effectively put an end to any overly broad use of the Computer Fraud and Abuse Act (CFAA).”
On the act itself, Ellis sums it up: “The CFAA was originally passed by Congress in response to increasing threats from malicious actors, but with time and advancements in technology, it now serves to create a crippling effect for security researchers seeking to improve overall Internet security.”
Returning to the specific case, Ellis states, “For such an objectively odd case to produce a decision that challenges the letter of the law itself in order to set a precedent that reflects a changing technological environment (including, most importantly, in this case, the impact of the interaction that the environment and the law have on the overall security of the Internet) is extremely encouraging.”
He adds that: “Whenever the CFAA is used too broadly, hackers acting in good faith are disproportionately affected, so a SCOTUS decision against this phenomenon is something I see as a fundamentally positive thing.”
Importantly, Ellis concludes by saying: “The Certiorari final, as well as the previous hearings, make it pretty clear that SCOTUS believes that the CFAA itself is obsolete in a way that makes it impossible to apply to a case like Van Buren v. United States. Footnote 8, in particular, is distinguished by SCOTUS’ attempt to summarize and account for the law itself, while acknowledging the ambiguity that remains, despite the Van Buren ruling.”
Looking ahead, Ellis says: “While there is no doubt that the SCOTUS decision will have a significant impact on the protection of researchers, the work to achieve a safer and more resilient Internet is not over. This SCOTUS decision does not change the law itself. It is up to the US Congress to revise it. Until that happens, Safe Harbor is still the rule of law organizations should set to ensure that ongoing security searches or vulnerability reports reported to the organization are covered by law.”