The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: There's finally a Supreme Court battle coming over the nation’s main hacking law

Analysis by
Anchor of The Cybersecurity 202 newsletter
April 24, 2020 at 7:33 a.m. EDT

with Tonya Riley

The Supreme Court is finally considering whether to rein in the nation’s sweeping anti-hacking law, which cybersecurity pros say is decades out of date and ill-suited to the modern Internet. 

The justices agreed to hear a case this fall that argues law enforcement and prosecutors have routinely applied the law too broadly and used it to criminalize not just hacking into websites but also far more innocuous behavior – such as lying about your name or location while signing up on a website or otherwise violating the site’s terms of service. 

If the court agrees to narrow how prosecutors can use the law, it would be a huge victory for security researchers.

They routinely skirt websites’ strict terms of service when they investigate them for bugs that cybercriminals could exploit. 

It would also make the Internet far safer, they say. That's because current interpretations of the 1986 law, known as the Computer Fraud and Abuse Act (CFAA), have made researchers wary of revealing bugs they find because they fear getting in trouble with police or with companies, which can also sue under the law in civil courts.

“Computer researchers are constantly afraid that a security test they run is going to run them afoul of the law,” Tor Ekeland, an attorney who specializes in defending people accused of violating the CFAA, told me. “This law makes the Internet less safe because it chills legitimate information security research and it’s bad for the economy because it chills innovation.” 

The fight centers on whether the law should apply just to hacking or more broadly to breaking rules on a computer. 

That’s a distinction that didn’t matter much when the law was drafted in the mid-1980s. But it makes a huge difference now when people routinely spend hours each day visiting a slew of websites that all have their own terms of service that most people never read. 

“It’s making a crime out of ordinary breaches of computer restrictions and terms of service that people likely don’t even know about and if they did would have no reason to think would be a federal crime,” Jeffrey L. Fisher, a Stanford University law professor who is the lead attorney in the case before the high court, told me. 

That case focuses on a former Georgia police officer, Nathan Van Buren, who was convicted under the law in 2017 after he allegedly sold information from a police database to an acquaintance for $6,000. The information was allegedly focused on helping the acquaintance figure out whether a local stripper was actually an undercover cop. 

CFAA critics say that takes the anti-hacking law too far because Van Buren didn’t actually hack into anything. He just broke the rules for a database that he was legitimately allowed to use. 

Fisher was an attorney on two other cases in the past six years in which the Supreme Court tackled pressing technology issues and limited police authorities. In Riley v. California in 2014, the court required a warrant for most police searches of cellphone contents. In Carpenter v. United States in 2018, the justices limited how police can use cellphone location data to track suspects. 

Fisher said he believes that the justices will also be ready in this case to roll back police powers that no longer make sense given modern technology.

Federal appellate districts have split over how broadly to read the law.

Courts in New York, California and several other states generally require that a person actually hack into a computer by using stolen information or exploiting a bug in the system to be prosecuted under the law, while courts in states including Georgia and Florida have convicted people in cases such as Van Buren's where there’s no clear hacking. 

Van Buren's lawyers are essentially asking the Supreme Court to settle the argument. 

“This is important because the law either says very few people are criminals under CFAA or almost everyone is a criminal under CFAA,” Jeffrey L. Vagle, a Georgia State University law professor who focuses on cybersecurity law, told me. “This question has been unanswered for years and now it’s about time that it gets answered.”

The Justice Department says there’s no need to rein in the law. 

In a filing with the high court, the agency points to 2014 guidance that directs prosecutors to exercise discretion whenever charging people under the CFAA and to consider factors including whether their actions caused major economic damage or were part of a broader criminal enterprise. 

Prosecution “may not be warranted” if someone merely violated a site’s terms of service, that guidance warns. 

They also say that requiring that direct hacking into a computer be the only way a person can be prosecuted under the law ignores the vast array of fraud and other crimes people commit on the modern Internet.  

“To call this just an anti-hacking law is an oversimplification,” said Mark Krotoski, a former national coordinator for the Justice Department’s Computer Hacking and Intellectual Property program who’s now an attorney at the law firm Morgan Lewis.

CFAA critics, however, say the law gives prosecutors far too much leeway.

“This is about whether a statute should be drafted so broadly that everyone is committing crimes all the time and the government gets to choose who to prosecute,” Greg Nojeim, senior counsel at the Center for Democracy and Technology, told me. 

Critics argue that there might be good reason for the government to prosecute Van Buren's case – but using the CFAA is the wrong way to do it. 

“The argument in this case is that in order to make sure there’s something to cover a government employee misusing a database we need an argument covering all misuses of every computer in every context, and that’s a problem,” Orin Kerr, a law professor at the University of California at Berkeley School of Law who focuses on computer crimes, said.

The Justice Department even charged WikiLeaks founder Julian Assange under the law – his crime was allegedly giving advice to one of the site’s main leakers Chelsea Manning about how to crack a Defense Department password to gather more information. Kerr said that's another example of how expansively prosecutors have applied the law.

One of the best-known CFAA prosecutions was of the Internet activist Aaron Swartz. 

Federal prosecutors in Massachusetts charged him in 2011 for allegedly downloading millions of articles from the JSTOR academic repository in violation of its terms of service. Swartz committed suicide two years later while he was awaiting trial and his case became a rallying cry for Internet reformers and lawmakers eager to update the CFAA. 

“[Congress] just didn’t understand what the ramifications were in 1986 and I’m not sure they could have considering how long ago it was,” Vagle said. “But we’ve lived with the ramifications ever since and some of them have been tragic.” 

The keys

Senate Democrats are pressing Nancy Pelosi for vote-by-mail funding.

The fourth coronavirus stimulus bill should include $3.6 billion to expand voting by mail and early voting, Sens. Christopher A. Coons (Del.), Amy Klobuchar (Minn.) and Ron Wyden (Ore.) say in a letter to the House speaker as well as to other House and Senate leaders. The money is vital, they say, to avoid a repeat of the Wisconsin primary earlier this month, where in-person voting led to “widespread chaos and disenfranchisement of voters.”

“This is not a partisan issue this is an American issue,” the lawmakers write.

In addition to the funding, the senators are asking for Congress to:

  • Remove the requirements that state election officials provide matching funds.
  • Enact the Natural Disaster and Emergency Ballot Act, legislation introduced by the trio that would require states to allow all residents to vote by mail without requiring an excuse such as illness or travel.

In other voting by mail news:

  • The presumptive Democratic presidential nominee, former vice president Joe Biden, is staying mum on voting by mail because he doesn’t want it to become a partisan issue, campaign sources tell the Daily Beast.
  • States that are making the move to voting by mail are running out of time to get all their supplies in order, NBC News reports.

The World Health Organization is updating its security after a recent scare.

The organization is implementing more secure authentication procedures for a system used by current and former employees after a data leak that exposed 450 staff email addresses and passwords, according to a statement.

The security measure comes as the agency faces a fivefold increase in cyberattacks as it helps the global response to the coronavirus pandemic. The recent attack also targeted the Gates Foundation, the National Institutes of Health and other organizations battling the virus. The leaked email data appeared to be from previous breaches, but some of the passwords still worked, The Post reported.

Pirated video streaming is surging — and creating hacking fears. 

Visits by U.S. and U.K. residents to sites that host illegally pirated movies and TV shows have jumped 31 percent as more people are stuck at home during the pandemic, the Wall Street Journal's David Uberti reports. But unlike videos on Netflix or Hulu, the free pirated content often comes laced with malware that can steal people’s private information, Mark Mulready, vice president of cybersecurity company Irdeto BV, told David. Pirated video games pose the same risks.

“There’s always going to be a certain percentage [of people], unfortunately, who will take that risk,” Mulready said.

Interpol issued an advisory about the rise in cybercrime resulting from black-market downloads on Tuesday, the Journal reports.

Hill happenings

Senators are pressing the Small Business Administration for details on a March data breach.

The breach compromised personal information from nearly 8,000 businesses that applied for the SBA’s Economic Injury Disaster Loan (EIDL) program. The senators also want to know what steps the SBA has taken to make sure another breach won't happen, according to a letter to administrator Jovita Carranza.

“We do not need to emphasize how vulnerable the nation’s small businesses are right now. More than ever, they are counting on SBA to deliver vital assistance in a responsible and competent manner,” wrote Sens. Marco Rubio (R-Fla.) and Ben Cardin (Md.), chairman and ranking Democrat on the Senate Committee on Small Business, and Rep. Nydia Velázquez (D-N.Y.), chairwoman of the House Committee on Small Business.

Securing the ballot

Voting machine companies should take greater responsibility for sanitizing machines on Election Day, advocates say.

Current procedures aren't adequate for the increased sanitation needs created by the coronavirus pandemic, the advocacy group Free Speech for People wrote in letters to six voting machine vendors yesterday. The group is pressing the companies to provide video demonstrations of machine cleaning to poll workers and to conduct third-party audits of their cleaning procedures. 

MicroVote, the only company to respond so far, says the onus to keep machines clean is on local and state customers, not the company.

Zoom's troubles continue

Zoom is working on myriad security fixes as it surges in popularity but is still running into head winds.

Nevertheless, the app's user base continues to grow. It topped 300 million recently, Reuters reports.

Correction: Bank of America and Ericsson have limited the use of Zoom, not banned it. SpaceX, not Tesla, banned Zoom.

In other industry news:

Apple says 'no evidence' iPhone mail flaw used against customers (Reuters)

NFL: No real problems in virtual draft, but no real surprises either (Reuters)

As contact tracing gains attention, a researcher pokes a hole in Bluetooth technology (CyberScoop)

Chat room

In another major CFAA lawsuit, Facebook's WhatsApp filed court documents in its lawsuit against the Israeli spyware firm NSO Group. Facebook says NSO helped its government clients hack WhatsApp's messaging service to spy on its users. NSO says U.S. courts lack jurisdiction because it never helped clients track anyone or acquire data in the United States, but WhatsApp says that's not true – and has records to prove it. 

Citizen Lab's John Scott-Railton explains:

The documents also challenge NSO's argument that it merely provides its software to government clients and has limited knowledge about what they do with it. 

Daybook

  • The McCrary Institute and Cyberspace Solarium Commission (CSC) will host a live event discussing whether deterrence is possible in cyberspace Wednesday at 1 p.m.
  • The R Street Institute will host a discussion on "EARN IT Act and Its Broader Implications for Encryption and Cybersecurity" Wednesday at 2 p.m.
