For the first time, the US Supreme Court on Monday heard arguments surrounding a 34-year-old law on computer hacking — examining how the terms of the Computer Fraud and Abuse Act mean everyday activities like browsing Instagram on a work computer could be interpreted as a federal crime.
The law, passed in 1986, sets the framework for what’s considered illegal hacking — with a broad scope noting that any person who “knowingly accessed a computer without authorization or exceeding authorized access” violates the restrictions.
Under that interpretation, sharing a Netflix password or lying about your height on a dating website could be considered “exceeding authorized access,” though no court or prosecutor has ever charged someone for such things.
The law also presents a dark cloud for security researchers, whose work involves finding vulnerabilities on software and gadgets, often without authorization. For example, election security researchers over the years have uncovered issues with voting machines without the approval of their manufacturers.
The CFAA’s scope puts security researchers at risk of committing a federal crime every time they search for a vulnerability. Companies can take vulnerability disclosures in good faith, but others have argued that, under the law, security researchers should only be able to search for flaws with authorization.
The Supreme Court’s hearing on Monday stems from a case in Georgia, in which former police officer Nathan van Buren allegedly took payments to search for a license plate in a police database. He was convicted of violating the CFAA for allegedly exceeding his authorized access to the police database.
Van Buren’s attorney, Jeff Fisher, argued to the Supreme Court that the law’s scope allows for innocuous actions to be considered illegal hacking. Under the law, Fisher argued, any action that violates a website’s terms of services would be a violation of CFAA because it would exceed “authorized” access.
He cited a number of examples of how someone could run afoul of the CFAA: using a Zoom work account for personal reasons, lying on a dating website or using a work device to check social media.
“Imagine a secretary whose employee handbook says her email or Zoom account may be used only for business purposes,” Fisher said. “Any employee who used a Zoom account over Thanksgiving to connect with distant relatives would be subject to federal prosecutors.”
Fisher referenced a 2008 cyberbullying case in which a jury convicted Lori Drew for violating the CFAA after she created a fake MySpace profile that led to a 13-year-old’s suicide. The jury decided that the false identity violated MySpace’s terms of services, but a judge overturned the decision, noting that the law’s scope was too vague.
On Monday, the justices raised issues about unauthorized access that CFAA might prosecute, like an employee using access to a database to sell personal information or commit fraud. Fisher argued that while these examples raise concerns, the CFAA’s broad scope makes it difficult to separate innocent behavior from actual crimes.
“You cannot distinguish all those hypotheticals from the ones that the government wants to point at as the most troubling,” Fisher said.
The Department of Justice’s deputy solicitor general Eric Feigin argued that the scenarios that Fisher raised were a “wild caricature” of the law that haven’t happened in the CFAA’s decades-long history. Feigin argued that the law has only been used for serious crimes like Van Buren’s alleged police database abuse.
“Everybody’s understood this statute is not to cover that kind of conduct and to cover the kind of conduct that’s at issue here today,” Feigin said.
For more than 30 years, people have evaded prosecution under the CFAA because of the legal establishment’s discretion, not because of restrictions or limits on the bill. But there is a long history of security researchers facing legal threats because of the law, simply for pointing out vulnerabilities with tech companies.
Until the CFAA is changed to explicitly state that discretion or until the Supreme Court makes a decision, the law creates a gray area where people could be considered criminals for everyday activities.
Justice Sonia Sotomayor raised this issue during the hearing, telling Feigin that the CFAA’s ambiguity raises concerns.
“My problem is that you are giving definitions that narrow the statute that the statute doesn’t have,” Sotomayor said. “You’re asking us to write definitions to narrow what could otherwise be viewed as a very broad statute and dangerously vague.”
The Justice Department continued its argument that the Supreme Court shouldn’t alter the law to address hypothetical situations, and to rely on prosecutors’ discretion.
Fisher, arguing on behalf of Van Buren, warned that without taking any action, the potential for prosecution would always be there under CFAA.
“The best thing the government can say is ‘We haven’t brought a whole bunch of these prosecutions yet,'” Fisher said. “The government offers a reading of a federal statute that would sweep in everyday conduct, and it’s never been an answer to that kind of an argument to say, ‘Trust us, we won’t bring those kinds of cases.'”
The Supreme Court has until June to issue a ruling on the case. You can listen to the full hearing here.